-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
22 changed files
with
146 additions
and
0 deletions.
There are no files selected for viewing
Binary file added
BIN
+43.2 KB
2020/cyberWizardsCTF/mastardetsChallenge/images/Finding What to do.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
|
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+20.7 KB
2020/cyberWizardsCTF/mastardetsChallenge/images/history_not_working.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # Mastardet Basic Binary and Linux | ||
|
|
||
| ## Description | ||
|
|
||
| > Find the flag in the binary. | ||
| * **Category:** Basic Binary and Linux | ||
| * **Creator:** [mastardet](https://www.youtube.com/channel/UC66idcoWzeZ_AsTnYr3L37g/featured) | ||
| * **Challenge File:** [mastardet_challenge.tar.gz](https://github.com/WhiteDragon251/cyber_wizards_CTF/raw/master/mastardet_challenge.tar.gz) | ||
|
|
||
| Make sure you try the challenge once on your own beofre reading the [**writeup**](https://whitedragon251.github.io/cyber_wizards_CTF/writeup). You can also find **Hints** below. | ||
|
|
||
| ## Hints | ||
|
|
||
| * **HINT 1:** try searching strings with the hostname of the machine, in the binary | ||
| * **HINT 2:** flag.txt has the flag in it. Don't worry if you see it's 0 bytes | ||
| * **HINT 3:** you could ask the server for `help` | ||
| * **HINT 4:** We are nothing without **history** | ||
| * **HINT 5:** And linux is nothing without environment variables | ||
|
|
||
| ## More about the creator of the challenge | ||
|
|
||
| This challenge was created by **mastardet** who is a great friend and even mentor to me. He is great person with around 15 years of experience in the field and currently, works as an **ethical hacker** and a **software developer**. He has helped me learn a lot of stuff in the field of penetration testing. Make sure you guys check out his [youtube channel](https://www.youtube.com/channel/UC66idcoWzeZ_AsTnYr3L37g/featured), definitely you will learn lot of good and useful stuff from his videos! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| # Mastardet Basic Binary and Linux | ||
|
|
||
| This was one of the best challenges I have ever solved and this was created by **mastardet (he is great guy and an elite hacker)**. | ||
|
|
||
| If you guys wanna learn more from him, then make sure you check out his [**YouTube channel**](https://www.youtube.com/channel/UC66idcoWzeZ_AsTnYr3L37g/featured) right away, you will surely gather lot of good stuff from there! Alright, let's move towards the challenge then... | ||
|
|
||
| ## Walkthrough | ||
|
|
||
| #### Finding the password | ||
|
|
||
| The challenge begins with a binary, that's all we are given. So the first step is obviously to figure out what the binary does. | ||
|
|
||
| ``` | ||
| ./challenge_linux | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| We are given a prompt saying `root@cyberwizards password:`. Well, looks like a machine and we definitely need a password to get in. | ||
|
|
||
|  | ||
|
|
||
| Once you quit the program, you will notice see an **ip address** come up. I had asked **mastardet (the challenge creator)** about this and he did say me that you don't have to do anything with the ip. So that ip is nothing to be worried and if you even try to `ping` the ip, you will notice you can't do that, so we can't find anything exploitable using this ip address. | ||
|
|
||
| So, moving ahead, I tried sending **payloads** thinking I could overflow it, but that didn't work! Ok, so let's try some other stuff out.<br> | ||
| Let's try reversing the binay and see what we get. | ||
|
|
||
| ``` | ||
| r2 -d ./challenge_linux | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| Ok, so this is insane, when we try to print the functions, there are more than 1000 functions and there is no main function. If you all wanna go ahead and try to reverse it then please carry on, but I really don't think you will get any success. And well, when you try going through the binary in `vim` you will see that it is written in `go` which must be why its hard to reverse it. Or you can simply use the file command to see that its written in `go`. | ||
|
|
||
| Alright then, let's try out the simpler stuff. Let's just use `strings` and `grep` to get useful information. | ||
|
|
||
| ``` | ||
| strings ./challenge_linux | grep -i --color flag | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| This looks interesting, but doesn't seem we can use it at the moment to our advangtage in anyway. So let's move on. | ||
|
|
||
| ``` | ||
| strings ./challenge_linux | grep -i --color root | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| Can't see anything useful in this one. | ||
|
|
||
| ``` | ||
| strings ./challenge_linux | grep -i --color cyberwizards | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| Alright, so this one took me a while (actually it took me hours to figure out, haha...) but when you look at it closely you can see it!! This must be the password we were looking for. Let's see if it works... | ||
|
|
||
|  | ||
|
|
||
| Ok great!! The password we found is correct. | ||
|
|
||
| #### Reading the flag in the restricted shell environment | ||
|
|
||
| And now we are given a shell and when we run `ls -la`, we can see that the `flag.txt` is right there. | ||
|
|
||
|  | ||
|
|
||
| Alright, let's grab it using `cat`. | ||
|
|
||
|  | ||
|
|
||
| So here comes the twist in the story! I am sure you must have noticed by now that commands like `cat`, `less`, `more`, etc. are not even there. In fact, you can't run most of the commands. Now, some of you might try to `reboot` or `shutdown` and will get this- | ||
|
|
||
|  | ||
|
|
||
| Sorry mates, but that is not the flag. We need to dig more to find it. | ||
|
|
||
| Now, when you will run the `help` command, you will see all the commands available to you. So we have `ls`, `pwd`, `export`, `exit`, `whoami`, `history`, `logout` and `clear`. Among all these, all that seems useful is the `export` command. | ||
|
|
||
|  | ||
|
|
||
| So I tried running the `export` command and even tried to modify the values of the environment variables such as `$PATH` and `$SHELL` but all that ended up giving me an error. | ||
|
|
||
|  | ||
|
|
||
| There is another command that's behaving strange. Once you have tried running all the commands from the help menu, you will notice something stragne with the `history` command. It should ideally print all the commands we have entered till now but it just prints the same stuff again and again. | ||
|
|
||
|  | ||
|
|
||
| So, when you took a look at the **HINT 4** and **HINT 5** given [here](https://whitedragon251.github.io/cyber_wizards_CTF/), you will immediately understand that you need to work on the `history` and the `export` command. So let's get started. | ||
|
|
||
| And obviously, in these situations Google is our best friend!! So I did a lot of googling and then I came across this | ||
|
|
||
|  | ||
|
|
||
| So, `HISTFILE` is an **environment variable** that specifies the file for `history` command to read from. This looks interesting... So what happens when we set the `HISTFILE` to `/root/flag.txt` :) | ||
|
|
||
|  | ||
|
|
||
| Alright, great, the command worked!! But still, if we run `history`, that prints the same old stuff. | ||
|
|
||
|  | ||
|
|
||
| So, I looked up a little more on Google and I finally found this on StackOverflow | ||
|
|
||
| [StackOverflow: history command does not show all lines in HISTFILE](https://unix.stackexchange.com/questions/549450/history-command-does-not-show-all-lines-in-histfile) | ||
|
|
||
| Ok, so now we know that we need to refresh the history using the `history -r`. Alright, so let's grab that flag hackers!! | ||
|
|
||
|  | ||
|
|
||
| Voila!! We have the flag!! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters