The Root of All Evil

Challenge:

DEADFACE is known for leaving a "calling card" on systems they exploit. What flag did the attackers leave after they gained root access to the web server?

Submit the flag as flag{flag_text}

Use the packet capture from Scans.

Solution:

We know from the previous related challenges that remote shells were established as two users, www-data and root. We also know that streams with destination port 13123 belonged to www-data, while streams with destination port 4815 belonged to root. With that in mind, we set a Wireshark display filter of tcp.dstport == 4815, ran a string search for whoami, and used Follow TCP Stream on the packet the search identified, which was in stream 5054.

The flag is visible right at the beginning of the stream:

root@esu-web-7734:~# echo "flag{pr1vesc_wi7h_cROn}"
echo "flag{pr1vesc_wi7h_cROn}"

The accepted flag was: flag{pr1vesc_wi7h_cROn}
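
The same triage can be scripted when Wireshark is not at hand. The following is an added example, not part of the original write-up: it filters a capture by TCP destination port, joins each flow's payloads, and reports flag-shaped strings from flows that also contain the whoami marker. It assumes a classic pcap file (not pcapng) with Ethernet framing and IPv4, and joins only the direction matched by the port filter; the function names and the sample capture are constructed for illustration.

```python
import re
import struct
from collections import defaultdict

FLAG_RE = re.compile(rb"flag\{[^}\r\n]+\}")

def tcp_payloads(pcap, dst_port):
    """Yield (flow, payload) for IPv4/TCP segments sent to dst_port (classic pcap, Ethernet)."""
    endian = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        if len(tcp) < 20:
            continue  # truncated TCP header
        sport, dport = struct.unpack("!HH", tcp[:4])
        data = tcp[(tcp[12] >> 4) * 4:]
        if dport == dst_port and data:
            yield (ip[12:16], sport, ip[16:20], dport), data

def find_flags(pcap, dst_port, marker=b"whoami"):
    """Join payloads per flow in capture order; return flags from flows containing marker."""
    streams = defaultdict(bytes)
    for flow, data in tcp_payloads(pcap, dst_port):
        streams[flow] += data
    flags = set()
    for blob in streams.values():
        if marker in blob:
            flags.update(m.decode() for m in FLAG_RE.findall(blob))
    return sorted(flags)

def _frame(sport, dport, payload):
    """Build one pcap record: Ethernet + IPv4 + TCP (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + tcp
    eth = b"\x00" * 12 + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

# Constructed capture: hostnames, ports 40000-40002 and flags are made up.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _frame(40000, 13123, b"www-data@host:/$ whoami\nwww-data\n")
          + _frame(40001, 4815, b'root@host:~# echo "flag{constructed_sample}"\n')
          + _frame(40001, 4815, b"root@host:~# whoami\nroot\n")
          + _frame(40002, 4815, b"flag{decoy_without_marker}\n"))
```

Calling find_flags(SAMPLE, 4815) returns only the flag from the flow that also contains whoami; the decoy flow and the port 13123 flow are skipped.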
