Assignment #3 - Hacking Root
Problem Description: In this assignment, we are going to use a combination of techniques to actually
hack into the root account of a Unix (Linux) computer that has some holes in its security. Use the
following basic steps on your development server:
1. Create a security hole by adding a line to the fstab file which allows a flash drive to be mounted
by a normal user with the suid and exec options enabled. Note that by default, flash drives
which can be mounted by a normal user have the suid and exec options disabled.
2. Get a copy of Knoppix or Ubuntu Desktop on CD. Boot from it and go into live mode (do not do
an install on any lab computer). Live mode is safe on any public computer (at least for the
activities in this assignment). Once the GUI desktop is loaded:
a. Open a console and become root.
b. Plug in a flash drive that you don’t mind having completely erased.
c. As root, use the fdisk program to delete the existing partitions from the flash drive and
create a new Linux partition instead. VERY IMPORTANT: make sure that you are
modifying the partitions on the FLASH DRIVE. It should be sda or sdb – use the
“mount” command to make sure you have the correct device. It is possible to destroy
the filesystem of the host computer if you are not careful!
d. As root, use the mkfs program to create an ext2 or ext3 filesystem on the new Linux
partition of your flash drive. Once again, make sure you are using the correct /dev file
for your flash drive!
e. Create a mount point (like /media/usbdisk). Mount your new formatted partition to this
mount point. Copy /bin/sh into that directory, and set the suid bit for the new copy.
Make sure that you have done all this to the copy on the flash drive, and not the original
or a copy somewhere else on the system!
f. Unmount the flash drive, shut down the live Linux, remove the CD, and restart the host
computer. Make sure that it still works properly.
3. Log into your development server’s KVM and start a KVM console. Make sure that you are the
only person using the KVM console at that time! From the KVM console, log into your account as
an ordinary user.
4. Insert the flash drive into your local host computer and make sure that it has registered a drive
letter. Note: Don’t try to open the drive from Windows – it will not recognize the formatting.
5. Open the drive redirection pane on the KVM console and connect your flash drive (read-only is
fine). You should see some status messages appear on the console, which should identify the
/dev file being used. It should be the same /dev file that you used in step 1.
6. As an ordinary user, mount the flash drive. You should get a status message on the console
saying that the drive is mounted read-only.
7. Run the sh program on the flash drive. It should start a shell with a root prompt. Test it by
displaying the contents of the /etc/shadow file.
8. Exit from the root shell. You should be back to your usual system prompt, without a root
prompt.
9. Unmount the flash drive, then disconnect the drive in the Drive Redirection pane, and then
remove the flash drive from the computer.
10. At some later point, when we are done evaluating this assignment, you should remove the
security hole of step #1.
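To confirm that the hole from step 1 is present, and later that step 10 really removed it, the fstab can be audited for entries a normal user may mount with suid still enabled. The following is an added example, not part of the original assignment; it assumes the option semantics documented in mount(8) (user and users imply nosuid and noexec, owner and group imply nosuid, later options override earlier ones) and treats every other option, including defaults, as leaving suid and exec unchanged. The sample device names and mount points are constructed.

```python
import sys

# Options that let a non-root user mount, with the flags each one switches off.
IMPLIED_OFF = {"user": ("suid", "exec"), "users": ("suid", "exec"),
               "owner": ("suid",), "group": ("suid",)}

def effective_flags(options):
    """Apply options left to right; a later option overrides an earlier one."""
    state = {"user_mount": False, "suid": True, "exec": True}  # root-mount defaults
    for opt in options.split(","):
        if opt in IMPLIED_OFF:
            state["user_mount"] = True
            for flag in IMPLIED_OFF[opt]:
                state[flag] = False
        elif opt == "nouser":
            state["user_mount"] = False
        elif opt in ("suid", "exec"):
            state[opt] = True
        elif opt in ("nosuid", "noexec"):
            state[opt[2:]] = False
    return state

def audit_fstab(text):
    """Return (device, mount point, options) for user-mountable entries with suid on."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # comment, blank line, or entry without an options field
        state = effective_flags(fields[3])
        if state["user_mount"] and state["suid"]:
            findings.append((fields[0], fields[1], fields[3]))
    return findings

# Constructed sample fstab; devices and mount points are placeholders.
SAMPLE = """\
/dev/sda1  /               ext3  defaults               1 1
/dev/sdb1  /media/usbdisk  ext2  user,noauto,suid,exec  0 0
/dev/sdc1  /media/safe     ext2  user,noauto            0 0
/dev/sdd1  /media/early    ext2  suid,exec,user,noauto  0 0
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for dev, mnt, opts in audit_fstab(text):
        print(f"user-mountable with suid enabled: {dev} on {mnt} ({opts})")
```

Run it with /etc/fstab as the argument; after step 10 it should report nothing for the flash drive entry.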
What to Turn In: Bring your flash drive to class and demonstrate steps 3-9.
Due Date: Beginning of class, Tuesday, 3/17/09.