Assignment #3 - Hacking Root
Shared by: ojp13483
Problem Description:
In this assignment, we are going to use a combination of techniques to actually hack into the root account of a Unix (Linux) computer that has some holes in its security.

Use the following basic steps on your development server:

1. Create a security hole by adding a line to the fstab file which allows a flash drive to be mounted by a normal user with the suid and exec options enabled. Note that by default, flash drives which can be mounted by a normal user have the suid and exec options disabled.
2. Get a copy of Knoppix or Ubuntu Desktop on CD. Boot from it and go into live mode (do not do an install on any lab computer). Live mode is safe on any public computer (at least for the activities in this assignment). Once the GUI desktop is loaded:
   a. Open a console and become root.
   b. Plug in a flash drive that you don’t mind having completely erased.
   c. As root, use the fdisk program to delete the existing partitions from the flash drive and create a new Linux partition instead. VERY IMPORTANT: make sure that you are modifying the partitions on the FLASH DRIVE. It should be sda or sdb – use the “mount” command to make sure you have the correct device. It is possible to destroy the filesystem of the host computer if you are not careful!
   d. As root, use the mkfs program to create an ext2 or ext3 filesystem on the new Linux partition of your flash drive. Once again, make sure you are using the correct /dev file for your flash drive!
   e. Create a mount point (like /media/usbdisk). Mount your new formatted partition to this mount point. Copy /bin/sh into that directory, and set the suid bit for the new copy. Make sure that you have done all this to the copy on the flash drive, and not the original or a copy somewhere else on the system!
   f. Unmount the flash drive, shut down the live Linux, remove the CD, and restart the host computer. Make sure that it still works properly.
3. Log into your development server’s KVM and start a KVM console. Make sure that you are the only person using the KVM console at that time! From the KVM console, log into your account as an ordinary user.
4. Insert the flash drive into your local host computer and make sure that it has registered a drive letter. Note: Don’t try to open the drive from Windows – it will not recognize the formatting.
5. Open the drive redirection pane on the KVM console and connect your flash drive (read-only is fine). You should see some status messages appear on the console, which should identify the /dev file being used. It should be the same /dev file that you used in step 1.
6. As an ordinary user, mount the flash drive. You should get a status message on the console saying that the drive is mounted read-only.
7. Run the sh program on the flash drive. It should start a shell with a root prompt. Test it by displaying the contents of the /etc/shadow file.
8. Exit from the root shell. You should be back to your usual system prompt, without a root prompt.
9. Unmount the flash drive, then disconnect the drive in the Drive Redirection pane, and then remove the flash drive from the computer.
10. At some later point, when we are done evaluating this assignment, you should remove the security hole of step #1.

What to Turn In: Bring your flash drive to class and demonstrate steps 3-9.

Due Date: Beginning of class, Tuesday, 3/17/09.
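For step 10, here is an added example (not part of the original assignment) of a check that finds the kind of fstab entry step 1 creates: it parses fstab text and reports user-mountable entries where suid or dev remains in effect. It goes slightly beyond the assignment by also covering the users, owner and group options and the dev flag. The sample fstab, device names and function names are constructed for illustration, and treating "defaults" as a no-op is an assumption.

```python
# Added example: audit fstab text for user-mountable entries that keep suid/dev.
# Semantics per mount(8): user/users imply noexec,nosuid,nodev and owner/group
# imply nosuid,nodev, unless a LATER option in the same list overrides them.
IMPLIED_OFF = {"user": ("exec", "suid", "dev"), "users": ("exec", "suid", "dev"),
               "owner": ("suid", "dev"), "group": ("suid", "dev")}
TOGGLES = ("exec", "suid", "dev")


def effective_flags(options):
    """Apply a comma-separated option list left to right; return final flags."""
    flags = {"exec": True, "suid": True, "dev": True, "user_mountable": False}
    for opt in (o.strip() for o in options.split(",")):
        if opt in IMPLIED_OFF:
            flags["user_mountable"] = True
            for name in IMPLIED_OFF[opt]:
                flags[name] = False      # restriction implied by the option
        elif opt == "nouser":
            flags["user_mountable"] = False
        elif opt in TOGGLES:
            flags[opt] = True            # explicit re-enable, e.g. user,suid
        elif opt.startswith("no") and opt[2:] in TOGGLES:
            flags[opt[2:]] = False
        # "defaults" and all other options: treated as no-ops (assumption)
    return flags


def audit_fstab(text):
    """Return (line number, mount point, enabled flags) for risky entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue                     # blank, comment or malformed line
        flags = effective_flags(fields[3])
        if flags["user_mountable"] and (flags["suid"] or flags["dev"]):
            findings.append((lineno, fields[1], [t for t in TOGGLES if flags[t]]))
    return findings


# Constructed sample fstab; devices and mount points are illustrative only.
SAMPLE_FSTAB = """\
# constructed sample
/dev/sda1  /               ext3  defaults               1 1
/dev/sdb1  /media/usbdisk  ext2  noauto,user,suid,exec  0 0
/dev/sdc1  /media/usb2     vfat  noauto,user            0 0
/dev/sdd1  /media/usb3     ext2  noauto,suid,exec,user  0 0
/dev/sde1  /media/usb4     ext2  noauto,owner,exec      0 0
"""

if __name__ == "__main__":
    for finding in audit_fstab(SAMPLE_FSTAB):
        print(finding)
```

Only the entry that places suid after user is reported; the same options written before user are cancelled by the restrictions user implies, which is why option order matters when reviewing fstab.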