This post is part of my Hacktober CTF 2020 writeups series. To check out the entire series, read the post below.
Hacktober CTF 2020 write-up series
Jason Rebelo γ» Oct 19 γ» 2 min read
Talking to the dead 1 (30 points)
We've obtained access to a server maintained by spookyboi. There are four flag files that we need you to read and submit (flag1.txt, flag2.txt, etc). Submit the contents of
flag1.txt
.
ssh hacktober@env.hacktober.io
Password:
hacktober-Underdog-Truth-Glimpse
challenge author: syyntax
Analysis
So here we are given access to a server and are supposed to find a few important files denoted flagX.txt
, X being 1 to 4.
The first thing to do is to connect to that server and do some file discovery.
Discovery
After connecting to the server, since we know what files we are looking for,
we can simply run find to see if all 4 files show up in our search.
There we go, now we know exactly where the files we need are located.
To break down the above command into simple terms first though:
- find is a command that allows us to look for different kinds of files, anywhere on the system. It comes with some neat features such as looking for files with a specific name, or files with a specific extension, and so on.
- the / character indicates to the find command that we want to search everywhere on the system.
- the -name "*flag*.txt"* argument indicates to the find command that we are looking for files with a name that has "flag" in its name, and ends with the extension ".txt".
- 2>/dev/null redirects all error output outside of our view. This makes it so we don't see a bunch of errors while trying to find files in folders that we don't have permission to see.
Solving
From here, we can simply read the file since we know its location:
Here's the flag: flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c}
Talking to the dead 2 (30 points)
There's a hidden flag that belongs to luciafer. Submit the contents of the hidden flag2.txt.
ssh hacktober@env.hacktober.io
Password:
hacktober-Underdog-Truth-Glimpse
challenge author: syyntax
Analysis
The challenge here was that this file is a hidden file (it starts with a ., this makes it so that the file is usually hidden from searches, unless we are specifically looking for hidden files, which we are!).
Since we expected this from the start, we made find look for this kind of file, too.
Solving
Once again, we can simply read the file since we know its location:
Here's the flag: flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}
Talking to the dead 3 (100 points)
Submit the contents of
flag3.txt
from the remote machine.
ssh hacktober@env.hacktober.io
Password:
hacktober-Underdog-Truth-Glimpse
challenge author: syyntax
Analysis
We already know where this file is, but we don't have the rights to read it:
The logical next step here is to find a way to either get access to that user's
login credentials, or to find an application that allows us to bypass our insufficient permissions.
Discovery
To achieve this, I ran LinEnum, a script that automatically checks the entire system for potential ways of gaining higher privileges. Nothing interesting showed up though in terms of privilege escalation, other than potential applications with the SUID bit set.
The SUID bit allows any user to run an application with elevated privileges.
In order to find these kinds of applications, that potentially allows us to escalate our privileges, we can also use the find command:
Most of these applications look and are quite normal, they are part of the packaged linux applications. One of these stands out though: ouija. It's not a standard application, so let's see what it's all about.
Oh. This application lets us read files in the root directory, regardless of whether we have the right to or not.
The problem now though, is that the file we want to open right now, is not in the root directory.
Solving
We first try to pass the full path to the flag3.txt file to ouija:
We notice that it doesn't work, but we also notice immediately that the program simply takes the path we provide, and appends it to /root, so maybe we can just do some simple path traversal to get to the file we want to read?
There we go! Simple as that π
Here's the flag: flag{445b987b5b80e445c3147314dbfa71acd79c2b67}
Talking to the dead 4 (300 points)
We suspect spookyboi doesn't use the root account for this server. There must be some mechanism used to read the flag4.txt file without gaining root. Submit the contents of
flag4.txt
from the remote machine.
ssh hacktober@env.hacktober.io
Password:
hacktober-Underdog-Truth-Glimpse
challenge author: syyntax
Analysis
Looking at the point difference in "Talking to the dead" 3 and 4, we come to the realisation that ouija was probably supposed to be part of "Talking to the dead 4" only, and the path traversal trick was an unintended solution to "Talking to the dead 3". I'm guessing that there was a way to find the password for the spookyboi user, maybe from another challenge.
Either way, there is no big secret about solving this challenge anymore π
Solving
Here's the flag: flag{4781cbffd13df6622565d45e790b4aac2a4054dc}
Conclusion
That's it for the "Talking to the dead" challenges. A pretty easy linux challenge that required some knowledge about finding files, path traversal tricks, SUID bits, and maybe some effort into finding spookyboi's password? We'll never know!
If you're interested in other writeups for this CTF, check out the post below.
Top comments (0)