Grave Digger 2
Challenge:
A member of DEADFACE has a sensitive file on d34th's machine. See if you can find a way to read the gravedigger2 file. Submit the flag as flag{flag text}.
env.deadface.io Password: 123456789q
Use context from Grave Digger 1
Solution:
From our initial reconnaissance during the Grave Digger 1 challenge, we knew that crypto_vamp didn't have any files in their home directory, so we checked for other users on the server:
$ ls /home/
crypto_vamp lilith spookyboi
Knowing there were additional home directories, we ran a simple find to list files in those directories, which located the target file for the challenge in lilith's documents directory:
$ find /home 2>/dev/null
/home
/home/lilith
/home/lilith/Desktop
/home/lilith/Pictures
/home/lilith/Music
/home/lilith/Documents
/home/lilith/Documents/gravedigger2.png.txt
/home/lilith/Documents/gravedigger2
...
Unfortunately, the files were not readable by our user:
$ ls -l /home/lilith/Documents/
total 8
-rw-rw---- 1 lilith lilith 2031 Oct 13 22:45 gravedigger2
-rw-rw---- 1 lilith lilith 993 Oct 13 22:46 gravedigger2.png.txt
However, from our reconnaissance during Grave Digger 1, we had observed that our user had sudo privileges to run a program as lilith without needing a password:
$ sudo -l
...
User crypto_vamp may run the following commands on 3f160b00fdd5:
(lilith) NOPASSWD: /opt/reader
The program's help output made it obvious that this was the way to read the target file:
$ /opt/reader -h
Reader v1.3.1. Built for collaboration with new recruits.
Syntax: reader [OPTIONS] [FILENAME | ARGUMENTS]
Options:
-h View this help information.
-f FILENAME Read the contents of a file.
-v View version information
man reader \for more information.
Using /opt/reader to read gravedigger2 produced a QR code in ASCII art:
Additionally, the gravedigger2.png.txt file produced a Base64 encoded string:
crypto_vamp@3f160b00fdd5:~$ /opt/reader -f /home/lilith/Documents/gravedigger2.png.txt
Viewing the QR code in a reader, or decoding the Base64 in CyberChef produced the same flag:
The accepted flag was: flag{d1091652793d0f31f53164353b6414e9}
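
The sudo rule that made this possible, (lilith) NOPASSWD: /opt/reader, names a bare path, and in sudoers a command listed without arguments may be run with any arguments, including -f on any file lilith can read. The following is an added example, not part of the original writeup: a small audit that reads `sudo -l` style output and reports NOPASSWD rules with no argument restriction. The function names and the two extra rules in the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag NOPASSWD sudo rules that place no limit on arguments.

# Constructed sample input: the first rule is the one shown in this writeup,
# the other two are hypothetical rules added for contrast.
sample_sudo_l() {
cat <<'EOF'
User crypto_vamp may run the following commands on 3f160b00fdd5:
    (lilith) NOPASSWD: /opt/reader
    (root) /usr/bin/systemctl restart nginx
    (backup) NOPASSWD: /usr/local/bin/rotate ""
EOF
}

# Reads `sudo -l` output on stdin and prints "runas<TAB>command" for every
# NOPASSWD rule whose command is a bare path. In sudoers a bare path permits
# any arguments, while a trailing "" permits none.
# Simplification: commands are split on commas, so escaped commas inside an
# argument list are not handled.
audit_nopasswd() {
    awk '
    /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*\(/, "", line)
        runas = line
        sub(/\).*/, "", runas)               # text inside the parentheses
        spec = line
        sub(/^[^)]*\)[ \t]*/, "", spec)      # everything after "(runas)"
        if (spec !~ /NOPASSWD:/) next        # password still required
        while (spec ~ /^[A-Z_]+:[ \t]*/)     # drop tags such as NOPASSWD:
            sub(/^[A-Z_]+:[ \t]*/, "", spec)
        n = split(spec, cmds, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            # no whitespace means no argument list was pinned in the rule
            if (c != "" && c !~ /[ \t]/) printf "%s\t%s\n", runas, c
        }
    }'
}

sample_sudo_l | audit_nopasswd
```

A rule reported here deserves a look at what the program can do with attacker-chosen arguments when run as the listed user.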