The new RIT Security Club (RITSEC), formerly RC3/SPARSA

RITSEC Fall 2018 CTF — Week 0

The fall semester at RIT kicked off with a new club — RITSEC! SPARSA and RC3 are now officially merged under the new name. Although the official presentation and challenge write-ups for the semester CTF will be posted on ritsec.club for those interested, I will still be posting more detailed write-ups here each week for the challenges I am able to solve. I do this because as a freshman, when I read the challenge write-ups they often went step-by-step but never elaborated on why a certain command was run or the strategy the user followed when solving the challenges. This is my effort to explain the reasoning behind the process.

Once again, I’ll strive to be consistently posting each Saturday but between a full course load, RITSEC, other clubs, and a networking project, we will see how things go. Let me know of any errors. Enjoy! =D

Topic

Week 0’s topic is “Intro to Linux”. Points are earned this week by demonstrating capability in Bash through a customized CentOS virtual machine provided by the club. The login is “ritsec”/“password”.

Easy 1 — What users are here? (flag in the form RS{})

The hint for Easy 1 could have two different meanings: “Who is currently logged in?” or “Who has an account on this machine?”. To determine users currently logged in to a Linux system, the who command is used.

Results of the “who” command

However, this unfortunately leads nowhere because the only two users are my current session (ritsec) and the tty1 account, which is used to switch between a GUI and text-only input. To try the second option and determine the users present on this machine, open the file /etc/passwd. This file lists every account on the system, both human users and the service accounts that processes run under.

Results of the “cat /etc/passwd” command

The flag can be seen in the last line of the file, RS{EASY1_ETC_PA55WD_21f63c6e971cd913a9c147e8652ca659}.

Easy 2 — hackerman1337 is hiding the flag in his home directory! How do I find it? (flag in the form RS{})

The hint for Easy 2 suggests that the flag is hidden in the home directory of another user on the machine, hackerman1337. Change the directory to /home/hackerman1337.

Results of the “cd /home/hackerman1337” command

There is no folder for hackerman1337 in the home directory. What about in the usr directory?

Results of the “cd /usr/hackerman1337” command

The folder is present, but there are no visible files in it. To view all files (including hidden files), run the ls -a command.

Results of the “ls -a” command

Here we see the hidden files: on Linux a file is hidden when a . is prepended to its name. Most of the entries belong in this folder. There are the current directory (.) and parent directory (..) entries and several files related to the bash shell. However, .supersecret.txt appears to be the flag. View the contents of the file.

Results of the “cat .supersecret.txt” command

The flag is in the file, RS{EASY2_H0ME_D1R_4075b57884e22ff171216e49dee6e158e}.
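As an added example that is not part of the write-up, the two Easy steps as a script: parse a passwd-format file for the accounts that can actually log in, then list the dotfiles in a home directory. The passwd content and the home directory are constructed here rather than copied from the club's VM, and the UID 1000 cut-off for human accounts is an assumption (it is the CentOS default, but the VM's real file is not reproduced).

```shell
#!/bin/sh
# Added example (not from the write-up): parse a passwd file for login-capable
# accounts and enumerate dotfiles in a home directory. The passwd content and
# the home directory below are constructed.

# list_login_accounts FILE
# Print "user:uid:home" for every entry whose shell is a real shell (not
# nologin/false) and whose UID is 0 or >= 1000 (assumed cut-off for human
# accounts). Daemon accounts in the 1-999 range are skipped.
list_login_accounts() {
  awk -F: '
    $7 !~ /(nologin|false)$/ && ($3 == 0 || $3 >= 1000) { print $1 ":" $3 ":" $6 }
  ' "$1"
}

# list_dotfiles DIR
# Print the hidden entries of DIR, one per line, without "." and "..".
# `ls -A` is the portable form of the write-up's `ls -a` minus those two.
list_dotfiles() {
  ls -A "$1" | grep '^\.'
}

# Constructed sample passwd content (not the CTF VM's real file).
demo_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ritsec:x:1000:1000:ritsec:/home/ritsec:/bin/bash
hackerman1337:x:1001:1001::/usr/hackerman1337:/bin/bash
hard:x:1002:1002::/home/hard:/bin/bash
EOF
}

demo() {
  tmp=$(mktemp -d)
  demo_passwd > "$tmp/passwd"
  echo "login-capable accounts:"
  list_login_accounts "$tmp/passwd"

  # A constructed home directory shaped like /usr/hackerman1337 on the VM.
  home="$tmp/hackerman1337"
  mkdir -p "$home"
  : > "$home/.bash_history"
  : > "$home/.bashrc"
  printf 'RS{EASY2_H0ME_D1R_4075b57884e22ff171216e49dee6e158e}\n' > "$home/.supersecret.txt"
  echo "hidden files in $home:"
  list_dotfiles "$home"
  rm -rf "$tmp"
}

demo
```

The awk filter on the seventh field is the part worth keeping: `who` only shows live sessions, while the passwd file shows every account that could log in, and the shell column is the quickest way to separate those from service accounts.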

Medium 1 — I wish I could find my flag… (format is flag.txt). (flag not in the form RS{})

The hint for Medium 1 is phrased similarly to that of Easy 2, in that the find or grep commands will most likely be used. The name of the file is flag.txt. Starting with the find command, use the syntax to search the root directory for flag.txt.

The find command. “/” indicates search the entire drive and “-name flag.txt” indicates that the file to be found is called flag.txt

Irrelevant results are omitted. The last line of the find results displays the path to the file.

The path to flag.txt

There are several important notes about this result that make changing to the flag directory more difficult:

  • The path is intentionally and unnecessarily long. To autocomplete instead of typing out the path manually, use the tab key (assuming there are no other folders in any of the sub-directories).
  • There is a space at the beginning of the path name. Spaces cannot be used as part of a path name without the escape character \ or without putting the entire path in quotes ("").
  • The path contains a similar name to that of a default Linux folder (/etc), which may cause some users to believe that the path to the file is in the /etc folder directly below the root directory, although it is actually in the /[space]/etc directory.

With that said, change into the directory and open the flag.txt file. There are several ways to do this, but the method below uses the escape character \ and tab autocomplete.

Results of the cd and cat commands

The instructions in the flag are to get the sha1sum of the file by running the command sha1sum flag.txt. The sha1sum tool calculates the SHA-1 hash of the file, creating a unique value associated with it.

Results of the “sha1sum flag.txt” command

Per the instructions, the hash of the file is the flag, 37110a8d5174f360f9378080dfac067cf79b4143.
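As an added example (not the write-up's own commands), the Medium 1 steps as a script: find a file by name below a root directory and hash it, on a path that contains a space like the challenge's /[space]/etc. The directory tree is built in a temporary directory and the content of flag.txt is made up, so the hash differs from the challenge's.

```shell
#!/bin/sh
# Added example (not from the write-up): find a file by name below a root
# directory and hash it, on a path that contains a space. The tree is built
# in a temporary directory to mirror the challenge's "/ /etc/..." layout;
# flag.txt's content is made up.

# find_and_hash ROOT NAME
# Print "<sha1>  <path>" for every regular file called NAME under ROOT.
# `-exec sha1sum {} +` hands find's results to sha1sum as whole arguments,
# so a space inside a path never splits it into two.
find_and_hash() {
  find "$1" -type f -name "$2" -exec sha1sum {} +
}

# count_args ARG... : how many arguments the shell actually passed.
# Used to show why `cd / /etc` fails: unquoted, the path becomes two words.
count_args() {
  echo $#
}

# build_tree : create ROOT/ /etc/deep/er/path/flag.txt and print ROOT.
build_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/ /etc/deep/er/path"   # a directory literally named " "
  mkdir -p "$root/etc"                  # the look-alike the hint plays on
  printf 'hello\n' > "$root/ /etc/deep/er/path/flag.txt"
  printf '%s' "$root"
}

demo() {
  root=$(build_tree)
  find_and_hash "$root" flag.txt
  p="$root/ /etc"
  echo "unquoted \$p is $(count_args $p) arguments, quoted \"\$p\" is $(count_args "$p")"
  # Quoting (or the write-up's backslash escape) keeps the path intact for cd.
  ( cd "$p/deep/er/path" && cat flag.txt )
  rm -rf "$root"
}

demo
```

The two paths in the tree, `/ /etc` and `/etc`, are what make this challenge tricky: `find` prints both correctly, but only one of them survives an unquoted `cd`.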

Medium 2 — Login as the hard user! Some lazy sysadmin forgot to clear his history… (flag in the form RS{})

The hint references “clear his history”, which most likely means the history of commands run in bash, which is kept in the file .bash_history for each user. This file is hidden by default and is located in the user’s home directory. Open the file.

Results of the “cat ~/.bash_history” command

The ~ references the current user’s home directory. There are several important notes about the contents of this file:

  • xxd is a Linux hexdump utility, which converts the contents of a file into hex. This obfuscates the file and makes it illegible to a human. The file hardpassword.txt has been converted to a hexdump.
  • The hexdump was then piped (the | character, which takes the output of one command and uses it as the input of the next) to tee, a tool that reads standard input and writes it both to standard output and to any files named as arguments.
  • Tee put the hexdump in two different files, /tmp/1 and /tmp/2.

To obtain the flag (which will most likely also be the password to the user hard on this machine), the contents of /tmp/1 and /tmp/2 will need to be unified and converted from hex to UTF-8, a human-readable character encoding. Change to the /tmp directory and view the contents of the 1 and 2 files.

Results of the cd and cat commands

The contents of 2 appear to be empty, so proceed with 1. To reverse the command xxd -p, use xxd -r -p <filename>, with the -r flag standing for reverse. It is optional, although convenient for the next step, to write the output to a file as well using tee (in this case the new file /tmp/flag.txt).

Results of the xxd command

The content of the file flag.txt is now somewhat more legible, but the backslashes, spaces, and exclamation points can be removed using the tool sed (stream editor) to make the flag clear. Simply, sed takes the notation 's/<character to replace>/<character to replace with>/g' <file>, where s means “substitute”, indicating that the user wants to replace text, and g means “globally”, so that sed will replace in the whole file and not only the first line of the file. To use multiple replacements at once, separate each sed command with a semicolon as done below. Note that the escape character \ was itself one of the characters in the file, so it had to be escaped in order to use it as the <character to replace>, hence the \\, and that the desired output was to remove the characters (in other words, replace them with nothing), so the <character to replace with> field is left blank.

Results of the sed command

The flag is RS{oopshunter2_th4ts_th3_p4ssw0rd}. The password to the hard account is therefore oopshunter2.
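As an added example (not the sysadmin's or the write-up's actual commands), the whole Medium 2 chain in one script: the hexdump piped through tee into two files, then the reverse hexdump and the sed clean-up. xxd ships with vim and is not installed everywhere, so the hex encoding and decoding here use od and printf, which are POSIX and behave like xxd -p and xxd -r -p for this purpose; the obfuscated password text is constructed to match the challenge's flag, not taken from the VM.

```shell
#!/bin/sh
# Added example (not from the write-up): reproduce the sysadmin's pipeline
# (hexdump | tee two files) and the recovery steps (reverse the hexdump, then
# strip the filler characters with sed). od and printf stand in for xxd,
# which is not always installed. The obfuscated text below is constructed.

# hex_encode < input : contiguous lowercase hex, like `xxd -p | tr -d '\n'`
hex_encode() {
  od -An -v -tx1 | tr -d ' \n'
}

# hex_decode HEX : reverse of hex_encode (what `xxd -r -p` does)
hex_decode() {
  hex=$(printf '%s' "$1" | tr -d ' \n')
  if [ $(( ${#hex} % 2 )) -ne 0 ]; then
    echo "hex_decode: odd-length input" >&2
    return 1
  fi
  while [ -n "$hex" ]; do
    pair=${hex%"${hex#??}"}                      # first two characters
    hex=${hex#??}
    printf "\\$(printf '%03o' "$((0x$pair))")"   # octal escape -> raw byte
  done
}

# strip_filler < input : remove backslashes, spaces and exclamation points,
# i.e. the write-up's  sed 's/\\//g; s/ //g; s/!//g'
strip_filler() {
  sed 's/\\//g; s/ //g; s/!//g'
}

# Constructed stand-in for hardpassword.txt: the flag with filler inserted.
obfuscated_password() {
  printf 'R\\S{o o!ps\\hun ter2_th4!ts_th3\\_p4ss w0rd}\n'
}

# recover_flag : run the sysadmin's command, then undo it from /tmp/1.
recover_flag() {
  tmp=$(mktemp -d)
  # The .bash_history line, with od standing in for `xxd -p`:
  obfuscated_password | hex_encode | tee "$tmp/1" "$tmp/2" >/dev/null
  # Recovery: reverse the hexdump, then clean it up.
  hex_decode "$(cat "$tmp/1")" | strip_filler
  rm -rf "$tmp"
}

recover_flag
```

The decode loop is the only non-obvious part: each hex pair is converted to a number with `$((0x..))`, printed as three octal digits, and fed back to printf as a `\ooo` escape, which is the portable way to emit an arbitrary byte from a POSIX shell.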

Hard 1 — What’s in hard.txt? (flag not in the form RS{})

The hint is intentionally vague and provides little to no direction for obtaining the flag. Log in to the hard account using the password found in Medium 2. Attempt to open the file hard.txt in the user’s home directory.

Results of the “cat hard.txt” command

Check the permissions of the file using ls -l, which lists the details of all files in the current directory.

Results of the “ls -l” command

The owner of the hard.txt file, despite it being located in the hard user’s home directory, is root. root has permission to read the file. Attempt to act as the root user by using the sudo (“super user do”) command.

Results of the “sudo cat hard.txt” command

The hard user does not have root access. There are several options that may work to obtain access to the file, including changing file permissions, group membership, or the owner of the file. However, for brevity, the action that was successful was to add the hard user to the sudoers file (/etc/sudoers) to allow the hard user to act as the root user and access the file.

Run the command sudo -l to see what the hard user is allowed to run.

Results of the “sudo -l” command

The hard user is allowed to run visudo, which means the user is able to edit the sudoers file. Open the sudoers file with visudo.

The heading of the sudoers file after running the “sudo visudo” command

The sudoers file opens in the vim editor. The relevant section has the heading ## Allow root to run any commands anywhere. Edit the file to allow the hard user to also run any commands anywhere.

The sudoers file edited to allow hard to run any commands anywhere

Exit the vim editor and attempt to access the file hard.txt as root again.
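The reason this works is a configuration mistake, not a vim trick: a sudo rule that lets a user run visudo is equivalent to giving that user ALL, because the user can grant themselves anything. As an added example (not from the write-up), the script below audits a sudoers-format file for such grants and shows the same file with the grant narrowed to the one command the hard user actually needs. The sudoers lines are constructed; the VM's real file is not reproduced, and the exact rule that produced the `sudo -l` result on the page is an assumption.

```shell
#!/bin/sh
# Added example (not from the write-up): audit a sudoers file for grants that
# amount to full root. The sudoers text is constructed.

# audit_sudoers FILE
# Print "who: commands" for every user/group spec (not root, not Defaults or
# alias lines) whose command list contains ALL, visudo, or an editor/pager.
audit_sudoers() {
  awk '
    /^[ \t]*(#|$)/ { next }                                       # comments, blanks
    /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    $1 == "root" { next }
    {
      cmds = $0
      sub(/^[^=]*=/, "", cmds)                       # drop the "who HOST=" part
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", cmds)        # drop the "(runas)" part
      sub(/^(NOPASSWD|PASSWD|SETENV):[ \t]*/, "", cmds)
      if (cmds ~ /(^|,)[ \t]*ALL[ \t]*(,|$)/ ||
          cmds ~ /visudo/ ||
          cmds ~ /\/(vim?|nano|less|more)([ \t]|$)/)
        print $1 ": " cmds
    }
  ' "$1"
}

# Constructed sudoers: the weak grant behind the challenge, a group grant, and
# a tightly scoped grant that the audit should leave alone.
weak_sudoers() {
  cat <<'EOF'
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
hard    ALL=(ALL)       /usr/sbin/visudo
deploy  ALL=(root)      NOPASSWD: /usr/bin/systemctl restart nginx
EOF
}

# The same file with the editor grant removed: hard gets exactly one
# read-only command, the least-privilege form of "let hard read hard.txt".
fixed_sudoers() {
  cat <<'EOF'
root    ALL=(ALL)       ALL
hard    ALL=(root)      /usr/bin/cat /home/hard/hard.txt
deploy  ALL=(root)      NOPASSWD: /usr/bin/systemctl restart nginx
EOF
}

demo() {
  tmp=$(mktemp -d)
  weak_sudoers  > "$tmp/weak"
  fixed_sudoers > "$tmp/fixed"
  echo "== weak =="
  audit_sudoers "$tmp/weak"
  echo "== fixed =="
  audit_sudoers "$tmp/fixed"
  rm -rf "$tmp"
}

demo
```

The audit treats any editor or pager in a command list the same way as visudo: once a user can open arbitrary files as root, the remaining rules no longer constrain them, which is why the fixed file names a single non-interactive command instead.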

Results of the “sudo cat hard.txt” command

This file looks interesting. There isn’t a message like in Medium 1 instructing the user to take the hash of the file. It has the extension .txt but is actually a binary file, and it repeats hard.file twice. If the hint “What’s in hard.txt?” is taken literally, as in “What is inside hard.txt?”, then the file needs to be unzipped. Unzip the file.

Results of the “sudo unzip hard.txt” command

View the contents of hard.file.

Results of the “sudo cat hard.file” command

Take the sha1sum of hard.file to get the flag.

Results of the “sudo sha1sum hard.file” command

The flag is 44f114de4d36798725ed548b9adfb397ea7c020d.

In Conclusion

If you don’t know how to use a Linux terminal or struggled with the commands, the best way to learn is simply to use it more often. There are many great tutorials online that will also walk you through Bash.

There will be 14 more weeks of challenges coming from the new RITSEC club this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–2 PM in GOL-2410 for the CTF and 2–4 PM in SLA-2150 for research and presentations. Until next week!

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
