Unlike the previous exercises, level05 is purely about weak file permissions.
What you’ll need to know…
- Make an ssh connection
- Use tar command
Level05
If you list the files under the /home/flag05 folder, you’ll notice two hidden folders, .backup and .ssh. To see hidden folders, make sure you use the -a option of the ls command. The .ssh folder holds information related to SSH connections, including keys. However, you don’t have permission to read this folder, because it’s owned by the flag05 user.
On the other hand, you do have permission to read the .backup folder, and if you list the files in there, you can see a compressed tar file. You can’t extract the files in this tar into the same folder, though, since you can’t write there.
One thing we can try is to extract the files to another folder, one where we can write. Let’s use the /home/level05 folder and extract the files there with the tar command.
If you now navigate to your level05 home directory, you will see three files inside the .ssh folder, and most importantly, all of them are owned by the level05 user. These three files are the public RSA key, the private RSA key and authorized_keys.
SSH is a protocol similar to Telnet in that it lets you log in to a remote server, but it does so over an encrypted channel, which makes it far more secure than Telnet.
Maybe I can log in to the flag05 account using the private key… For this I need to use the ssh command with the -l option, to specify the user name, and the -i option, to specify the file containing the private key. Additionally, I need to provide the destination of the connection, which will be the current machine, localhost.
Once you’re logged in, you can verify your identity with the whoami command and collect the flag with the getflag command.
Challenges completed: 6/20
Mitigation
Always double-check the permissions of your folders and files.
If the .backup folder holds a backup of the SSH keys, it should have at least the same restrictive permissions as the .ssh folder. Both the .backup folder and the backup file should have tight permissions because of the sensitivity of their content.
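To turn that advice into a repeatable check, here is an added audit script (not part of the original write-up or of the Nebula VM) that scans a home directory for tarballs other users can read and that contain SSH key material, which is exactly the combination that makes this level solvable. It assumes POSIX find, tar and grep, plus either GNU stat (-c) or BSD stat (-f); the path /home/flag05 in the usage comment is the one from the write-up.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit a home directory for
# backup archives that other users can read and that carry SSH key material.
# Assumes POSIX find/tar/grep and either GNU stat (-c) or BSD stat (-f).

# Octal permission bits of a file, e.g. 644 (GNU stat first, BSD as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Archive members that look like SSH key material, listed without extracting.
ssh_members_in() {
    tar -tf "$1" 2>/dev/null |
        grep -E '(^|/)\.ssh/|id_rsa|id_dsa|id_ecdsa|id_ed25519|authorized_keys' || true
}

# Print "<archive> mode=<octal> members=<n>" for every tarball under $1 that is
# group- or world-readable (-perm -040 / -perm -004) and contains key files.
# Exit status 1 when at least one such archive exists, 0 when none does.
audit_backups() {
    home="$1"
    findings=$(
        find "$home" -type f \( -name '*.tgz' -o -name '*.tar.gz' -o -name '*.tar' \) \
            \( -perm -040 -o -perm -004 \) 2>/dev/null |
        while IFS= read -r archive; do
            members=$(ssh_members_in "$archive" | wc -l | tr -d ' ')
            if [ "$members" -gt 0 ]; then
                printf '%s mode=%s members=%s\n' "$archive" "$(perm_of "$archive")" "$members"
            fi
        done
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical use on the box from the write-up:  audit_backups /home/flag05
```

A clean run prints nothing and exits 0; on this level it would flag the tarball in /home/flag05/.backup, and tightening it to mode 600 (or moving it under a 700 directory) makes the finding disappear.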