It's all in the past now
Time Remaining: 0d 17h 2m 59s
Linux - 100 points
Description
There is a flag stored in /flag.txt but only root can read it. Figure out how to get root access to read the flag.
To connect: ssh ctf@138.247.115.163
lsコマンドでファイルの一覧を確認します。$ ssh ctf@138.247.115.163The authenticity of host '138.247.115.163 (138.247.115.163)' can't be established.ECDSA key fingerprint is SHA256:AqYttsPq7Wf9h94q8PvDF3x00Tjpleg3C9yHm6ivwPA.Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '138.247.115.163' (ECDSA) to the list of known hosts.
lsコマンドでルートディレクトリのファイル一覧を確認します。ctf@e73e8745b012:~$ ls -altotal 24drwxr-xr-x 2 ctf ctf 4096 Apr 4 21:00 .drwxr-xr-x 6 root root 4096 Apr 4 21:00 ..-rw-rw-r-- 1 ctf ctf 702 Dec 22 00:38 .bash_history-rw-r--r-- 1 ctf ctf 220 Aug 31 2015 .bash_logout-rw-r--r-- 1 ctf ctf 3771 Aug 31 2015 .bashrc-rw-r--r-- 1 ctf ctf 655 May 16 2017 .profile-rw-r--r-- 1 ctf ctf 0 Apr 4 21:00 .sudo_as_admin_successful
flag.txtファイルがあります。アクセス権がないので中身を読むことはできません。ctf@e73e8745b012:~$ ls -al /total 76drwxr-xr-x 60 root root 4096 Apr 21 02:09 .drwxr-xr-x 60 root root 4096 Apr 21 02:09 ..-rwxr-xr-x 1 root root 0 Apr 21 02:09 .dockerenvdrwxr-xr-x 2 root root 4096 Feb 28 19:14 bindrwxr-xr-x 2 root root 4096 Apr 12 2016 bootdrwxr-xr-x 5 root root 340 Apr 21 02:09 devdrwxr-xr-x 72 root root 4096 Apr 21 02:09 etc---------- 1 root root 21 Apr 4 20:59 flag.txtdrwxr-xr-x 6 root root 4096 Apr 4 21:00 homedrwxr-xr-x 10 root root 4096 Apr 4 20:59 libdrwxr-xr-x 2 root root 4096 Feb 28 19:14 lib64drwxr-xr-x 2 root root 4096 Feb 28 19:13 mediadrwxr-xr-x 2 root root 4096 Feb 28 19:13 mntdrwxr-xr-x 2 root root 4096 Feb 28 19:13 optdr-xr-xr-x 520 root root 0 Apr 21 02:09 procdrwx------ 2 root root 4096 Feb 28 19:14 rootdrwxr-xr-x 7 root root 4096 Apr 21 02:09 rundrwxr-xr-x 2 root root 4096 Mar 6 22:17 sbindrwxr-xr-x 2 root root 4096 Feb 28 19:13 srvdr-xr-xr-x 13 root root 0 Apr 20 19:05 sysdrwxrwxrwt 2 root root 4096 Apr 4 20:59 tmpdrwxr-xr-x 21 root root 4096 Apr 4 21:00 usrdrwxr-xr-x 21 root root 4096 Apr 21 02:09 var
.bash_historyファイルを見てみます。sudoコマンドをタイプミスしてパスワードが記録されています。ctf@e73e8745b012:~$ cat /flag.txtcat: /flag.txt: Permission denied
sudoでcatコマンドを実行します。パスワードにはtomatosoupと入力します。ctf@e73e8745b012:~$ cat .bash_historyvim myscript.shvi myscript.shsudo apt install vim-tinysudo apt install updatesudo apt updatesudo apt install vim-tinylsvi myscript.sh./myscript.shchmod +x myscript.shvi myscript.sh./myscript.shvi myscript.sh./myscript.shvi myscript.sh./myscript.shvi myscript.sh./myscript.shvi myscript.sh./myscript.shlscat myscript.shsh ./myscript.shvi myscript.sh./myscript.shvi myscript.sh./myscript.shvi myscript.sh./myscript.shvi myscript.sh./myscript.shbash -x ./myscript.shrm myscript.shsudo ./myscript.shvi myscript.shsufo ./myscript.shtomatosoupsudo ./myscript.shvi mycrypt.shsudo ./myscript.shvi mycrypt.shsudo ./myscript.shvi mycrypt.sh./myscript.sh
rm myscript.sh
ctf@e73e8745b012:~$ sudo cat /flag.txt[sudo] password for ctf:MCA{shooJ5aeshaiw4y}
フラグは、
MCA{shooJ5aeshaiw4y}