Day 17

warmup/the-void

The Void

Author: n nalo_
Category: warmup

This challenge offers us to connect to a remote host. When connecting, we can see our terminal is filling with some empty characters.

The challenge’s description being “When you gaze long into the void, the void gazes also into you…”, I immediately though that the flag would be hidden in the middle of this nothingness.

Thus, I wrote a script using pwntools to the data until intercepting the flag.

The code is has simple as that:

1
import pwn
2

3
IP = "challenge.ctf.games"
4
PORT = 99999
5

6
conn = pwn.remote(IP, PORT)          # connecting to remote
7
data = conn.recvuntil(b"}").decode() # receive until end of flag
8
print(data)                          # print received data

And that was enough! The flag appears when gazing long enough into the void…

misc/linux-basics

Linux Basics

Author: n nalo_
Category: misc

This challenge is less technical than linux knowledge. We are given a host to connect to, and by answering all the given questions, the flag is given.

Question 0: What’s your home directory?

By running whoami, we see our user is called user. Thus, the home directory, located at /home/<username> is /home/user. We can also go to this home and print the current working directory: cd ~ && pwd.

Question 1: Search the man pages. What command would you use to generate random permutations?

By a simple google search, we can find a man page for this question. The answer is shuf.

Question 2: On what day was /home/user/myfile.txt modified? Use the date format 2019-12-31

To know the edit date of a file, we can use the argument -l of the ls command, for details. Thus:

$ ls -l /home/user/myfile.txt
-rwxr-xr--    1 root     admin        22200 Aug 29  1997 /home/user/myfile.txt

We can see the date of “Aug 29 1997”. Formated as waited gives 1997-08-29.

Question 3: How big is /home/user/myfile.txt, in kilobytes? Round to the nearest whole number.

Using the above command, with can see the size is 22200 bytes. In kilobytes (divided by 1024), gives 21.7Kb. Rounded to the nearest int gives 22.

Question 4: What user owns the file /home/user/myfile.txt

Still using the above command, we can see that the user owning the file is root.

Question 5: What’s the 3-digit octal permissions of the file /home/user/myfile.txt? (e.g 777)

Using the above command, we see that the rights are -rwxr-xr--. To convert to numbers, we can decompose:

   u   g   o     # User rights / Group rights / Other rights
d rwx rwx rwx    # Directory / Read / Write / eXecute
- rwx r-x r--    # our case. We can ignore d.
  111 101 100    # equivalent in binary
=  7   5   4     # conversion to decimal

The octal version of the permissions of this file is then 754.

Another way to get it is using stat command. We can print the permissions using its format -c '%a':

$ stat -c '%a' myfile.txt
754

Question 6: What is the user id of ‘admin’?

We can have informations about a user and its groups with the id command:

$ id admin
uid=1338(admin) gid=1338(admin) groups=1338(admin)

The id of ‘admin’ is 1338

Question 7: There is a user ‘john’ on the system. Can they write to /home/user/myfile.txt? (yes/no)

Using the same base command, we can check which group john is in:

$ id john
uid=1001(john) gid=1338(admin) groups=1338(admin),1338(admin)

We can see he is in the admin group. In question 3, we saw the owner of the file is root user, and the admin group. In question 5, we saw that the right for group is r-x, so read, execute, but not write. The answer is no.

Question 8: Can the ‘admin’ user execute /home/user/myfile.txt? (yes/no)

In question 6 we saw admin is part of the admin group. In question 7, we saw this group have execution rights. Thus, the answer is yes

Question 9: Which user on the system, except for you, root, admin and john, can execute /home/user/myfile.txt?

We saw in question 3 that admin group have access to the file. Thus, we need to know who is part of this group.

We can read the file /etc/group to know that. This files contains every groups, their name and ID, as well as their users:

$ grep "admin" /etc/group
admin:x:1338:user,john,rose

The user we don’t know yet is rose.

Question 10: /home/user/myfile.txt looks like a txt file, but it actually isn’t. What kind of file is it?

The file command allows us to determine the type of a given file:

$ file /home/user/myfile.txt
/home/user/myfile.txt: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 807x114, components 3

We can see the file is a JPEG image.

pwn/baby-buffer-overflow-32bit

Baby Buffer Overflow - 32bit

Category: pwn

TODO

web/moveable

MOVEable

Category: web

TODO