Smashthestack.org: Blowfish Level 2

05 Feb 2013

So we are now at the second level of the smashthestack.org Blowfish challenges. This second challenge tells us that we need to find a backdoor on the system. This automatically made me think of SUID bits, so I decided I would search for the holy grail (well, the second flag actually) by finding all binaries using SUID bits.

SUID Bits

What are SUID bits you may ask? Well I learned about it on the codecoffee website, so I quote:

SUID stands for Set User ID. This means that if the SUID bit is set for any application then your user ID would be set as that of the owner of application/file rather than the current user, while running that application. That means in case I have an application whose owner is 'root' and it has its SUID bit set, then when I run this application as a normal user, that application would still run as root. Since the SUID bit tells Linux that the User ID root is set for this application and whenever this application executes it must execute as if root was executing it (since root owns this file).
This would be the ideal backdoor, so we need to find an application that has the SUID bit set. To do this we use the "find" command and filter on the SUID bit. To do that, let's first refresh on UNIX permissions, which are written as four octal digits:
  • The first digit holds the special bits (setuid, setgid, sticky bit)
  • The second digit is the User (RWX)
  • The third digit is the Group (RWX)
  • The fourth digit is the Other (RWX)
So to find all binaries which have the SUID bit set (setuid), we just need to find files whose permissions include 4000, starting from the root folder:

find / -perm -4000

This gives you:

find: `/root': Permission denied
find: `/var/cache/ldconfig': Permission denied
find: `/var/spool/cron/crontabs': Permission denied
/var/local/.      level4_backdoor
/var/opt/.level3_backdoor
find: `/home': Permission denied
find: `/proc': Permission denied
find: `/etc': Permission denied
/levels/level13
/levels/level11
...

Note the /var/opt/.level3_backdoor. Execute it and you will get a shell. Now execute:

cat /pass/level3

You now have the pass for level3:

bl0wfi1sh_Rul3Z!
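
Seen from the administrator's side, the same find listing is how such a backdoor gets caught: compare every setuid file against a baseline of approved ones and flag the rest. The script below is an added example, not part of the original write-up; the function names and the baseline entries (/bin/su, /usr/bin/passwd) are assumptions, and the sample listing is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: triage setuid files against a known-good baseline.
# Reads one path per line on stdin (e.g. the stdout of find -perm -4000)
# and prints a verdict for every path that is NOT in the baseline file.

classify_suid_paths() {
    baseline=$1                      # file with one approved path per line
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # Exact, whole-line, fixed-string match against the baseline.
        if grep -Fxq -- "$path" "$baseline"; then
            continue
        fi
        name=${path##*/}             # basename without spawning a process
        case $name in
            .*)            echo "HIDDEN   $path" ;;   # dotfile: not shown by plain ls
            *[[:space:]]*) echo "ODDNAME  $path" ;;   # whitespace in the file name
            *)             echo "UNLISTED $path" ;;   # visible but not approved
        esac
    done
}

# Live use (stderr dropped so "Permission denied" noise does not bury hits):
#   find / -xdev -type f -perm -4000 2>/dev/null | classify_suid_paths baseline.txt

# Constructed sample: a small baseline plus a listing modelled on the output above.
demo_suid_audit() {
    tmp=$(mktemp) || return 1
    printf '%s\n' /bin/su /usr/bin/passwd > "$tmp"
    printf '%s\n' /bin/su /usr/bin/passwd /var/opt/.level3_backdoor /levels/level11 |
        classify_suid_paths "$tmp"
    rm -f "$tmp"
}
demo_suid_audit
```

On a real host the baseline would come from the package manager's file list or from a listing taken right after installation, so anything that appears later stands out.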