pwn.college notes: Access Control

DAC (Discretionary Access Control)

level 6

hacker@access-control~level6:~$ /challenge/run
===== Welcome to Access Control! =====
In this series of challenges, you will be working with various access control systems.
Break the system to get the flag.


In this challenge you will work with different UNIX permissions on the flag.

The flag file is owned by root and a new group.

Hint: Search for how to join a group with a password.


Before:
-r-------- 1 root root 58 Mar 15 07:43 /flag
After:
----r----- 1 root group_rlspdzyr 58 Mar 15 07:43 /flag
The password for group_rlspdzyr is: fxtnvxdc
newgrp group_rlspdzyr
fxtnvxdc
cat /flag

newgrp is setuid root; it checks the supplied password against the group's password entry and then starts a new shell whose effective GID is group_rlspdzyr. The flag is group-readable only (----r-----), so cat works from that shell; exit returns to the original one.

level 7

===== Welcome to Access Control! =====
In this series of challenges, you will be working with various access control systems.
Break the system to get the flag.


In this challenge you will work understand how UNIX permissions works with multiple users.

You'll also be given access to various user accounts, use su to switch between them.


Before:
-r-------- 1 root root 58 Mar 15 07:54 /flag
Created user user_yhrsapiv with password meambaqr
After:
-------r-- 1 hacker root 58 Mar 15 07:54 /flag
hacker@access-control~level7:~$ su user_yhrsapiv
Password:
user_yhrsapiv@access-control~level7:/home/hacker$ cat /flag
pwn.college{********************************************}
user_yhrsapiv@access-control~level7:/home/hacker$

The flag is owned by hacker with owner bits --- and other bits r--. The kernel consults exactly one permission class (owner if the UID matches, else group, else other) and never falls through, so the owner is denied while an unrelated user such as user_yhrsapiv gets the other bits and can read it.

level 10

===== Welcome to Access Control! =====
In this series of challenges, you will be working with various access control systems.
Break the system to get the flag.


In this challenge you will work understand how UNIX permissions works with multiple users.

You'll also be given access to various user accounts, use su to switch between them.

Hint: How can you tell which user is in what group?


Before:
-r-------- 1 root root 58 Mar 15 07:58 /flag
Created user user_chalwvis with password dbxhfxlk
Created user user_excrdkez with password vyivxjyz
Created user user_clpkmenq with password aeckeicf
Created user user_tlgspwhg with password jpatveih
Created user user_jnrxhzvw with password yfvuqmwc
Created user user_lvbeomaw with password posedqty
Created user user_qgansdbg with password thpdyrjd
Created user user_wtfbycte with password kulvnsvi
Created user user_gcwagbel with password aoekmoum
Created user user_yfuxiagx with password bpwapccq
After:
----r----- 1 root group_cmn 58 Mar 15 07:58 /flag
hacker@access-control~level10:~$ grep group_cmn /etc/group
group_cmn:x:1001:user_yfuxiagx
hacker@access-control~level10:~$ su user_yfuxiagx
Password:
user_yfuxiagx@access-control~level10:/home/hacker$ cat /flag
pwn.college{********************************************}

Caveat: /etc/group only lists supplementary members. A user whose primary group (the GID column of /etc/passwd; group_cmn is GID 1001 here) is group_cmn would not appear in that grep, so also check /etc/passwd, or run `id <user>` for each created user, which prints the primary and supplementary groups together.

level 11

===== Welcome to Access Control! =====
In this series of challenges, you will be working with various access control systems.
Break the system to get the flag.


In this challenge you will work understand how UNIX permissions for directories work with multiple users.

You'll be given access to various user accounts, use su to switch between them.


Created user user_avlnkjwd with password iusiskgn
Created user user_dgfdmvea with password eemamusr
A copy of the flag has been placed somewhere in /tmp:
total 36
drwxrwxrwt 1 root root 4096 Mar 15 08:03 .
drwxr-xr-x 1 root root 4096 Mar 15 08:02 ..
-rw-r--r-- 1 root root 55 Feb 23 16:38 .crates.toml
-rw-r--r-- 1 root root 423 Feb 23 16:38 .crates2.json
drwxr-xr-x 2 hacker hacker 4096 Mar 15 08:02 .dojo
drwxr-xr-x 2 root root 4096 Feb 23 16:38 bin
drwxr-xr-x 1 root root 4096 Feb 23 16:27 hsperfdata_root
drwx------ 2 mysql mysql 4096 Feb 23 16:28 tmp.hYVUanCOAv
dr-xr-x--x 2 root user_avlnkjwd 4096 Mar 15 08:03 tmpt_vsl80s

hacker@access-control~level11:~$ ls -laR /tmp
/tmp:
total 44
drwxrwxrwt 1 root root 4096 Mar 15 08:22 .
drwxr-xr-x 1 root root 4096 Mar 15 08:02 ..
-rw-r--r-- 1 root root 55 Feb 23 16:38 .crates.toml
-rw-r--r-- 1 root root 423 Feb 23 16:38 .crates2.json
drwxr-xr-x 2 hacker hacker 4096 Mar 15 08:02 .dojo
drwxr-xr-x 2 root root 4096 Feb 23 16:38 bin
drwxr-xr-x 1 root root 4096 Feb 23 16:27 hsperfdata_root
drwx------ 2 mysql mysql 4096 Feb 23 16:28 tmp.hYVUanCOAv
dr-xr-x--x 2 root user_nucfmutn 4096 Mar 15 08:18 tmplepswuc7
dr-xr-x--x 2 root user_avlnkjwd 4096 Mar 15 08:03 tmpt_vsl80s
dr-xr-x--x 2 root user_hmjwefql 4096 Mar 15 08:22 tmpy7719id6

/tmp/.dojo:
total 8
drwxr-xr-x 2 hacker hacker 4096 Mar 15 08:02 .
drwxrwxrwt 1 root root 4096 Mar 15 08:22 ..

/tmp/bin:
total 8
drwxr-xr-x 2 root root 4096 Feb 23 16:38 .
drwxrwxrwt 1 root root 4096 Mar 15 08:22 ..

/tmp/hsperfdata_root:
total 40
drwxr-xr-x 1 root root 4096 Feb 23 16:27 .
drwxrwxrwt 1 root root 4096 Mar 15 08:22 ..
-rw------- 1 root root 32768 Feb 23 16:27 5803
ls: cannot open directory '/tmp/tmp.hYVUanCOAv': Permission denied
ls: cannot open directory '/tmp/tmplepswuc7': Permission denied
ls: cannot open directory '/tmp/tmpt_vsl80s': Permission denied
ls: cannot open directory '/tmp/tmpy7719id6': Permission denied
su user_avlnkjwd
iusiskgn

user_avlnkjwd@access-control~level11:/home/hacker$ ls -la /tmp/tmpt_vsl80s
total 12
dr-xr-x--x 2 root user_avlnkjwd 4096 Mar 15 08:03 .
drwxrwxrwt 1 root root 4096 Mar 15 08:23 ..
-r--r----- 1 root user_dgfdmvea 58 Mar 15 08:03 tmprd5w9j2_


su user_dgfdmvea
eemamusr

user_dgfdmvea@access-control~level11:/home/hacker$ cat /tmp/tmpt_vsl80s/tmprd5w9j2_
pwn.college{********************************************}

Two users are needed because the directory and the file are protected for different groups. user_avlnkjwd is in the directory's group (r-x) and can list it, but the file's group is user_dgfdmvea and its other bits are ---, so that user cannot read it. user_dgfdmvea cannot list the directory (other bits --x, no r) but can traverse it (x) once the file name is known, and the group bits r-- allow the read. A directory with x but not r does not hide its contents from anyone who already knows a name.

level 12

hacker@access-control~level12:~$ /challenge/run
===== Welcome to Access Control! =====
In this series of challenges, you will be working with various access control systems.
Break the system to get the flag.


In this challenge you will work understand how UNIX permissions for directories work with multiple users.

You'll be given access to various user accounts, use su to switch between them.


Created user user_gjqnizmh with password bwdjjrlm
Created user user_nthuzrvf with password xegnbyhe
Created user user_epjhheho with password zyjwexvo
A copy of the flag has been placed somewhere in /tmp:
total 36
drwxrwxrwt 1 root root 4096 Mar 15 08:27 .
drwxr-xr-x 1 root root 4096 Mar 15 08:27 ..
-rw-r--r-- 1 root root 55 Feb 23 16:38 .crates.toml
-rw-r--r-- 1 root root 423 Feb 23 16:38 .crates2.json
drwxr-xr-x 2 hacker hacker 4096 Mar 15 08:27 .dojo
drwxr-xr-x 2 root root 4096 Feb 23 16:38 bin
drwxr-xr-x 1 root root 4096 Feb 23 16:27 hsperfdata_root
drwx------ 2 mysql mysql 4096 Feb 23 16:28 tmp.hYVUanCOAv
dr-xr-x--x 3 root user_gjqnizmh 4096 Mar 15 08:27 tmps4tklv3g
su user_gjqnizmh
bwdjjrlm

user_gjqnizmh@access-control~level12:/home/hacker$ ls -laR /tmp/tmps4tklv3g/
/tmp/tmps4tklv3g/:
total 12
dr-xr-x--x 3 root user_gjqnizmh 4096 Mar 15 08:27 .
drwxrwxrwt 1 root root 4096 Mar 15 08:27 ..
dr-xr-x--x 2 root user_epjhheho 4096 Mar 15 08:27 tmpigihl758
ls: cannot open directory '/tmp/tmps4tklv3g/tmpigihl758': Permission denied

su user_epjhheho
zyjwexvo

user_epjhheho@access-control~level12:/home/hacker$ ls -laR /tmp/tmps4tklv3g/tmpigihl758
/tmp/tmps4tklv3g/tmpigihl758:
total 12
dr-xr-x--x 2 root user_epjhheho 4096 Mar 15 08:27 .
dr-xr-x--x 3 root user_gjqnizmh 4096 Mar 15 08:27 ..
-r--r----- 1 root user_nthuzrvf 58 Mar 15 08:27 tmpmca6qlsw

su user_nthuzrvf
xegnbyhe

user_nthuzrvf@access-control~level12:/home/hacker$ ls -laR /tmp/tmps4tklv3g/tmpigihl758/tmpmca6qlsw
-r--r----- 1 root user_nthuzrvf 58 Mar 15 08:27 /tmp/tmps4tklv3g/tmpigihl758/tmpmca6qlsw

user_nthuzrvf@access-control~level12:/home/hacker$ cat /tmp/tmps4tklv3g/tmpigihl758/tmpmca6qlsw
pwn.college{********************************************}

Alternative (su -c, one command per user, no nested shells):

# Step 1: list the first-level directory as the user in its group
su -c "ls -la /tmp/tmps4tklv3g/" user_gjqnizmh
# (enter first user's password)

# Step 2: with that directory name, list the second level as the next user
su -c "ls -la /tmp/tmps4tklv3g/tmpigihl758/" user_epjhheho
# (enter second user's password)

# Step 3: with the final file name, read it as a member of the file's group
su -c "cat /tmp/tmps4tklv3g/tmpigihl758/tmpmca6qlsw" user_nthuzrvf
# (enter third user's password, flag is printed)
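The following is an added example, not code from pwn.college, that models the DAC decision levels 6 through 12 exercise: which of the three rwx triples a process gets, and why a directory with x but not r can be traversed but not listed. The listings are the ones recorded above, re-entered as constructed data; the level 11 tree is used, and the same walk applies to level 12's deeper chain. Assumptions: each user's primary group carries the user's name (as Ubuntu creates it), and root bypasses read/write checks (CAP_DAC_OVERRIDE) but still needs some x bit to execute or search.

```python
from dataclasses import dataclass

# Added example; the inodes below are constructed from the ls -l output in these notes.


@dataclass(frozen=True)
class Inode:
    mode: str   # 10-character ls -l mode string, e.g. "dr-xr-x--x"
    owner: str
    group: str


@dataclass(frozen=True)
class Proc:
    user: str
    groups: frozenset  # primary + supplementary groups, as `id` prints them


_SETID = str.maketrans("stST", "xx--")  # setuid/setgid/sticky share the x column


def class_bits(inode: Inode, proc: Proc) -> str:
    """Return the single rwx triple the kernel consults: owner if the UID matches,
    else group if any of the process's groups matches, else other.
    There is no fall-through: an owner denied by the owner bits does not get the other bits."""
    mode = inode.mode.translate(_SETID)
    if proc.user == inode.owner:
        return mode[1:4]
    if inode.group in proc.groups:
        return mode[4:7]
    return mode[7:10]


def allowed(inode: Inode, proc: Proc, want: str) -> bool:
    """want is a subset of "rwx". Assumption: root bypasses r/w entirely
    (CAP_DAC_OVERRIDE) but still needs at least one x bit for x."""
    mode = inode.mode.translate(_SETID)
    if proc.user == "root":
        return "x" not in want or "x" in mode[1:]
    bits = class_bits(inode, proc)
    return all(c in bits for c in want)


def _ancestors(path: str):
    """Directories above the leaf: /a/b/c -> [/a, /a/b]. '/' itself is assumed searchable."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def can_list(tree: dict, dirpath: str, proc: Proc) -> bool:
    """ls needs x (search) on every ancestor and r on the directory itself."""
    return all(allowed(tree[d], proc, "x") for d in _ancestors(dirpath)) and allowed(tree[dirpath], proc, "r")


def can_read(tree: dict, path: str, proc: Proc) -> bool:
    """open(O_RDONLY) needs x on every ancestor and r on the file. r on the
    directories is not required, which is why a name learned as one user can
    be opened as another."""
    return all(allowed(tree[d], proc, "x") for d in _ancestors(path)) and allowed(tree[path], proc, "r")


# Constructed from the listings in these notes.
LEVEL6 = {"/flag": Inode("----r-----", "root", "group_rlspdzyr")}
LEVEL7 = {"/flag": Inode("-------r--", "hacker", "root")}
LEVEL10 = {"/flag": Inode("----r-----", "root", "group_cmn")}
LEVEL11 = {
    "/tmp": Inode("drwxrwxrwt", "root", "root"),
    "/tmp/tmpt_vsl80s": Inode("dr-xr-x--x", "root", "user_avlnkjwd"),
    "/tmp/tmpt_vsl80s/tmprd5w9j2_": Inode("-r--r-----", "root", "user_dgfdmvea"),
}


def proc(user: str, *extra: str) -> Proc:
    """Assumption: the user's primary group has the same name as the user."""
    return Proc(user, frozenset((user,) + extra))


def demo() -> dict:
    flag11 = "/tmp/tmpt_vsl80s/tmprd5w9j2_"
    return {
        "l6_before_newgrp": can_read(LEVEL6, "/flag", proc("hacker")),
        "l6_after_newgrp": can_read(LEVEL6, "/flag", proc("hacker", "group_rlspdzyr")),
        "l7_owner": can_read(LEVEL7, "/flag", proc("hacker")),
        "l7_other": can_read(LEVEL7, "/flag", proc("user_yhrsapiv")),
        "l10_member": can_read(LEVEL10, "/flag", proc("user_yfuxiagx", "group_cmn")),
        "l11_hacker_lists_tmp": can_list(LEVEL11, "/tmp", proc("hacker")),
        "l11_hacker_lists_dir": can_list(LEVEL11, "/tmp/tmpt_vsl80s", proc("hacker")),
        "l11_avln_lists_dir": can_list(LEVEL11, "/tmp/tmpt_vsl80s", proc("user_avlnkjwd")),
        "l11_avln_reads_flag": can_read(LEVEL11, flag11, proc("user_avlnkjwd")),
        "l11_dgfd_lists_dir": can_list(LEVEL11, "/tmp/tmpt_vsl80s", proc("user_dgfdmvea")),
        "l11_dgfd_reads_flag": can_read(LEVEL11, flag11, proc("user_dgfdmvea")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'allowed' if ok else 'denied'}")
```

The two level 11 results that matter are l11_avln_reads_flag (denied: listing rights say nothing about the file) and l11_dgfd_reads_flag (allowed: x on the directory plus a known name is enough, r on the directory is not needed). The model deliberately ignores ACLs, capabilities other than the root shortcut, and mount options such as noexec, all of which can change a real answer.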

level 13

MAC (Mandatory Access Control)

BLP (Bell-LaPadula Model)

TS > S > C > UC

Top Secret > Secret > Confidential > Unclassified

Simple Security Property (No Read Up)

Star Property (*-Property) (No Write Down)

===== Welcome to Access Control! =====
In this series of challenges, you will be working with various access control systems.
Break the system to get the flag.


In this challenge you'll be answering questions about the standard Bell–LaPadula model of Mandatory Access Control.

Answer the question about the model to get the flag.


In this challenge, your goal is to answer 1 questions correctly in 120 seconds about the following Mandatory Access Control (MAC) system:
4 Levels (first is highest aka more sensitive):
TS
S
C
UC
Q 1. Can a Subject with level S write an Object with level S?
yes

pwn.college{********************************************}

Level 14 follows the same approach.

pwn.college{********************************************}

level 15

Category-based

Compartmentalization / “Need-to-Know” principle

  • NUC - Nuclear
  • ACE - Atomic
  • NATO - North Atlantic Treaty Organization
  • UFO - Unidentified Flying Object

With Categories introduced, a Subject must satisfy both conditions simultaneously to read an Object:

  1. Level check: Subject’s clearance level must be >= Object’s level (No Read Up).
  2. Category coverage: Subject’s category set must be a superset of Object’s category set. In other words, every label on the Object must also be held by the Subject.

Can a Subject with level TS and categories {NATO, UFO} read an Object with level TS and categories {NUC, ACE, NATO, UFO}?

Step 1: Check Level

  • Subject level: TS (Top Secret)
  • Object level: TS (Top Secret)
  • Result: TS ≥ TS, equal rank – level check passes.

Step 2: Check Categories

  • Subject holds: {NATO, UFO}
  • Object requires: {NUC, ACE, NATO, UFO}
  • The Subject is missing {NUC} and {ACE}. Under MAC, missing even a single required category results in Permission denied.
  • Result: {NATO, UFO} ⊉ {NUC, ACE, NATO, UFO}, category check fails. Answer: no.

For Write operations, Bell-LaPadula’s core is the *-Property (Star Property): No Write Down.

With Categories, the containment is reversed for writes: the Subject's level must be <= the Object's level, and the Subject's category set must be a subset of the Object's category set (Subject ⊆ Object). Put together, an Object may be written only if it dominates the Subject, and read only if the Subject dominates the Object.

  1. Subject: Clearance C, categories {NUC} (nuclear secrets). Your mind holds classified nuclear data.
  2. Object: Clearance C, categories {} (empty set). Anyone with C clearance can read this file – no special category authorization needed.
  3. The problem: If you’re allowed to write, you’d dump {NUC}-tagged classified data into a {} file that anyone can read. This causes a downward data leak – other C-level users without {NUC} clearance could read the contaminated file and indirectly access nuclear secrets.

To prevent accidental leaks from a high-compartment zone to a public area: Since Subject’s set {NUC} is not a subset of Object’s set {} ({NUC} ⊈ {}), the write is blocked.
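The read and write rules above are one relation, "dominates", applied in opposite directions. The following is an added example (not part of these notes or of the pwn.college challenge) that encodes it that way and answers the questions recorded on this page, plus the case the prose does not cover: two labels at the same level with incomparable compartments, where neither read nor write is permitted. The level order is the one the challenge banner prints; the helper L is a constructed shorthand.

```python
from dataclasses import dataclass

# Added example. Level order from the challenge banner, highest first: TS > S > C > UC.
LEVEL_RANK = {"UC": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Label:
    level: str
    cats: frozenset


def L(level: str, *cats: str) -> Label:
    """Constructed shorthand: L("TS", "NATO", "UFO") is the label (TS, {NATO, UFO})."""
    return Label(level, frozenset(cats))


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is >= b's AND a's category set contains b's.
    This is a partial order: labels whose category sets are incomparable
    dominate in neither direction."""
    return LEVEL_RANK[a.level] >= LEVEL_RANK[b.level] and a.cats >= b.cats


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject must dominate the object."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object must dominate the subject, so
    everything the subject may know flows only to places at least as restricted."""
    return dominates(obj, subject)


def decide(subject: Label, obj: Label, action: str) -> str:
    """Answer in the challenge's yes/no form."""
    ok = can_read(subject, obj) if action == "read" else can_write(subject, obj)
    return "yes" if ok else "no"


if __name__ == "__main__":
    # Level 13 Q1: equal levels, no categories: write allowed.
    print(decide(L("S"), L("S"), "write"))
    # Level 15 Q1: same level, subject lacks NUC and ACE: read denied.
    print(decide(L("TS", "NATO", "UFO"), L("TS", "NUC", "ACE", "NATO", "UFO"), "read"))
    # Write example from the notes: {NUC} is not a subset of {}: write denied, read allowed.
    print(decide(L("C", "NUC"), L("C"), "write"), decide(L("C", "NUC"), L("C"), "read"))
    # Incomparable compartments at the same level: neither direction is allowed.
    print(decide(L("S", "NUC"), L("S", "NATO"), "read"), decide(L("S", "NUC"), L("S", "NATO"), "write"))
```

Because write requires the object to dominate the subject, a subject can always write to its own label and to anything strictly above it; the incomparable case shows that "same level" alone never decides anything once categories are in play.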

===== Welcome to Access Control! =====
In this series of challenges, you will be working with various access control systems.
Break the system to get the flag.


In this challenge you'll be answering questions about the category-based Bell–LaPadula model of Mandatory Access Control.

Answer the question about the model to get the flag.


In this challenge, your goal is to answer 1 questions correctly in 120 seconds about the following Mandatory Access Control (MAC) system:
4 Levels (first is highest aka more sensitive):
TS
S
C
UC
4 Categories:
NUC
ACE
NATO
UFO
Q 1. Can a Subject with level TS and categories {NATO, UFO} read an Object with level TS and categories {NUC, ACE, NATO, UFO}?

Level 16 follows the same approach.

pwn.college{********************************************}

level 17

.config -> 17

Relevant part of the challenge source, with indentation restored. flag_seed, LEVELS, CATEGORIES, category_set_to_str, is_subset_equal and success are helpers from the same file and are not reproduced here.

def level17():
    """
    In this challenge you'll be answering many questions about the category-based Bell–LaPadula model of Mandatory Access Control.

    Hint: Use pwntools to interact with this process and answer the questions.
    """
    mac_challenge(20, 1, use_flag_seed=False)

def mac_challenge(num_questions, timeout_sec, num_levels=None, num_categories=None, custom_levels=None, custom_categories=None, use_flag_seed=True):
    if use_flag_seed:
        flag_seed()

    categories = custom_categories if custom_categories else CATEGORIES
    levels = custom_levels if custom_levels else LEVELS

    if num_levels is None:
        num_levels = len(levels)

    if num_categories is None:
        num_categories = len(categories)

    assert(num_levels <= len(levels))
    assert(num_categories <= len(categories))
    assert(num_questions > 0)

    random.shuffle(categories)
    categories = categories[:num_categories]

    random.shuffle(levels)
    levels = levels[:num_levels]
    levels.sort(reverse=True, key=lambda x: x.level)

    max_category_set = 1 << len(categories)

    print(f"In this challenge, your goal is to answer {num_questions} questions correctly in {timeout_sec} seconds about the following Mandatory Access Control (MAC) system:")

    print(f"{len(levels)} Levels (first is highest aka more sensitive):")

    for level in levels:
        print(f"{level.name}")

    if num_categories != 0:
        print(f"{len(categories)} Categories:")
        for category in categories:
            print(f"{category.name}")

    signal.alarm(timeout_sec)

    for i in range(num_questions):
        subject_index = random.randint(0, num_levels - 1)
        subject_set = random.randint(0, max_category_set - 1)
        subject_set_str = category_set_to_str(subject_set, categories)

        object_index = random.randint(0, num_levels - 1)
        object_set = random.randint(0, max_category_set - 1)
        object_set_str = category_set_to_str(object_set, categories)

        is_read = random.choice([True, False])
        action = "read" if is_read else "write"

        if i % 4 == 0:
            object_index = subject_index

        subject = levels[subject_index]
        object = levels[object_index]

        if num_categories:
            print(f"Q {i+1}. Can a Subject with level {subject.name} and categories {subject_set_str} {action} an Object with level {object.name} and categories {object_set_str}?")
        else:
            print(f"Q {i+1}. Can a Subject with level {subject.name} {action} an Object with level {object.name}?")

        answer = input().strip().lower()
        if answer not in ["yes", "no"]:
            print(f"Error, did not understand your response {answer}, must be yes or no. Goodbye.")
            exit(-1)

        answer_allowed = (answer == "yes")

        is_allowed_by_level = subject.level >= object.level if is_read else object.level >= subject.level
        is_allowed = False

        if is_allowed_by_level:
            if is_read:
                is_allowed = is_subset_equal(object_set, subject_set)
            else:
                is_allowed = is_subset_equal(subject_set, object_set)

        if is_allowed == answer_allowed:
            print("Correct!")
        else:
            print("Incorrect!")
            exit(-1)

    success()
Notes on the source (20 questions in 1 second, so the answers have to be scripted):

  1. Parsing levels: the source calls levels.sort(reverse=True, ...) and then prints them in that order, so the first printed level is the highest clearance. The solver assigns decreasing weights in read order.
  2. Parsing categories: the text inside {} is split on commas into a Python set; {} becomes the empty set.
  3. Decision logic (mirrors is_allowed_by_level and is_subset_equal above):
  • read: Subject level ≥ Object level, and Subject categories ⊇ Object categories (issuperset).
  • write: Subject level ≤ Object level, and Subject categories ⊆ Object categories (issubset).
import re

from pwn import context, process

context.log_level = "error"

# Match: level [S] and categories [{...}] [read/write] an Object with level [C] and categories [{...}]?
QUESTION_RE = re.compile(
    r"level (.*?) and categories \{(.*?)\} (read|write) an Object with level (.*?) and categories \{(.*?)\}\?"
)


def parse_cats(s):
    # "NATO, UFO" -> {"NATO", "UFO"}; "" (from "{}") -> empty set
    return set(filter(None, (x.strip() for x in s.split(","))))


def solve():
    p = process("/challenge/run")

    # The banner states the question count; the level list that follows is printed highest first.
    banner = p.recvuntil(b"Levels (first is highest aka more sensitive):\n").decode()
    num_questions = int(re.search(r"answer (\d+) questions", banner).group(1))

    # Dynamically parse level weights (first read = highest)
    level_map = {}
    current_weight = 100

    while True:
        line = p.recvline().decode().strip()
        if "Categories:" in line or line.startswith("Q 1"):
            break
        if line:
            level_map[line] = current_weight
            current_weight -= 1

    # The category names are skipped by the recvuntil below; the regex needs a
    # category set on both sides, so this script targets the category-based levels.
    for _ in range(num_questions):
        p.recvuntil(b"Q ")
        question = p.recvline().decode().strip()

        match = QUESTION_RE.search(question)
        if match is None:
            raise ValueError(f"unexpected question format: {question}")

        sub_lvl, sub_cats_str, action, obj_lvl, obj_cats_str = match.groups()
        sub_cats = parse_cats(sub_cats_str)
        obj_cats = parse_cats(obj_cats_str)

        sub_weight = level_map[sub_lvl]
        obj_weight = level_map[obj_lvl]

        if action == "read":
            # Simple security property: the subject must dominate the object.
            is_allowed = sub_weight >= obj_weight and sub_cats.issuperset(obj_cats)
        else:
            # *-property: the object must dominate the subject.
            is_allowed = sub_weight <= obj_weight and sub_cats.issubset(obj_cats)

        p.sendline(b"yes" if is_allowed else b"no")
        p.recvline()  # "Correct!"; on "Incorrect!" the challenge exits and the next read fails

    print("[+] all questions answered; the flag follows")
    p.interactive()


if __name__ == "__main__":
    solve()