diff --git a/Tutorials/Permissions.md b/Tutorials/Permissions.md index 58eff0a..f7e1092 100644 --- a/Tutorials/Permissions.md +++ b/Tutorials/Permissions.md @@ -52,13 +52,13 @@ This includes information including the *access permissions* and Each line of output will take the following form: -~~~ +~~~.term -rw-r--r-- 1 dang dang 0 Nov 26 13:43 bar.txt ~~~ Which can be broken down into -~~~ +~~~.term [Permissions] [Size] [Owner] [Group] [Date] [Filename] ~~~ @@ -66,7 +66,7 @@ Which can be broken down into Consider the following -~~~ +~~~.term dang@dang-laptop /tmp/demo % ls -l total 0 -rw-r--r-- 1 dang dang 0 Nov 26 13:43 bar.txt @@ -96,6 +96,7 @@ We have the files So permissions give us a nice way to restrict access to files on the system, and segreate who can access what. However... +\clearpage{} ## The need to run commands as an Elevated user. ![Obligatory XKCD Sudo Comic](https://imgs.xkcd.com/comics/sandwich.png) @@ -176,7 +177,7 @@ change their own password. Lets check the permissions for ```/bin/passwd``` -~~~ +~~~.term $ ls -l /bin/passwd -rwsr-xr-x 1 root root 63624 Jul 31 20:12 /bin/passwd ~~~ @@ -195,6 +196,7 @@ control of a system. It is always worthwhile to see what SUID files are available on the system, using a tool like **find**, to look for anything unusual that could be an entrypoint. +\clearpage{} ## The $PATH When we want to run a system level command (for example ```ls```) the @@ -267,7 +269,7 @@ Lets say we are looking for ```ncat``` (which lives in /usr/bin) we get: > NOTE: As a point of interest, this is why we usually have to run > ./ if we are executing a file in the current working -> directory. +> directory. > > If we specify a full path (either absolute or relative) to the > file. The OS will look in that location (and only that 
@@ -285,19 +287,20 @@ Lets say we are looking for ```ncat``` (which lives in /usr/bin) we get: As a system variable, we can modify the path in user space. There are two ways of doing this: The first approach is to use the EXPORT command to set the path for that terminal session. -~~~ + +~~~.term EXPORT PATH= ~~~ So to set the $PATH to be ```/tmp``` we could use ```EXPORT -PATH=/tmp```. +PATH=/tmp``` We hit our first Gotcha here. This command will set the $PATH to be only ```tmp```, which means all the usual places are removed and the OS cannot find anything. A much better approach is to *prepend* the desired directory to the current path using -~~~ +~~~.term EXPORT PATH=:$PATH #For example prepend /tmp @@ -313,8 +316,7 @@ calling the PATH string before our command. PATH=/tmp:$PATH ~~~ - - +\clearpage{} # Putting it all Together. We have introduced a load of concepts there. Lets put them together @@ -619,6 +621,7 @@ Our proof of concept for the Exploit was 1. Run our program using a modified path to call our version of the command 1. Profit +\clearpage{} # Trolled by Permissions: An Alternate approach to getting the flag To demonstrate how easy it is to make the mistakes that allow people
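Review bot: in the `@@ -96,6 +96,7 @@` hunk, the added `\clearpage{}` is raw LaTeX in a Markdown file, so it only does anything when the tutorial is built to PDF through a LaTeX toolchain; any other renderer will either print it literally or drop it. If HTML output is also a target, restrict it to the LaTeX build, and leave a blank line between it and the `## The need to run commands as an Elevated user.` heading so the heading is still parsed as one. The same applies to the other three `\clearpage{}` additions in this patch. While touching this paragraph, "segreate" in the context line above should be "segregate".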
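Review bot: the only change in the `@@ -267,7 +269,7 @@` hunk is whitespace at the end of the `> directory.` line inside the NOTE blockquote. If the intent is a forced line break, trailing spaces are fragile because editors routinely strip them; if the intent is to remove stray whitespace, mention it in the commit message so the hunk is not read as noise.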
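Review bot: in the `@@ -285,19 +287,20 @@` hunk, the `+PATH=/tmp` line drops the full stop that ended the sentence, so the text now runs straight into "We hit our first Gotcha here."; restore the period. Since these fences are being retagged as `.term`, this is also the moment to fix what is inside them: the shell builtin is lowercase `export`, so a reader who types `EXPORT PATH=/tmp` as shown gets a command-not-found error instead of the behaviour the paragraph describes. As displayed, `EXPORT PATH=` and `EXPORT PATH=:$PATH` have nothing where the directory placeholder should be; a literal leading colon is an empty PATH entry, which the shell treats as the current directory, so make sure the placeholder survives rendering. The "Gotcha" sentence also says the path becomes only `tmp` where the example sets `/tmp`.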
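Review bot: in the `@@ -313,8 +316,7 @@` hunk, both blank lines after the closing `~~~` are removed and replaced by `\clearpage{}` directly above `# Putting it all Together.`, which leaves the top-level heading without a blank line before it. Several Markdown processors require that blank line for a heading to be recognised, so keep one blank line on each side of the `\clearpage{}`.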