Nov 24, 2014 • Pegasus

Exploit 1

Description 3016

usr: ctf, pass: canyoudoit

flag in /home/flag/flag.txt


Once logged in, we find nothing interesting in the .bash_history file, although it’s good to see they’ve tried checking for vulnerabilities such as the ShellShock attack.

Likewise, we see that the permissions on /home/flag do not allow us to read, write or execute anything in the directory. All attempts at directly reading the /home/flag/flag.txt file gave us access denied.

Looking in /bin and /sbin yields nothing, but if we run ls -al /usr/bin, there’s a file called ... which is owned by flag and belongs to the group ctf. It has the s (setuid) permission bit set, and when executed, it gives us a Python shell running as flag.

Here, it’s simple. We write a bit of Python in the interpreter that opens /home/flag/flag.txt and prints it. The script is below:

  # Open the flag file and print its contents (not the file object)
  f = open('/home/flag/flag.txt', 'r')
  print(f.read())

This prints out the flag.
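From the defender's side, the set-ID file described above is what a routine permission audit should surface. The following is an added example, not part of the original write-up: it walks a directory and reports regular files with the setuid or setgid bit, noting hidden names such as ... and non-root owners. The function names and the reason labels are assumptions of this example.

```python
import os
import stat


def classify(name, mode, uid):
    """Return the reasons a file deserves review; an empty list means none."""
    # Only regular files carrying a set-ID bit are of interest here.
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return []
    reasons = []
    if mode & stat.S_ISUID:
        reasons.append("setuid")
    if mode & stat.S_ISGID:
        reasons.append("setgid")
    if name.startswith("."):
        # Dot-prefixed names (including "...") are hidden from a plain ls.
        reasons.append("hidden-name")
    if uid != 0:
        # The program runs with the identity of an ordinary account.
        reasons.append("non-root-owner")
    return reasons


def audit(root):
    """Walk root without following symlinks; return sorted (path, reasons)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or cannot be inspected
            reasons = classify(name, st.st_mode, st.st_uid)
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)


if __name__ == "__main__":
    # /usr/bin is where the write-up found the file; audit other paths as needed.
    for path, reasons in audit("/usr/bin"):
        print(path, ",".join(reasons))
```

Entries reported with both hidden-name and non-root-owner are the ones to review first, then either remove the set-ID bit or remove the file.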