User own - each computer has one or more user accounts that are not admin/root, when you get access to the user of the computer, it counts as owning that user.
Root is when you get access to the root account of the computer - the account that has permissions to do anything it wants. Full control over the system.
To own a user you need to submit a user flag, which is located on the desktop of the user.
Each machine has 1 user flag but can have multiple users.
Root flag is basically a user flag for root/administrator account. There is always 1 root flag.
I'm curious in one thing: when I downloaded GParted and looked at my root partition it was without "root" flag, and when I tried to flag it there was no "root" flag from the list. When I was installing Ubuntu (Ubuntu Studio) I flagged the partition as "root".Is it fine? As I understood, user just can't see the "root" flag of the root (/) partition even though it's flagged.Am I right? If not, will it cause any issues while installing apps, packages or in general any problems?
If the box has been reset since you got the flags, the ones you have will be invalid and you will need to get them again. The best advice is to submit the flags as soon as you get them rather than wait until you have both.
Flag iris roots become very invasive in garden settings and need to be dug and divided every few years to keep them flowering and in check - so using garden grown plants is a very sustainable way of dyeing yarn. They should not be dug up from the wild as taking roots is against the foragers code.
Dyeing successfully with roots is a slow process - the dye colour is locked within the structure of the root and it can take a while for the cells to loosen and the dye to be released. The method I used here was to chop the roots finely and then repeatedly simmer and cool them over a week.
I mordanted small skeins of wool with 10% alum and then stirred them into the dye pot making sure that they were completely soaked. I gradually increased the heat to hand hot - avoiding it getting hot enough to either damage the wool or brown the pigment - and then left them to cool naturally before removing the skeins and rinsing them.
I mixed rainwater and 1 teaspoon of ferrous sulphate and soaked one of the skeins in the mix. It became a mid grey very quickly and I removed it and rinsed well. It is important that none of the iron remains on the fibres as it can damage them.
Flag iris root is a traditional Scottish dye material - if you are prepared to increase the amount of iron and the time the fibres are in it then it is possible to get a dark charcoal colour. However this risks the rotting of the fibres over time - something that is seen in historic examples.
There are some dye stuffs that carry a little bit of legend with them, an inbuilt reminder of respect. Where we all happily pile on in collecting onion skins and picking nettles, we rightly hesitate when it involves digging up things.
Indeed I'd talked about it to my friend Kat at Gartur Stitch Farm whose old vegetable beds were infested with flag iris, but somehow those conversations were always over a cup of coffee in her warm Studio and never quite made it to slipping around in the mud digging up roots.
Then, last month I stayed for a few nights at the garden designer Arne Maynard's house Allt y Bela where the gardeners were busy digging out flag iris from the stream that borders the drive. The iris clumps had outgrown their space and needed to go. I spotted a chance and struck up conversation, a conversation that was rewarded with a great clump to take home in a compost bag and experiment with.
I very gently simmered them for a couple of hours, and then heated the water gently and allowed it to cool over the next few days. My hope was to get the dye chemicals out of the root as gently as possible.
I added in a couple of pieces of linen which had been scoured and then mordanted with aluminium acetate. Left overnight it turned the palest of pale greys - you can see it as the top sample in my dye record book. The initial linen was a white so there is some colour change, but not much.
The magic. I rinsed the linen and put one piece into an iron solution - a small amount of iron crystals in water in a jar, less than 2%. After about ten to fifteen minutes it had changed to a beautiful dark purplish navy.
This was pretty useful for us as we come as an extra layer, on top of you, we used this for consistency to be sure that python version used with ROOT is the same as the one requested by our user wen installing our platform.
Would it be possible to bring this information back ?
You can easily use bin/root-config --python-version that was created for this puprose.
(otherwise if you think that it is not enough please open a Jira ticket, we will happy to check how it could be improved)
I already use root-config --python-version to compare the versions used by ROOT and requested for our platform by a user. The only thing I meant is that up to now, thanks to the information provided, I was able to overwrite python config at cmake level for our platform to be sure (if requested python version was not the one ROOT was compiled with) that everything was safe and sound.
