As the description suggests, the flag.zip file is password protected. Download the zip file.
To brute-force the password-protected zip file, use the fcrackzip tool. fcrackzip is a free and open source password brute-forcing tool for zip files.
fcrackzip tool command:- fcrackzip -D -v -u -p /usr/share/wordlists/rockyou.txt flag.zip
Wait 2-5 minutes for the password to be cracked. (Note:- how long fcrackzip takes depends on your system.)
So after some time the fcrackzip tool found the password in the rockyou.txt wordlist. With the password, let’s unzip the flag.zip file. You can see that the zip file extracted a flag.txt file. Just cat the file and enjoy your flag.
From the description, we need to log in via ssh in order to find the flag. So let’s log in to 0.cloud.chals.io on port 19777 via ssh by entering the command ssh [email protected] -p 19777
Hit enter and you will be prompted for the password. Enter the given password jctf2022!. And boom, you are in the server.
Now run some common commands like whoami and id to see that you are logged in as ubuntu.
After that, if you run sudo -l, cat /etc/crontab and so on, you will find nothing. For your information, I couldn’t root the machine, but I successfully read the flag, which is in the root directory. You can look for SUID files that allow privilege escalation or are otherwise interesting.
To find the suid bit set files just type the command:- find / -type f -perm -4000 2>/dev/null
1. “/” starts the search from the root directory.
2. -perm matches files by their permission bits.
3. -4000 (equivalently -u=s) selects files that have the SUID bit set.
4. -type f restricts the results to regular files.
5. 2>/dev/null redirects any error messages to /dev/null, so the output stays free of errors.
I didn’t find any SUID file which gives me the power to gain a root shell. But I found a SUID file, /usr/bin/date, which gives me the power to read any file on the system. Hold on, how do I know I’ll be able to read any file? Simple: by using the very useful website called GTFOBins. Just search for the name date and you will find the command. Use those commands to read any of the system files.
So let’s try to read /etc/shadow, a file which belongs to the root user.
No interesting data found in the /etc/shadow file. At this point I totally guessed the flag file. So my guess was the flag file should be in the root directory.
My command was:-
2. date -f $LFILE
And luckily we got the flag. But I couldn’t escalate my privilege to root. Sorry for that.
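From the defender's side, the misconfiguration in this challenge is a SUID bit on a binary that should never carry one (/usr/bin/date). The following is an added example, not part of the original write-up: it reuses the same find expression and compares the result against an allowlist. The allowlist contents and the function names list_suid, unexpected_suid and audit_suid are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit SUID files against an allowlist (defender's check).

# Constructed allowlist (assumption): binaries expected to be SUID on this host.
# Build the real list from a known-good install of your distribution.
SUID_ALLOWLIST="/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd"

# list_suid ROOT: print every regular file under ROOT that has the SUID bit set
# (same find expression as in the write-up, sorted for stable output).
list_suid() {
    find "${1:-/}" -type f -perm -4000 2>/dev/null | sort
}

# unexpected_suid: read paths on stdin, print the ones missing from the allowlist.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$SUID_ALLOWLIST" | grep -Fxq -- "$path" || printf '%s\n' "$path"
    done
}

# audit_suid ROOT: report unexpected SUID files; return 1 if any were found.
audit_suid() {
    findings=$(list_suid "${1:-/}" | unexpected_suid)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | while IFS= read -r f; do
        printf 'UNEXPECTED SUID: %s (review, then: chmod u-s %s)\n' "$f" "$f"
    done
    return 1
}
```

Calling audit_suid / on a host configured like the challenge server would report /usr/bin/date, since it is not in the allowlist.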