Computer Systems Security
As mentioned on the General Page you will be completing this assignment from within a virtual environment provided to you. For each question include both your answer as well as the process by which you determined this answer. I.e. the exact commands you ran, and the output those commands provided. Also include any code you wrote, or scripts you edited.
The history command may help here: you can use it to refresh your memory on commands you may have entered. Alternatively, use the script command, which records input and output to a file automatically. See man script for more information.

Consult the manual pages for the commands mentioned in the questions to learn more (e.g. man find to read the manual page for the find command). If you receive errors about permission being denied when using chmod, chown, chgrp, find or setfacl you may prefix the command with sudo to run it as root, e.g. sudo chown aUser aDirectory. You have been granted sudo rights only for these commands!
If you are not familiar with basic UNIX/Linux commands and operating from the bash shell you may wish to read some of the UNIX tutorial for Beginners. Your textbook also provides high-level details on many of the subjects in this assignment. When all else fails, please contact the TA.
Note: you may encounter a "cannot find name for group" message. My apologies. (This can occur with the ls command as well as the stat command.)

1. Define a bash function gidSearch() { ...; }, replacing the ... with the commands you require to find the group name for the ID. In your commands you can use the $1 token to represent the GID passed to the function as an argument. I.e. a function defined: gidSearch() { echo $1; } when run as gidSearch 100 would output 100. Example session:

    comp4108@node00:$ gidSearch 100
    users
    comp4108@node00:$ gidSearch 45
    sasl

   Hint: cat, grep, and cut piped together. Read the man page for each. There are many possible solutions!
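One way to write gidSearch, added here as an illustration and not part of the assignment or the course VM: it anchors a grep pattern to the GID field of the group file. The optional second argument (a group file other than /etc/group) and the sample file contents are assumptions made for testing; the getent variant is an alternative the hint does not mention.

```shell
#!/bin/sh
# Added example (not part of the assignment): one way to write gidSearch.
# Lines in /etc/group have the form  name:password:GID:member,list
# The optional second argument, an assumption made here for testing, names an
# alternative group file; it defaults to the real /etc/group.

gidSearch() {
    # Anchor the pattern to the third field. A bare `grep $1 /etc/group`
    # would also match GID 1000 when asked for 100, or a UID that happens to
    # appear in some group's member list.
    grep "^[^:]*:[^:]*:$1:" "${2:-/etc/group}" | cut -d: -f1
}

# The same lookup through the name-service switch, which also resolves groups
# that live in LDAP or NIS and never appear in the local file.
gidSearchNss() {
    getent group "$1" | cut -d: -f1
}

# A constructed sample group file holding the two IDs from the session above,
# plus a line chosen to show why the pattern must be anchored.
makeSampleGroupFile() {
    f=$(mktemp)
    printf 'root:x:0:\nusers:x:100:\nsasl:x:45:\nvideo:x:1000:comp4108\n' > "$f"
    echo "$f"
}

# Stand-alone demonstration against the sample file.
sample=$(makeSampleGroupFile)
gidSearch 100 "$sample"    # users
gidSearch 45  "$sample"    # sasl
rm -f "$sample"
```

The anchored pattern is the point: the sample's last line contains both the digits 100 (inside 1000) and a member name, so an unanchored grep would return the wrong group.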
2. Find all files in /A1/Haystack that have the following properties (also include the resulting list):
   a. comp4108
   b. root
   c. sshd
   d. 777
   Hint: the find command!

3. Change all directories with permissions 777 in /A1/Haystack to have permissions 750 instead. Hint: find's -exec argument and the chmod command. You may need to prefix your find command with sudo to run it with root permissions (since you are changing permissions on directories you don't own).
4. Use mkdir to create the following directory structure:

    top
    |--- middle
    |    |-- bottom
    |--- middle_two
    |    |-- bottom_two
    |    |-- end_of_line
    |--- middle_three

   Then:
   a. Set the permissions of bottom and bottom_two to 664.
   b. Create a file foo.txt in middle_three with execute permission for user and group.
   c. Change the owner of top to root using the sudo and chown command.
   d. Change the group of top to www-data using sudo and the chgrp command.
   Hint: mkdir's -p flag. Show the result with tree top.

5. Find all files in /usr/bin with the setuid bit set. Hint: see your find command for part a.
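The three find-based tasks above (selecting files in /A1/Haystack by owner, group or mode; turning 777 directories into 750; listing setuid files under /usr/bin) share one tool, so here is one added shell example covering all three, run against a constructed scratch tree rather than the VM's directories. It is not part of the assignment; the function names, the tree layout and the baseline file are assumptions. It goes slightly beyond the questions by diffing the setuid list against a saved baseline, which is how a defender notices a newly planted setuid binary.

```shell
#!/bin/sh
# Added example (not part of the assignment): the find(1)-based tasks, run
# against a constructed tree instead of /A1/Haystack and /usr/bin.
# Function names, the tree layout and the baseline file are assumptions.

# Build a small tree with mixed modes. Everything belongs to the current user,
# because chown to another user would need root.
make_haystack() {
    d=$(mktemp -d)
    mkdir -p "$d/open_dir" "$d/private_dir" "$d/sub/open_dir2"
    touch "$d/open_dir/a.txt" "$d/private_dir/b.txt" "$d/setuid_bin"
    chmod 777 "$d/open_dir" "$d/sub/open_dir2"
    chmod 750 "$d/private_dir"
    chmod 4755 "$d/setuid_bin"        # setuid bit on a dummy executable
    echo "$d"
}

# Select by owner, by group, or by permission bits.
# `-perm 777` matches that exact mode; `-perm -4000` (below) matches files
# that have at least the given bits set.
find_by_user()  { find "$1" -user "$2"; }
find_by_group() { find "$1" -group "$2"; }
find_by_mode()  { find "$1" -perm "$2"; }

# Tighten every 777 directory to 750. `-type d` keeps files out of it, and
# `{} +` hands many paths to one chmod instead of running one per path.
# On the VM prefix this with sudo, since the directories belong to others.
fix_open_dirs() {
    find "$1" -type d -perm 777 -exec chmod 750 {} +
}

# Files with the setuid bit. A defender records this list as a baseline and
# diffs it later: a setuid binary that was not there before is a classic
# privilege-escalation foothold, and setuid is the same bit the race-condition
# part of the assignment turns on.
list_setuid() {
    find "$1" -type f -perm -4000 | sort
}

# Print setuid files present now but absent from the baseline file ($2).
setuid_added_since() {
    list_setuid "$1" | diff "$2" - | grep '^>' | sed 's/^> //'
}

# Stand-alone demonstration.
h=$(make_haystack)
echo "777 directories before:"; find_by_mode "$h" 777
fix_open_dirs "$h"
echo "777 directories after:";  find_by_mode "$h" 777
list_setuid "$h" > "$h/baseline.txt"
touch "$h/new_suid"; chmod 4755 "$h/new_suid"
echo "setuid files added since baseline:"; setuid_added_since "$h" "$h/baseline.txt"
rm -rf "$h"
```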
For Part B you will need to use getfacl, setfacl, chmod, usermod and find to manipulate the access control lists for a directory structure. Use sudo as required if you encounter permission denied errors. Consult man pages for commands to complete each question.

In /A1/Gotham you will find a directory tree as follows:

    Gotham
    |
    |-- Arkham
    |-- GothamPD
    '-- WayneManor
        |-- Batcave
        '-- MasterBedroom

1. Use chmod to add rx permissions to ALL directories and sub-directories in Gotham for the other category. Hint: consult man chmod.
2. Use setfacl to add read and write permissions to Gotham, Arkham and GothamPD for the user jgordon.
3. Use setfacl to add read, write, and execute permissions to WayneManor, Batcave and MasterBedroom for the user bwayne.
4. Use setfacl to remove the ACL entries on Arkham for the users skyle and ocobblepot.
5. Show the resulting ACLs. Hint: find's -exec argument and the getfacl command.
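The Part B steps as one script, added here as an example and not part of the assignment or the VM. The accounts jgordon, bwayne, skyle and ocobblepot do not exist outside the VM, so the functions take numeric UIDs (which setfacl accepts); the UID_* values, the function names and the scratch copy of the Gotham tree are assumptions. On the VM you would use the account names and sudo instead.

```shell
#!/bin/sh
# Added example (not part of the assignment): Part B as a script, run against a
# constructed copy of the Gotham tree. The VM accounts (jgordon, bwayne, skyle,
# ocobblepot) do not exist here, so the functions take numeric UIDs, which
# setfacl accepts; the UID_* values are assumed placeholders. On the VM use
# the account names and prefix the commands with sudo where needed.

UID_JGORDON=20001; UID_BWAYNE=20002; UID_SKYLE=20003; UID_OCOBBLEPOT=20004

make_gotham() {
    d=$(mktemp -d)
    mkdir -p "$d/Gotham/Arkham" "$d/Gotham/GothamPD" \
             "$d/Gotham/WayneManor/Batcave" "$d/Gotham/WayneManor/MasterBedroom"
    echo "$d/Gotham"
}

# Not every filesystem stores POSIX ACLs and setfacl may be absent; probe first.
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp) || return 1
    setfacl -m "u:$UID_JGORDON:r" "$probe" 2>/dev/null; rc=$?
    rm -f "$probe"; return $rc
}

# Step 1: read and search for "other" on every directory. -R recurses and
# o+rx leaves the user and group bits alone.
step1_other_rx() { chmod -R o+rx "$1"; }

# Steps 2 and 3: named-user entries of the form u:<name-or-uid>:<perms>.
step2_jgordon_rw() {
    setfacl -m "u:$UID_JGORDON:rw" "$1" "$1/Arkham" "$1/GothamPD"
}
step3_bwayne_rwx() {
    setfacl -m "u:$UID_BWAYNE:rwx" "$1/WayneManor" \
        "$1/WayneManor/Batcave" "$1/WayneManor/MasterBedroom"
}

# Step 4: -x removes a named entry; no permission string is given.
step4_remove_arkham_entries() {
    setfacl -x "u:$UID_SKYLE" -x "u:$UID_OCOBBLEPOT" "$1/Arkham"
}

# Step 5: the ACL of every directory. -p keeps the paths absolute.
step5_show_acls() { find "$1" -type d -exec getfacl -p {} + 2>/dev/null; }

# Only the named-user lines of one path, e.g. "user:20001:rw-". Note that
# `ls -l` shows the ACL mask in the group column and merely appends a "+",
# so getfacl, not ls, is the tool for auditing a directory with ACLs.
named_entries() { getfacl -p "$1" 2>/dev/null | grep '^user:[^:]'; }

# Stand-alone demonstration.
if acl_supported; then
    g=$(make_gotham)
    step1_other_rx "$g"; step2_jgordon_rw "$g"; step3_bwayne_rwx "$g"
    # seed the two entries that step 4 is meant to remove
    setfacl -m "u:$UID_SKYLE:r" -m "u:$UID_OCOBBLEPOT:r" "$g/Arkham"
    step4_remove_arkham_entries "$g"
    step5_show_acls "$g"
    rm -rf "$(dirname "$g")"
else
    echo "POSIX ACLs are not available on this filesystem; run this on the VM."
fi
```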
In this part of the assignment you will learn to exploit a classic time of check versus time of use (ToCToU) vulnerability in order to gain root access on your VM. You should prepare for this part of the assignment by reading the general description of this class of vulnerability from your textbook (Chapter 3, Section 3.4.6).
In /A1/Racing/Slow you will find a vulnerable application called vuln_slow. In order to ease you into exploiting a ToCToU race condition, this example vulnerable application has been written to accept two arguments: a delay in seconds and a message to write to a debug file. In order to ease the exploitation process, vuln_slow checks the permissions on its debug file, sleeps for the provided number of seconds, and then writes to the debug file. A real vulnerable program would not let you determine how long it sleeps between time of check and time of use! This is to allow you to exploit the binary with high success using manually entered commands.

In the /A1/Racing/Slow directory you will also find a file named root_file that is owned by root and has no write permissions for any other users. Your objective is to exploit vuln_slow into writing a message you provide into root_file.

1. Use the strace command to learn the location of the debug file to which vuln_slow writes the message you provide it.
2. Run vuln_slow with a test message and a large delay; 30 to 60 seconds is recommended.
3. While vuln_slow is sleeping, you must delete the log file it checked and replace it with a symbolic link to root_file using the ln command.
4. Check that your message was written to root_file. Remember: Timing is everything! Use a larger sleep time and be prepared to enter the correct commands quickly, and without error.
5. Include the contents of root_file. Include an explanation of why the attack works (hint: this should include a reference to setuid).
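The defensive counterpart of the vuln_slow exercise, added here as an example and not part of the assignment: the race is possible because the debug file sits at a fixed, predictable path that other users can replace, and because the program checks the path and later reopens it by name. The shell example below shows how a privileged script should create its debug file so there is no window to swap it, and why a symlink check on its own does not close that window. Function names and paths are assumptions.

```shell
#!/bin/sh
# Added example (not part of the assignment): the defensive counterpart of
# the vuln_slow exercise. Its race exists because the debug file sits at a
# fixed, predictable path in a directory other users can write to, and the
# program checks that path and later reopens it by name. Function names and
# paths here are assumptions.

# Preferred: no predictable path at all. mktemp creates the file with an
# unguessable name, mode 0600 and O_EXCL, so nothing can be planted or
# swapped in beforehand.
new_debug_file() {
    mktemp "${TMPDIR:-/tmp}/debug.XXXXXX"
}

# If a fixed name is unavoidable, keep it in a directory only this user can
# write to (mktemp -d creates one with mode 0700). Nobody else can then unlink
# the file or drop a symlink in its place, so there is no window to race.
# The directory, not any check, is what gives the guarantee.
new_private_dir() {
    mktemp -d "${TMPDIR:-/tmp}/debugdir.XXXXXX"
}

# Per-write check: refuse a symlink, or a file owned by someone else.
# Defence in depth only: between this test and the redirect there is still a
# window, exactly the one vuln_slow exposes, unless the enclosing directory is
# private. Returns 1 and writes nothing when the check fails.
write_debug() {              # $1 = path, $2 = message
    if [ -L "$1" ]; then
        echo "refusing symlink: $1" >&2; return 1
    fi
    if [ -e "$1" ] && [ "$(stat -c %u "$1")" != "$(id -u)" ]; then
        echo "refusing file owned by another user: $1" >&2; return 1
    fi
    printf '%s\n' "$2" >> "$1"
}

# Constructed demonstration: a protected file and a debug path that has been
# replaced by a link to it, both inside a scratch directory.
demo() {
    work=$(new_private_dir)
    target="$work/root_file"; : > "$target"
    link="$work/debug.log"; ln -s "$target" "$link"
    write_debug "$link" "payload" || echo "link refused; target still holds $(wc -c < "$target") bytes"
    f=$(new_debug_file)
    write_debug "$f" "hello" && cat "$f"
    rm -rf "$work" "$f"
}
demo
```

The first two functions are the real fix; the third exists to show that a check-then-write in shell has the same shape as the vulnerable program, which is why the page's explanation of the attack should rest on the setuid privilege plus the predictable, replaceable path rather than on the absence of a check.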
In /A1/Racing/Fast you will find the same vulnerable program (this time named vuln_fast) modified to no longer accept a sleep time argument. This program uses the same debug file location you found in Part A, Step 1 (you can verify this again using strace if you want). You will also find two scripts, vuln.sh and exploit.sh.

The first, vuln.sh, removes the debug file (to clean up from any old exploit attempts) and runs the vulnerable program in a tight loop with a high nice value (to increase your chances of exploitation; see man nice to understand why).

The second, exploit.sh, removes the debug file and generates a symbolic link to a specified target in its place. This also happens in a tight loop, such that exploit.sh and vuln.sh, when run at the same time, are competing to access the debug file (or symlink).

Your objective is to become the root user by exploiting the vuln_fast program to add your username to the root user's .rhosts file to allow passwordless login using the rsh command. In order to do this you will need to:

1. Edit the exploit.sh script (using nano, or another text editor) to provide it the location of the debug file.
2. Edit the exploit.sh script to give it the payload string you want written to the target file (see Hint!).
3. Edit the vuln.sh script to provide it the location of the debug file.
4. Edit the vuln.sh script to give it the target file for your attack (see Hint!).
5. Run the vuln.sh script in one terminal.
6. Run the exploit.sh script in another terminal.
7. Stop both scripts with Ctrl+C in the respective terminals.
8. Test with rsh -l root localhost whoami. If it was successful you should not be asked for a password and will receive the reply root to the whoami command. Remember, if it did not work you may have to repeat steps 5 onward due to the probabilistic nature of race conditions.

Hint: read the man pages for the rsh and rlogin commands. The rsh command allows you to run a shell command as a specified user on a remote (or local) machine. It first checks the specified user's .rhosts file for a list of hosts and users that can execute commands without a password! The .rhosts file...
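An audit of the trust mechanism the .rhosts attack relies on, added here as an example and not part of the assignment: it finds .rhosts and hosts.equiv files under a directory, flags entries that grant root or wildcard ("+") access, and flags files that other users could append to, which is exactly what the vuln_fast exercise does. The function names and the constructed sample tree (including the localhost line for the comp4108 account) are assumptions.

```shell
#!/bin/sh
# Added example (not part of the assignment): an audit of the trust mechanism
# the .rhosts attack relies on. rsh and rlogin consult ~/.rhosts (and
# /etc/hosts.equiv): each line names a host and optionally a user that may log
# in with no password, and "+" is a wildcard. A defender finds these files,
# flags entries that grant root or wildcard access, and flags files that other
# users could append to, which is what vuln_fast is abused to do.
# Function names and the sample tree are assumptions.

# One tab-separated finding per line: path, entry, reason.
audit_rhosts_file() {        # $1 = a .rhosts or hosts.equiv file
    f=$1
    mode=$(stat -c %a "$f")
    # group- or world-writable: anyone could add their own host/user line
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        printf '%s\t(file)\twritable by group or other (mode %s)\n' "$f" "$mode"
    fi
    # drop comments and blank lines; fields are: host [user]
    sed 's/#.*//' "$f" | awk -v f="$f" 'NF > 0 {
        host = $1; user = (NF > 1) ? $2 : "(same user)"
        reason = ""
        if (host == "+" || user == "+") reason = "wildcard trust"
        else if (f ~ "/root/[.]rhosts$") reason = "passwordless root login"
        if (reason != "") printf "%s\t%s %s\t%s\n", f, host, user, reason
    }'
}

# Walk a tree (e.g. / on a real host) and audit every trust file in it.
audit_rhosts_tree() {        # $1 = directory to search
    find "$1" -type f \( -name .rhosts -o -name hosts.equiv \) -print |
    while IFS= read -r path; do audit_rhosts_file "$path"; done
}

# Constructed sample: a root account holding the line the exercise plants,
# a harmless per-user entry, and a world-writable wildcard file.
make_sample_homes() {
    d=$(mktemp -d)
    mkdir -p "$d/root" "$d/home/alice" "$d/home/bob"
    printf 'localhost comp4108\n' > "$d/root/.rhosts"
    printf '# lab partner\nlab.example.org alice\n' > "$d/home/alice/.rhosts"
    printf '+ +\n' > "$d/home/bob/.rhosts"
    chmod 600 "$d/root/.rhosts" "$d/home/alice/.rhosts"
    chmod 666 "$d/home/bob/.rhosts"
    echo "$d"
}

# Stand-alone demonstration.
d=$(make_sample_homes)
audit_rhosts_tree "$d"
rm -rf "$d"
```

Run against the sample it reports three findings: the root entry, and two for bob's file (writable by others, and a wildcard). Alice's entry is not flagged, since a named host and a non-root user is the intended use of the file.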