8 Commits

Author SHA1 Message Date
Leo
0b2b9741d3 feat: solve ex 1
All checks were successful
zip and release / build-and-release (push) Successful in 6s
2026-06-05 10:42:30 +02:00
Unbreathable
4ff7e162ac feat: task 2 for sheet6 2026-06-04 18:58:56 +02:00
Leo
58553b688a feat: a3
All checks were successful
zip and release / build-and-release (push) Successful in 3s
2026-05-22 11:52:02 +02:00
Leo
b118e163b2 feat: a2 2026-05-22 11:46:10 +02:00
Viktoria Konschuh
266df5d32c Edit explanation.txt 2026-05-21 19:18:15 +00:00
Viktoria Konschuh
a2d5d23307 Edit supervisor.sh 2026-05-21 19:14:24 +00:00
Viktoria Konschuh
e40906a933 Edit archive.sh 2026-05-21 19:12:14 +00:00
Viktoria Konschuh
f29fbed900 Edit create_user.sh 2026-05-21 19:10:49 +00:00
20 changed files with 92 additions and 0 deletions

3
.gitignore vendored
View File

@@ -2,3 +2,6 @@
sheet01/a2/Hash.java
*.class
passwd
sheet04/AuthWithTOTP.java
sheet04/key-exchange.pcap
sheet06/a2/assign*

View File

@@ -0,0 +1,3 @@
#!/bin/bash
# $1 = directory path
chmod -R a-w "$1"

View File

@@ -0,0 +1,3 @@
#!/bin/bash
# $1 = username, $2 = comma-separated groups
useradd -G "$2" "$1" || usermod -aG "$2" "$1"

View File

@@ -0,0 +1,6 @@
UNIX permissions only support one Owner, one Group, and Other (UGO).
The 'Group' slot is already taken by the specific lecture group to give students write access.
If we use 'Other' to give the supervisor read access, every user on the system could read it, which would violate the requirements.
If we add the supervisor to the lecture group, they get write access, which also violates the requirements.
Because a file cannot have multiple groups or user-specific overrides under standard UNIX permissions, this cannot be solved.

View File

@@ -0,0 +1,3 @@
#!/bin/bash
# $1 = supervisor username
echo "not possible with the standard UNIX permissions. See explanation.txt."

3
sheet05/a2/archive.sh Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
TARGET_DIR=$1
chmod -R a-w "$TARGET_DIR"

View File

@@ -0,0 +1,4 @@
#!/bin/bash
USERNAME=$1
GROUPS=$2
useradd -G "$GROUPS" "$USERNAME" || usermod -aG "$GROUPS" "$USERNAME"

View File

@@ -0,0 +1,3 @@
The supervisor's read access would fail with UNIX permissions, since they are limited to one owner, one group, and "others".
Access Control Lists (ACLs) resolve this problem by allowing permissions beyond the standard three.
Using `setfacl`, we can append specific read and execute rights (r-x) for individual users (the supervisors) directly to the files and directories.

6
sheet05/a2/supervisor.sh Normal file
View File

@@ -0,0 +1,6 @@
#!/bin/bash
SUPERVISOR=$1
# Grant read and execute permissions to the supervisor user recursively
setfacl -R -m u:"$SUPERVISOR":r-x .
# Set the default ACL
setfacl -R -d -m u:"$SUPERVISOR":r-x .

4
sheet05/a3/a.txt Normal file
View File

@@ -0,0 +1,4 @@
Passwords are stored in the /etc/shadow file, which is restricted to the root user.
A standard user cannot write to it directly. However, the passwd executable is owned by root and has the SUID permission set.
When a standard user runs passwd, the SUID bit tells the system to execute the program with the privileges of root,
giving the program the temporary permissions to update /etc/shadow

5
sheet05/a3/b.txt Normal file
View File

@@ -0,0 +1,5 @@
The script runs with root privileges because the setuid bit is set.
Since it just asks for a username and saves the new hash to /etc/shadow,
and there is no validation checking if the user running the program is actually changing their own password,
someone could simply run the program, type root as the username, and set a new password for the root user.
The script would then overwrite the actual root password in /etc/shadow.

