You should submit the following TWO files:
For each question, include the following (where applicable or otherwise unspecified):
Note that, depending on the question, some of the above requirements will not necessarily apply. Also, #1 and #2 from above can often be combined into a single screencap. Also note that some questions may explicitly state what to submit; this is to ensure you submit the correct information we're looking for, and the other requirements (see list above) are still expected as well.
These requirements may seem tedious and unnecessary; however, they are useful for markers to see that you completed each question, explained that you understood the question, and provided proof that the task was successfully completed.
When in doubt, explain as much as you can. I need to see that you understand the answer and the process you used to get the answer. Not including an explanation or providing too little explanation may result in lost marks.
johnsmith-assignment1[.zip/.tar.gz/.tar.xz]
Hint: the ls command as well as the stat command.

gidSearch() { ...; }

Replace the ... with the commands you require to find the group name for the ID. In your commands you can use the $1 token to represent the GID passed to the function as an argument. I.e. in a function defined as gidSearch() { echo $1; }, $1 is the argument, so gidSearch 100 would echo 100; your finished function, run as gidSearch 100, should output users:

comp4108@node00:$ gidSearch 100
users
comp4108@node00:$ gidSearch 45
sasl

Hint: cat, grep, and cut piped together. Read the man page for each. There are many possible solutions!
a. Find everything in /A1/Haystack that has the following properties:
   - comp4108. Include the command used and the resulting list.
   - root. Include the number of directories but NOT THE ENTIRE LIST. Hint: the wc command.
   - sshd. Include the command used and the resulting list.
   - 777. Include the command used and the resulting list.
   Hint: the find command!
b. Change all entries with permissions 777 in /A1/Haystack to have permissions 750 instead. Hint: find's -exec argument and the chmod command. You may need to prefix your find command with sudo to run it with root permissions (since you are changing permissions on directories you don't own).
c. Use mkdir to create the following directory structure:

top
|--- middle
|    |-- bottom
|--- middle_two
|    |-- bottom_two
|    |-- end_of_line
|--- middle_three

   Then:
   - Set the permissions of bottom and bottom_two to 664.
   - Create foo.txt in middle_three and grant the execute permission for user and group.
   - Change the owner of top to root using the sudo and chown commands.
   - Change the group of top to www-data using sudo and the chgrp command.
   Hint: mkdir's -p flag. Verify your work with tree top.

d. Find all files in /usr/bin with the setuid bit set. Hint: reuse the find command from part a.
For Part B you will need to use getfacl, setfacl, chmod, usermod and find to manipulate the access control lists for a directory structure. Use sudo as required if you encounter permission denied errors. Consult man pages for commands to complete each question.
In /A1/Gotham you will find a directory tree as follows:

Gotham
|-- Arkham
|-- GothamPD
'-- WayneManor
    |-- Batcave
    '-- MasterBedroom

1. Use chmod to add rx permissions for the other category to Gotham and ALL its sub-directories. Hint: see man chmod.
2. Use setfacl to add read and write permissions to Gotham, Arkham and GothamPD for the user jgordon.
3. Use setfacl to add read, write, and execute permissions to WayneManor, Batcave and MasterBedroom for the user bwayne.
4. Use setfacl to remove the ACL entries on Arkham for the users skyle and ocobblepot.
Hint: find's -exec argument and the getfacl command.
In this part of the assignment you will learn to exploit a classic time of check versus time of use (ToCToU) vulnerability in order to gain root access on your VM. You should prepare for this part of the assignment by reading the general description of this class of vulnerability. You may read the Wikipedia article on TOCTOU and the content from Chapter 6 of the course's textbook materials, or the Safe Temporary File Use section from Computer Security: Principles and Practice by Stallings and Brown.
When answering these questions, please provide a brief narrative explaining the problem and what steps you took for the solution. Provide enough detail to demonstrate that you understand the problem and solution.
In /A1/Racing/Slow you will find a vulnerable application called vuln_slow. In order to ease you into exploiting a ToCToU race condition, this example vulnerable application has been written to accept two arguments: a delay in seconds and a message to write to a debug file. In order to ease the exploitation process, vuln_slow checks the permissions on its debug file, sleeps for the provided number of seconds, and then writes to the debug file. A real vulnerable program would not let you determine how long it sleeps between time of check and time of use! This is to allow you to exploit the binary with high success using manually entered commands.

In the /A1/Racing/Slow directory you will also find a file named root_file that is owned by root and has no write permissions for any other users. Your objective is to exploit vuln_slow into writing a message you provide into root_file.

1. Use the strace command to learn the location of the debug file that vuln_slow writes its output to. Inspect the debug file to check that the message you provided to vuln_slow was appended to the debug file.
2. Run vuln_slow with a test message and a large delay; 30 to 60 seconds is recommended.
3. While vuln_slow is sleeping, you must delete the log file it checked and replace it with a symbolic link to root_file using the ln command.
4. Inspect root_file. Remember: Timing is everything! Use a larger sleep time and be prepared to enter the correct commands quickly, and without error.
5. Include proof that your message was written to root_file. Include an explanation of why the attack works. Hint: the access() system call in relation to real UIDs and effective UIDs, and a reference to setuid.
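Added example (my own code, not the course's vuln_slow source, which the page does not show): a reconstruction of the check-then-use pattern the text describes beside a hardened version that closes the window, plus a demo() that reproduces the Part A symlink swap unprivileged in a temporary directory. It assumes Linux (O_NOFOLLOW, mkdtemp), and because it runs as a single user it shows only the path being re-pointed between check and use, not the real-vs-effective UID escalation that lets a setuid vuln_slow write as root.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use as the page describes vuln_slow (a reconstruction, not the course's
 * source). access() answers for the REAL uid; fopen() then opens as the EFFECTIVE uid
 * (root under setuid) and follows symlinks, so the path may be re-pointed in between. */
int vulnerable_append(const char *path, const char *msg) {
    if (access(path, W_OK) != 0) return -1;     /* time of check */
    FILE *f = fopen(path, "a");                /* time of use */
    if (f == NULL) return -1;
    fputs(msg, f);
    fclose(f);
    return 0;
}

/* Hardened: no separate check. Open without following symlinks (ELOOP if the path
 * is one), then validate the descriptor actually held with fstat(). */
int hardened_append(const char *path, const char *msg) {
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;                            /* refuse anything but a plain file */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) { close(fd); return -2; }
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Part A scenario in a temp dir, unprivileged: root_file is the protected target, debug
 * the checked file swapped for a symlink to it. Bit 0: vulnerable write landed in
 * root_file; bit 1: hardened refused the symlink; bit 2: hardened works on a plain file. */
int demo(void) {
    char dir[] = "/tmp/toctouXXXXXX", target[64], link[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/root_file", dir);
    snprintf(link, sizeof link, "%s/debug", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));
    if (symlink(target, link) != 0) return -1; /* the ln -s step from the assignment */
    int result = 0;
    vulnerable_append(link, "pwned\n");        /* 6 bytes go through the link */
    if (stat(target, &st) == 0 && st.st_size == 6) result |= 1;
    if (hardened_append(link, "x\n") == -1) result |= 2;
    if (hardened_append(target, "x\n") == 0) result |= 4;
    return result;
}
```

demo() returns 7 when all three observations hold; the hardened version is the pattern to look for when reviewing code that writes to a predictable path.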
In /A1/Racing/Fast you will find the same vulnerable program (this time named vuln_fast) modified to no longer accept a sleep time argument. This program uses the same debug file location you found in Part A, Step 1 (you can verify this again using strace if you want).

In the same directory you will find two scripts, vuln.sh and exploit.sh.

vuln.sh removes the debug file (to clean up from any old exploit attempts) and runs the vulnerable program in a tight loop with a high nice value (to increase your chances of exploitation; see man nice to understand why).

exploit.sh removes the debug file and generates a symbolic link to a specified target in its place. This also happens in a tight loop, such that exploit.sh and vuln.sh, when run at the same time, are competing to access the debug file (or symlink).

Your objective is to become the root user by exploiting the vuln_fast program to add your username to the root user's .rhosts file to allow passwordless login using the rsh and rlogin commands.

1. Edit the vuln.sh script (using nano, or another text editor) to provide it the location of the debug file.
2. Edit the vuln.sh script to give it the payload string you want written to the target file (see Hint!).
3. Edit the exploit.sh script to provide it the location of the debug file.
4. Edit the exploit.sh script to give it the target file for your attack (see Hint!).
5. Run the vuln.sh script in one terminal.
6. Run the exploit.sh script in another terminal.
7. Stop both scripts with Ctrl+C in the respective terminals.
8. Run rsh -l root localhost whoami. If it was successful you should not be asked for a password and will receive the reply root to the whoami command. Remember, if it did not work you may have to repeat steps 5 onward due to the probabilistic nature of race conditions (if it failed, you will receive a permission denied error).
9. Run rsh -l root localhost bash to spawn a new superuser privileged shell with full control over the system.

Hint: the nice command is needed this time.

Hint: the rsh and rlogin commands. The rsh command allows you to run a shell command as a specified user on a remote (or local) machine. It first checks the specified user's .rhosts file for a list of hosts and users that can execute commands without a password! The .rhosts file...