CTF Captured the Flags
In this Wiki I'm going to review and solve some capture-the-flag challenges from different platforms, among them:
- root-me
- hack-the-box
- Hackme
- Defcon
- TryHackMe
These are the topics that I'm going to mention:
Root Me 💀
The first challenge is from the Root-me webpage (bash - System 1), which according to its description has a "very easy" level.
Once we are in the SSH terminal we can see three files:
Makefile ch11 ch11.c
With the command ls -l we can see their permissions:
-r--r----- 1 app-script-ch11-cracked app-script-ch11 494 May 19 18:29 Makefile
-r-sr-x--- 1 app-script-ch11-cracked app-script-ch11 7252 May 19 18:34 ch11
-r--r----- 1 app-script-ch11-cracked app-script-ch11 187 May 19 18:34 ch11.c
From the listing above we can see that ch11 is a SUID executable. SUID is a special file permission for executable files that lets other users run the file with the effective permissions of the file owner (Linux).
According to the CTF website, the program uses the system() call to list the file .passwd:
/* ch11.c as provided by the challenge (intentionally vulnerable) */
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
/* make the real uid equal to the effective (SUID owner) uid */
setreuid(geteuid(), geteuid());
/* "ls" is resolved through the caller's PATH, not by an absolute path */
system("ls /challenge/app-script/ch11/.passwd");
return 0;
}
Note that ls is invoked with a relative path name, so we can change PATH to make the shell find our own program instead of the regular system binary.
First, I'm going to print all the aliases with the command export -p. Next, I'm going to make a temporary directory in /tmp called "ls"; the next step is replacing the command ls with another one, like cat: cp /bin/cat /tmp/ls
The final step is to make an ALIAS: PATH=/tmp/ls:$PATH
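To make the mechanism behind this challenge concrete, here is an added example (my own code, not Root-me's): which_in_path() reproduces the left-to-right PATH lookup that /bin/sh performs for the bare "ls" in ch11.c, so you can see which directory wins, and run_trusted() is the hardened counterpart that calls the helper by absolute path with a fixed environment. The path /challenge/app-script/ch11/.passwd comes from the challenge source; /bin/ls is assumed to exist.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Resolve cmd the way the shell does: walk PATH left to right and return
 * the first entry that is a regular, executable file ("" if none).
 * This is the lookup a SUID program hands to the caller when it uses
 * system("ls ...") instead of an absolute path. */
const char *which_in_path(const char *cmd, const char *path)
{
    static char out[4096];
    char *copy = strdup(path ? path : "");
    out[0] = '\0';
    if (!copy) return out;
    for (char *dir = strtok(copy, ":"); dir; dir = strtok(NULL, ":")) {
        struct stat st;
        char cand[4096];
        if (snprintf(cand, sizeof cand, "%s/%s", dir, cmd) >= (int)sizeof cand) continue;
        if (stat(cand, &st) == 0 && S_ISREG(st.st_mode) && access(cand, X_OK) == 0) {
            strcpy(out, cand);
            break;
        }
    }
    free(copy);
    return out;
}

/* Hardened version: absolute path plus a fixed environment, so neither the
 * caller's PATH nor any other inherited variable can redirect the call.
 * Returns the child's exit status, or -1 on error. */
int run_trusted(const char *abs_path, char *const argv[])
{
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(abs_path, argv, clean_env); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Show which binary the vulnerable ch11 would end up running. */
    printf("sh would run: %s\n", which_in_path("ls", getenv("PATH")));
    char *const argv[] = { "ls", "/challenge/app-script/ch11/.passwd", NULL };
    return run_trusted("/bin/ls", argv);
}
```

Run it once with the normal PATH and once with a writable directory prepended to see the resolved entry change; run_trusted() prints the same result either way.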
Root Me 💀
- Exercise 1
An easy challenge is FTP - authentication, which gives us a network capture; the idea is to find the password in the FTP communication. Once you have the file you can open it with Wireshark and apply the option "Follow TCP Stream", where you can find the flag.
- Exercise 2
An easy challenge is TELNET - authentication, which gives us a network capture; the idea is to find the password in the TELNET communication. Once you have the file you can open it with Wireshark and apply the option "Follow TCP Stream" on a TELNET packet, where you can find the flag.
I've been exploring this platform to teach my classes. This is an effective way of both learning and showing various aspects related to ethical hacking using some challenges; this page is very intuitive and allows anyone, with or without the knowledge, to face each room. This is the URL of my profile: https://tryhackme.com/p/urcuqui
The following are some Linux system files that have sensitive information.
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the file descriptor)
/proc/self/environ
/proc/version
/proc/cmdline