So we are now at the second level of smashthestack.org Blowfish challenges. This second challenge learns us that we need to find a backdoor on the system. This automatically made me think of SUID bits, so I decided I would search for the holy grail (well the second flag actually) by finding all binaries using SUID bits.
What are SUID bits you may ask? Well I learned about it on the codecoffee website, so I quote:
SUID stands for Set User ID. This means that if the SUID bit is set for any application then your user ID would be set as that of the owner of application/file rather than the current user, while running that application. That means in case I have an application whose owner is ' root ' and it has its SUID bit set, then when I run this application as a normal user, that application would still run as root. Since the SUID bit tells Linux that the the User ID root is set for this application and whenever this application executes it must execute as if root was executing it (since root owns this file).This would be the ideal backdoor, so we need to find an application that has the suid bit set. To do this we use the "find" command. We will filter on suid bit. To filter on the SUID bit lets refresh on the UNIX permission bits:
find / -perm -4000
This gives you:
find: `/root': Permission denied find: `/var/cache/ldconfig': Permission denied find: `/var/spool/cron/crontabs': Permission denied /var/local/. level4_backdoor /var/opt/.level3_backdoor find: `/home': Permission denied find: `/proc': Permission denied find: `/etc': Permission denied /levels/level13 /levels/level11 ...
Note the /var/opt/.level3_backdoor. Execute it and you will get a shell. Now execute:
You now have the pass for level3: