
Nebula level00

September 6, 2013

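Let's start with Nebula. Nebula has 19 levels, level00-level19. Each level corresponds to a login account on the system, and each level also corresponds to one of the flag00-flag19 accounts under the home directory.

Generally, if you can log in as levelXX and, after privilege escalation, your account becomes flagXX, you have passed the level.

Below I list the requirements and related code for each level, along with my own solution and the concepts involved. Where I could not solve a level, I explain why.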

level00

This level requires you to find a Set User ID program that will run as the "flag00" account. You could also find this by carefully looking in top level directories in / for suspicious looking directories.

Alternatively, look at the find man page.

To access this level, log in as level00 with the password of level00.

source code

There is no source code available for this level

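First, log in to the Nebula test system with the username level00 and the password level00.

The task is to find a binary that runs as the flag00 account and has the set-user-ID bit set. You could find it by going through the directories under / one by one, or by using the find command. Here we will of course use find. If you are not familiar with it, run man find to read how it is used.

First we need to understand what the set-user-ID bit is, why it is set, what we can do once it is set, and what the differences between the Real UID, Effective UID and Saved UID on Linux are and what each is for. Below is an explanation of these three UIDs found at http://en.allexperts.com/q/Unix-Linux-OS-1064/real-effective-user-id.htm, which should be clear enough. If it still does not make sense, go read APUE.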

Each UNIX process has 3 UIDs associated to it. Superuser privilege is UID=0.

Real UID
--------

This is the UID of the user/process that created THIS process. It can be changed only if the running process has EUID=0.

Effective UID
-------------

This UID is used to evaluate privileges of the process to perform a particular action. EUID can be changed either to RUID, or SUID if EUID!=0. If EUID=0, it can be changed to anything.

Saved UID
---------

If the binary image file, that was launched has a Set-UID bit on, SUID will be the UID of the owner of the file. Otherwise, SUID will be the RUID.

What is the idea behind this?

Normal programs, like "ls", "cat", "echo" will be run by a normal user, under that user's UID. Special programs that allow user to have controlled access to protected data, can have Set-UID bit to allow the program to be run under privileged UID.

An example of such program is "passwd". If you list it in full, you will see that it has Set-UID bit and the owner is "root". When a normal user, say "ananta", runs "passwd", passwd starts with:

Real-UID = ananta
Effective-UID = ananta
Saved-UID = root

Then the program calls a system call "seteuid( 0 )" and since SUID=0, the call will succeed and the UIDs will be:

Real-UID = ananta
Effective-UID = root
Saved-UID = root

After that, "passwd" process will be able to access /etc/passwd and change password for user "ananta". Note that user "ananta" cannot write to /etc/passwd on its own. Note one other thing, setting a Set-UID on an executable file is not enough to make it run as privileged process. The program itself must make a system call.

The following information comes from http://www.zzee.com/solutions/linux-permissions.shtml#setuid

set user id, set group id, sticky id

In addition to the basic permissions discussed above, there are also three bits of information defined for files in Linux:

  • SUID or setuid: change user ID on execution. If setuid bit is set, when the file will be executed by a user, the process will have the same rights as the owner of the file being executed.
  • SGID or setgid: change group ID on execution. Same as above, but inherits rights of the group of the owner of the file on execution. For directories it also may mean that when a new file is created in the directory it will inherit the group of the directory (and not of the user who created the file).
  • Sticky bit. It was used to trigger process to "stick" in memory after it is finished, now this usage is obsolete. Currently its use is system dependent and it is mostly used to suppress deletion of the files that belong to other users in the folder where you have "write" access to.

Octal digit   Binary value   Meaning
0             000            setuid, setgid, sticky bits are cleared
1             001            sticky bit is set
2             010            setgid bit is set
3             011            setgid and sticky bits are set
4             100            setuid bit is set
5             101            setuid and sticky bits are set
6             110            setuid and setgid bits are set
7             111            setuid, setgid, sticky bits are set

SUID: If set, then replaces "x" in the owner permissions to "s", if owner has execute permissions, or to "S" otherwise. Examples:
    -rws------   both owner execute and SUID are set
    -r-S------   SUID is set, but owner execute is not set

SGID: If set, then replaces "x" in the group permissions to "s", if group has execute permissions, or to "S" otherwise. Examples:
    -rwxrws---   both group execute and SGID are set
    -rwxr-S---   SGID is set, but group execute is not set

Sticky: If set, then replaces "x" in the others permissions to "t", if others have execute permissions, or to "T" otherwise. Examples:
    -rwxrwxrwt   both others execute and sticky bit are set
    -rwxrwxr-T   sticky bit is set, but others execute is not set

Two ways for a user with root privileges to give a program the setuid privilege:

sudo chmod 4755 myprog

sudo chmod u+s myprog2

ls -l my*

Output:

-rwsr-xr-x 1 root  other    24152  Apr 29 16:30  myprog

-rwsr-xr-x 1 root  other    24152  Apr 29 16:30  myprog2

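OK, now let's use the find command to locate this file.

Run the following in a terminal:

find / -perm -4000 -type f -user flag00 -ls

Here -perm -4000 matches files whose mode has the setuid bit set (whatever the other permission bits are), -type f restricts the search to regular files, -user flag00 keeps only files owned by flag00, and -ls prints an ls -l style listing for each match.

We will see an executable file /bin/.../flag00 printed.

Run this executable, then run the getflag command.

If the screen prints

you have successfully executed getflag on a target account

then level00 has been passed successfully.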
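The same find filter is what an administrator uses to audit a tree for setuid files. The following is an added example, not part of the original post: it assumes GNU find and GNU stat, and the function names and the files in the temporary directory are constructed for illustration. It shows `-perm -4000` matching both the "s" and the "S" case while skipping ordinary files.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU find and GNU stat.

# audit_suid DIR [OWNER]
# Print "<octal mode> <symbolic mode> <owner> <path>" for every regular file
# under DIR that has the setuid bit set. OWNER (a name or numeric UID) narrows
# the result the same way "-user flag00" does in the level00 command.
audit_suid() {
    dir=$1
    owner=${2:-}
    if [ -n "$owner" ]; then
        find "$dir" -type f -perm -4000 -user "$owner" \
            -exec stat -c '%a %A %U %n' {} + 2>/dev/null
    else
        find "$dir" -type f -perm -4000 \
            -exec stat -c '%a %A %U %n' {} + 2>/dev/null
    fi | sort
}

# make_demo_tree: build a constructed directory tree to audit and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin/.hidden"
    : > "$d/plain"                    # ordinary file, must not be reported
    : > "$d/bin/.hidden/suid_exec"    # setuid + owner execute -> "s"
    : > "$d/suid_noexec"              # setuid without owner execute -> "S"
    chmod 0755 "$d/plain"
    chmod 4755 "$d/bin/.hidden/suid_exec"
    chmod 4644 "$d/suid_noexec"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree: two lines are printed, one per setuid file.
demo=$(make_demo_tree)
audit_suid "$demo"
rm -rf "$demo"
```

On a real host, compare the output of `audit_suid /` against a known-good baseline; a setuid file in an unusual or hidden directory is the kind of finding this level is built around.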

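My impression: level00 is the most basic and simplest level, yet it touches on many concepts and there is a lot to learn from it. Be sure to thoroughly understand these three UIDs and the relationship between Linux file permissions and the permission flags; otherwise you will get nowhere in the later levels.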