Username: 
Password: 
Restrict session to IP 

Warchall got rooted

Global Rank: 229
Totalscore: 84554
Posts: 1330
Thanks: 1180
UpVotes: 691
Registered: 11y 6d




Last Seen: 2d 3h
The User is Offline
Warchall got rooted
Google/translate3Thank You!0Good Post!1Bad Post! link
Yesterday i got an unexpected PM from one of the users, g00bER.

It only consists of a single line with a kind note Smile

Quote from g00bER

You might want to check /root/g00ber_was_here_too on warchall.net ;-)


Of course i did a cat /root/g00ber_was_here_too ... and here is the contents:

GeSHi`ed Plaintext code for g00ber_was_here_too
1
2
3
4
56
7
8
9
1011
12
13
14
1516
17
18
19
2021
22
23
24
2526
27
28
29
3031
 
Hey roots,
 
This is another root... g00r00t, originally known as g00bER! :-)
 Getting the root-level access in a wargame is a nice cherry on the top of the cake and the most rewarding one... and it wasn't any different in this case.
 
Now, how did I do that? The magic trick was a race condition on the level5 daemon (probably applicable to level6 too; didn't really try):
- It creates a file in user's homedir and changes the ownership and permissions for the file to that user.
- Ding, that smells like a race condition -- you can replace the file by a (hard)link to some sensitive file between its creation and the permissions/ownership modification.
- A suitable file could be /etc/passwd -- owning that one sounds like owning the machine; which is what I did; adding a new root-equivalent account.
 
A crude "proof of concept" code can be found in /home/user/g00ber/level/5; it's not perfect since it doesn't wait for the access rights to be set (to the weird value) before trying the race -- this widens the window, but has the adverse effect of putting weird permissions on /etc/passwd.
 
How to prevent it from happening in the future?
- It might be better to use fchmod/fchown (you know which file you're modifying at that time; since it's the same one you've been writing to) rather than chmod/chown. Of course, the file creation should be done in O_EXCL | O_CREAT mode.
- Also, having the user-writable files on one partition and the "important stuff" on another one helps with preventing hardlink-based attacks quite well.
- Probably the safest option is to create the "solution" files in a different place -- one that the user doesn't have write access to.
 
All the modifications should be back to their original state (i.e. ownership of /etc/passwd restored, g00r00t account removed); I'm sorry if I forgot something.
 
Also, there are a few ways of circumventing the sudosh thingy:
... removed
... removed
... removed
... removed
 
Okay, enough babbling for now -- if you want to discuss this hack or anything else, feel free to PM me.
 
g00bER, 2012-05-08, 01:30 GMT
 


This file nicely explains how he did it.
Many thanks from my side for playing nice and fair, and showing me my noobish mistakes on the challenge cronjobs.

Very well done!
gizmore
The geeks shall inherit the properties and methods of object earth.
Last edited by Gizmore - May 09, 2012 - 12:00:07
tunelko, TheHiveMind, Z, Ge0, samuraiblanco, arraez, jcquinterov, hophuocthinh, alfamen2, burhanudinn123, Ben_Dover, stephanduran89 have subscribed to this thread and receive emails on new posts.
1 people are watching the thread at the moment.
This thread has been viewed 2722 times.