Share
## https://sploitus.com/exploit?id=8996DFDA-1D05-5ECF-8F50-4B60A3DA564D
# SnowCrasher

This project is an introduction to cyber security. Through several challenges, you will discover security vulnerabilities in various fields and learn to identify and exploit them.

## Getting Started

```bash
wget https://cdn.intra.42.fr/isos/SnowCrash.iso
```

### on the Virtual Machine

On oracle VM: 
Click on New

### Requirements

|setting name||
|---|---|
|name | SnowCrasher |
|ISO Image | path of SnowCrash.iso |
|type | Linux|
|Version | Ubuntu 64bits|
|Network | Bridge Network|


### credentials
|usr|pwd|
|---|---|
|level00|level00|


for the SSH connection :
```bash
ssh level00@ -p 4242
```

## Project Structure

### Mandatory Part (10 levels)

- [x] level00
- [x] level01
- [x] level02
- [x] level03
- [x] level04
- [x] level05
- [x] level06
- [x] level07
- [x] level08
- [x] level09

### Bonus Part (5 levels)

- [ ] level10
- [ ] level11
- [ ] level12
- [ ] level13
- [ ] level14

## Repository Structure

Your repository must follow this structure:

```
.
โ”œโ”€โ”€ level00/
โ”‚   โ”œโ”€โ”€ flag
โ”‚   โ””โ”€โ”€ resources/
โ”‚       โ””โ”€โ”€ 
โ”œโ”€โ”€ level01/
โ”‚   โ”œโ”€โ”€ flag
โ”‚   โ””โ”€โ”€ resources/
โ”‚       โ””โ”€โ”€ 
โ”œโ”€โ”€ level02/
...
```
## Rules

### Forbidden

- Brute forcing SSH flags
- Including ISO files in repository
- Including binary files

### Required

- Document your solutions
- Be able to explain your methods
- Use `resources/` folder for proof files
- External tools must be set up in separate environment


## Command can be used

- `ssh` - [Remote connection](https://linux.die.net/man/1/ssh)
- `scp` - [File transfer](https://linux.die.net/man/1/scp)
- `strings` - [Extract strings from binaries](https://linux.die.net/man/1/strings)
- `ltrace` - [tracer](https://linux.die.net/man/1/ltrace)
- `strace` - [tracer](https://linux.die.net/man/1/strace)
- `gdb` - [Debugger](https://www.rocq.inria.fr/secret/Anne.Canteaut/COURS_C/gdb.html)
- `objdump` - [Disassembler](https://man7.org/linux/man-pages/man1/objdump.1.html)
- `xxd` - [Hex editor](https://man7.org/linux/man-pages/man1/hexdump.1.html)
- `cat` - [Read files](https://man7.org/linux/man-pages/man1/cat.1.html)
- `su` - [Switch user](https://man7.org/linux/man-pages/man1/su.1.html)
- `find` - [Search files](https://man7.org/linux/man-pages/man1/find.1.html)
- `grep` - [Search content](https://man7.org/linux/man-pages/man1/grep.1.html)
- `grep` - [Search content](https://linux.die.net/man/1/egrep)
- `curl` - [transfer a URL](https://linux.die.net/man/1/curl)
- `getfacl` - [get file access control lists](https://linux.die.net/man/1/getfacl)
- `ln` - [links between files](https://man7.org/linux/man-pages/man1/ln.1.html)


## Notion

- **-** : classic file
- **d** : directory
- **l** : link 
- **c** : character
- **b** : block
- **p** : pipe 
- **s** : socket
- **+** : ACL (Access Control Lists)

| - | rw- | r-- | r-- |
| --- | ---- | --- | ---- |
| type of file| root | group | others |

- **r** : read
- **w** : write
- **x** : excute

## Kernel vulnerability

on target:
```bash
uname -a
>> Linux SnowCrash 3.2.0-89-generic-pae #127-Ubuntu SMP Tue Jul 28 09:52:21 UTC 2015 i686 i686 i386 GNU/Linux
```
We search CVE of this version 3.2.0-89-generic-pae. We find the **"the pokemon exploit of the dirtycow vulnerability"**
If we follow the instruction from https://www.exploit-db.com/exploits/40839, we can use it to become root and find all the flag. 

> [!NOTE]  
> It was fun to fond this but it's not the aim of this module so let's start by [level00](level00/ressources/README.md).

## Documentation

https://www.malekal.com/fichier-etc-passwd-linux/
https://hackingeek.com/fichier-etc-passwd-pour-lelevation-des-privileges/