At the time of writing this post, this VM was part of a local security communities (zacon) pre-con challenge. Finding /root/flag.txt would have entered you into a draw for winning a prize :D However, the greater goal of the challenge was to learn something. I set out some time and attempted the challenge. Fortunately, I managed to complete it in time. So, this is the journey I took to solve this. You can now download and try this VM yourself over at VulnHub. Unzip, mount and boot the VM. Once the VM is booted, it should have an IP assigned via DHCP.
I think it is interesting to note that I used a very limited set of tools to complete this. No bruteforcers, metasploits, vulnerability scanners and or fancy proxies were used. My toolset consisted out of netcat, nmap and other basic bash commands. There are probably a gazillion ways to do this as lots of this stuff is preference based on how they are approached. However, the basic ideas of the vulnerabilities remain the same.
Enumeration is key to starting something like this. The more you know about the host, the more you are able to adapt and think about as you go through the challenge. So, we know we have a SSH Server, a FTP server and a Web server exposed.
With the little bit of poking around we have just done, we are able to say that this may be a Fedora Core Server, running Apache 2.2.13, with ProFTPD and the mod_sql plugin. This already gives us quite a lot to work with in the sense of researching the respective software in search of known vulnerabilities.
With me loving web based security, my first attempt at further enumerating the machine was via the web server. I searched for cgi-bin/ type problems, potentially hidden directories via robots.txt, username enumeration via home directories etc. to no avail. At some stage it became very apparent that the initial entry point for this server was not via the Web.
The next step was the FTP server. As it was purposely disclosing the fact that it was using mod_sql, instinct kicked in and I attempted to check the responses if I tried to login with username ' and password '.
From this research, we can be pretty confident in thinking that this specific FTP server may as well be vulnerable to the exact same vulnerability, and may very well be our first entry point into the system. Sample exploits are available here, and as such I attempted to exploit this. I copied the SQLi payload from the website %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; -- and pasted this as the username, whereafter I provided 1 as the password.
My first attempts to exploit this was very successful. For this kind of potential vulnerability, I have a small PHP data stream wrapper shell in my toolbox. Normally, the shell looks something like this:
Taking one quick step back, I investigated the sources of the website in order to maybe find some credentials that may attach this website to a database or something similarly useful. While doing this, I noticed the index.php page was in fact doing partial input validation, which may cause some web shells not to work :)
What is particularly important to note here is the fact that this private key is not password protected. Usually, password protected keys would have a line such as Proc-Type: 4,ENCRYPTED indicating this. This key does not. So, using this, it would be as easy as specifying a private key to use when connecting and viola. I saved the the contents of id_rsa to a file called key, and specified it to be used when connecting with the -i flag:
So back to the drawing board it was. I decided to download and compile my own local version of the backdoored ircd daemon, and test what the expected result of this backdoor should be. At the same time I also learnt a little about unrealircd itself and how to configure it. win :)
Right… well that is not exactly very helpful… or is it? Admittedly, this was the part that cost me the most time. I got lost on a path which is lead by enum->sploit->post, and wandered off into a world of binary analysis, process packet sniffing and eventually reverse engineering. Initially, I somehow figured that auth_server should be running, and should provide the IRCd with NickServ capabilities, so that maybe I could VHOST to a vDomain of a operator account, IDENT as him and then discover other hidden treasures…
This did not help me get what I was clearly missing, and so, I went back to the enumeration step. What do I know about my current environment? WHERE do I have access now? WHAT access do I have? Anything different here that I may be missing. Eventually, I tried to so a sudo -l, which should list the commands I am allowed to run with sudo. Because my shells were all build with netcat, I had no proper tty to work with, so, sudo would complain about this. A quick fix with python, and all is well again:
c80f0f1006