Linux Exploitation
NOTE: the applications being used for this session are available on GitHub. They include details on the specific vulnerabilities. It will be more beneficial for you to try to exploit the vulnerabilities on your own.
You will be evaluating the security of a number of Linux applications and interrogating the implications of the vulnerabilities.
App 1: Password Manager
Can be accessed via the pass command or by running python3 /usr/local/password_manager/password_manager.py.
What programming languages are used in the password manager?
Where are the passwords stored on disk?
What can you do to the file that stores the passwords?
The password manager includes a file cron_backup_super_secure.sh that is in the path. What is its location on disk?
Why might a script executed by cron as root that is world writable be a security risk?
If the schedule expression for the cron job was set to 0 22 * * 1-5, when would it be run next?
What environment variable could be set that could result in exploitation of the application itself?
What could the impact of setting the environment variable be?
App 2: Notes
The notes app can be accessed via the notes command. It is also in the path with the command vulnerable_notes.sh.
What language is the notes app written in?
What is the problem with how the notes are stored?
What other two vulnerabilities are there in the app itself?
App 3: Bank
The bank app can be accessed via the bank command, or by running python3 /usr/local/banking_simulator/client.py.
The source code for the server can be accessed at bank_server.py in the same directory.
What are the permissions of the account data file in octal?
What other two problems are there with the bank app?
App 4: Log Management
The log management app can be accessed via the logs command, or by running SuperSecureLogManager.
What user does the log management app always run as?
What character made you think that?
What vulnerability does this present?
If you have done this, let us know and we can give you an additional challenge.