16
sheet06/a1/a.txt Normal file
View File

@@ -0,0 +1,16 @@
10:16:36 leo@group-20 ~ → sudo chmod u-s /bin/ping
10:18:59 leo@group-20 ~ → ping google.com
ping: socktype: SOCK_RAW
ping: socket: Operation not permitted
ping: => missing cap_net_raw+p capability or setuid?
10:19:03 leo@group-20 ~ → sudo setcap cap_net_raw+ep /bin/ping
10:19:48 leo@group-20 ~ → ping google.com
PING google.com (142.251.20.138) 56(84) bytes of data.
64 bytes from bx-in-f138.1e100.net (142.251.20.138): icmp_seq=1 ttl=112 time=10.5 ms
64 bytes from bx-in-f138.1e100.net (142.251.20.138): icmp_seq=2 ttl=112 time=9.83 ms
The capability is required because ping sends ICMP packets to function.
It has to create raw network sockets and for that the kernel needs the cap_net_raw capability.
The permitted set grants the executable the right to posess this capability.
The effective set is needed because ping is not programmed to automatically set the effective set on runtime which is needed for the program to open the raw socket immediately.

21
sheet06/a1/b.txt Normal file
View File

@@ -0,0 +1,21 @@
10:31:48 leo@group-20 ~ → ls -l /bin/netcat
lrwxrwxrwx 1 root root 24 Apr 8 2024 /bin/netcat -> /etc/alternatives/netcat
10:31:57 leo@group-20 ~ → ls -l /etc/alternatives/netcat
lrwxrwxrwx 1 root root 15 Apr 8 2024 /etc/alternatives/netcat -> /bin/nc.openbsd
10:32:11 leo@group-20 ~ → ls -l /bin/nc.openbsd
-rwxr-xr-x 1 root root 39560 Apr 8 2024 /bin/nc.openbsd
10:31:38 leo@group-20 ~ → sudo setcap cap_net_bind_service+ep /bin/nc.openbsd
10:32:46 leo@group-20 ~ → netcat -l 81
GET / HTTP/1.1
Host: 10.42.23.30:81
User-Agent: curl/8.20.0
Accept: */*
leo@leo-laptop:~$ curl 10.42.23.30:81
^C
On linux ports 0-1023 are privileged ports to which only the root user can bind by default.
By setting the cap_net_bind_service capability the executable can also bind to those lower ports.
/bin/netcat is only a symlink leading to /etc/alternatives/netcat which is a symlink leading to /bin/nc.openbsd.
The capabilities are stored in the file's inode. Because symlinks do not support extended attributes in this way the capability has to be stored on the target executable.

5
sheet06/a2/b.txt Normal file
View File

@@ -0,0 +1,5 @@
Java has bounds checking for arraycopy and other functions built-in, therefore when trying to do the same thing as before we get:
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: arraycopy: last source index 144 out of bounds for char[128]
at java.base/java.lang.System.arraycopy(Native Method)
at assignment2b.main(assignment2b.java:14)

1
sheet06/a2/stack-a.sh Executable file
View File

@@ -0,0 +1 @@
echo "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | "./assignment2a"

1
sheet06/a2/stack-a.txt Normal file
View File

@@ -0,0 +1 @@
The gets function reads into a buffer with 128 bytes from stdin. So to create a buffer overflow, I just need to put in 128 characters (all of the A) and then what we want to be written where the 32 bit integer is at the end (since it's behind the buffer inside of the struct).

1
sheet06/a2/stack-c.sh Executable file
View File

@@ -0,0 +1 @@
./assignment2c AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

1
sheet06/a2/stack-c.txt Normal file
View File

@@ -0,0 +1 @@
Same idea as a here, just that we put in 64 characters this time since the buffer is only 64 characters big. This means 65 A's and the job is done.

2
sheet06/a2/stack-d.sh Executable file
View File

@@ -0,0 +1,2 @@
NUMBER=$(printf "\x74\x69\x6E\x49")
./assignment2d AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$NUMBER

1
sheet06/a2/stack-d.txt Normal file
View File

@@ -0,0 +1 @@
Since we now want to change toChange to a deterministic value, specifically 0x496e6974, I just used printf to generate the ASCII characters for this number and then passed it straight to the program with some extra stuff in front to make the buffer overflow. You just have to put the bytes in reverse order due to little endian and stuff.