Cannot remove file in Linux (file attributes) (CTF challenge write-up)

PiktaTOS
Mar 13, 2024

Introduction

In the past few days, I’ve been participating in AlphaCTF 3, a Capture The Flag (CTF) event organized by AlphabitClub. Within the misc category, I came across a challenge named “gift”.

The challenge says:

Challenge statement

The challenge statement says that something strange is stopping you from getting a gift, which might be the flag.

Listing the files in the current directory gives:

There is a file called D in the directory. Looking at its content, you will find a story, a song or a speech in the “Mzab” language.

This is a part of the content :

7ayto
Bata lan errbi ?, anighash tebhid te7loud
bata kid tadjid dani ?, ha ro7 at7eled el Challenge nel CTF.
Seya amse7 el fichier-yo, fenjal achnouch el flag, aywa bata tenid ? fiha wella mafihach ?
Ahhhhh khesachd Traduction!!
anighach:
yellah! reba achyouch lhna, reba adi3awen.
tizdal 9lanet m3a el chlata aywa. segem imanch.
yakhi 7ala
Seya am7ayto
Bata lan errbi ?, anighash tebhid te7loud
bata kid tadjid dani ?, ha ro7 at7eled el Challenge nel CTF.
Seya amse7 el fichier-yo, fenjal achnouch el flag, aywa bata tenid ? fiha wella mafihach ?
Ahhhhh khesachd Traduction!!
....

You will notice that parts of the file content are repeated. To avoid reading the same parts many times, we can use the sort command together with the uniq command to get only one instance of each repeated line:

sort D | uniq 

We start with the sort command because it arranges the lines of the file in order, so any duplicate lines end up next to each other. Then we use the uniq command to display only one instance of each repeated line. This works because uniq only collapses repeated lines when they are consecutive. That is why sorting is necessary: it ensures identical lines are adjacent before uniq sees them.

The result looks like this:

7ayto
7ayto7ayto
Ahhhhh khes7ayto
Ahhhhh khesachd Traduction!!
Bata lan errbi ?, anighash tebhid te7loud
Seya am7ayto
Seya amse7 el fichier-yo, fenjal achnouch el flag, aywa bata tenid ? fiha wella mafihach ?
Seya amse77ayto
anighach:
anighach:7ayto
bata kid tadjid dani ?, ha ro7 at7eled el Challenge nel CTF.
tizdal 9lanet m3a el chlata aywa. segem imanch.
tizdal7ayto
try to delete this file in order to get the gift
yakhi 7ala
yakhi 7ala 9lanet m3a el chlata aywa. segem imanch.
yakhi 7ala el fichier-yo, fenjal achnouch el flag, aywa bata tenid ? fiha wella mafihach ?
yakhi 7ala7a77ayto
yakhi 7ala7ayto
yakhi 7alaachd Traduction!!
yakhi 7alaayto
yakhi 7alase7 el fichier-yo, fenjal achnouch el flag, aywa bata tenid ? fiha wella mafihach ?
yakhi 7alayto
yellah! reba achyouch lhna, reba adi3awen.

If you look at line number 14, you will find the sentence: “try to delete this file in order to get the gift”.

Let’s try to delete the file. Before that, notice that our shell does not show any errors from our commands, so to make the steps easier to follow we can use Python’s pty module to spawn an instance of /bin/bash attached to a pseudo-terminal:

python3 -c "import pty; pty.spawn('/bin/bash')"

After that, let’s try to remove the file:

So here we have a permission problem, so let’s check the permissions:

This is weird! The owner of the file is the logged-in user, and the owner has all the permissions, as do the group and others.

So I tried to find out what makes a file non-removable even by its owner or by root, and I found that there is something called the immutability attribute.

But before that, let’s see what file attributes are:

File attributes are properties or characteristics associated with a file on a computer system. These attributes provide additional information about the file and govern how the operating system and applications interact with it. File attributes are typically stored as part of the file’s metadata, which includes information such as file size, creation date, modification date, and permissions.

Common file attributes include:

  1. Read-only: This attribute prevents the file from being modified. Users can view the contents of the file but cannot make changes to it unless the attribute is removed.
  2. Hidden: When a file is marked as hidden, it is not displayed by default in file browsers or directory listings. This attribute is often used for system files or configuration files that users typically do not need to interact with directly.
  3. System: System files are marked with this attribute to indicate that they are essential for the operating system’s functioning. Like hidden files, system files may be hidden from normal file listings to prevent accidental modification or deletion.
  4. Archive: The archive attribute is often used in backup operations. When a file is modified, the archive attribute is set to indicate that the file has changed since the last backup. Backup software can use this attribute to identify which files need to be backed up.
  5. Executable: This attribute marks a file as executable, meaning it can be run as a program or script. In Unix-like operating systems, this attribute is often set using file permissions rather than a separate attribute.
  6. Immutable: When a file is marked as immutable, it cannot be modified, deleted, or renamed, even by the root user. This attribute is commonly used for critical system files to prevent accidental changes.

These attributes, along with other metadata such as file ownership and permissions, are stored in the file system’s inode (index node) or other data structures. They provide the operating system and file management utilities with essential information about the file’s properties and how it should be handled.

So to list the attributes, we can use the lsattr command with our file as its argument:

Let’s break down the result:

  • — — : These dashes represent the standard UNIX file permission bits (read, write, execute) for the file owner, group, and others. In this case, there are no special permissions set for the owner, group, or others.
  • i : This flag indicates that the immutable attribute is set. Files with the immutable attribute cannot be modified, deleted, or renamed, even by the root user.
  • e : This flag represents an extended attribute. Extended attributes are additional metadata associated with the file that can provide more information or control over its behavior.
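To check a whole directory listing for files that rm will refuse to delete, the lsattr output can be filtered on the flag letters. The function below is an added example, not part of the original write-up or the challenge; it goes slightly beyond the challenge by also reporting the append-only `a` flag, which likewise blocks deletion. The function names are hypothetical, the sample listing is constructed, and the input is assumed to be in the `<flags> <path>` form that lsattr prints.

```shell
#!/bin/sh
# Added example: report files whose attribute flags block deletion.
# Input: lsattr-style lines "<flags> <path>" on stdin (assumed format).

# Prints "<reason><TAB><path>" for each file with the i or a flag set.
undeletable_files() {
    while IFS= read -r line; do
        flags=${line%% *}   # first field: attribute letters and dashes
        path=${line#* }     # remainder: the path, which may contain spaces
        # A line without a space is not a "<flags> <path>" record.
        if [ "$flags" = "$line" ]; then continue; fi
        # Skip diagnostics such as "lsattr: Operation not supported ...".
        case $flags in
            *[!A-Za-z-]*) continue ;;
        esac
        case $flags in
            *i*) printf 'immutable\t%s\n' "$path" ;;
            *a*) printf 'append-only\t%s\n' "$path" ;;
        esac
    done
    return 0
}

# Constructed sample listing (not output captured from the challenge host).
sample_listing() {
    cat <<'EOF'
----i---------e------- ./D
--------------e------- ./notes.txt
-----a--------e------- ./audit log.txt
lsattr: Operation not supported While reading flags on ./proc_link
EOF
}

# Demo on the constructed sample; on a real system: lsattr -a . | undeletable_files
sample_listing | undeletable_files
```
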

So there must be a script running in the background that checks whether the D file still exists in the directory. Let’s check the cron.d directory:

Let’s read the file corresponding to our tmp directory :

* * * * * /var/tmp/check_deleted.sh /tmp/tmp.LTZf8iJ4T1

So, this job is scheduled to run every minute, of every hour, of every day, of every month, and every day of the week.

The check_deleted.sh script contains:

#!/bin/sh
if [ ! -f $1/D ]; then
cat /root/flag.txt > $1/gift.txt
fi

It checks whether the D file still exists. If it does not, the script reads the content of the flag.txt file in root’s home directory and redirects it to the gift.txt file in the corresponding user’s tmp directory.

Let’s remove the immutability attribute using the chattr command:

chattr -i D

Let’s check again the D file attributes:

So we’ve successfully removed the immutability attribute.

For the next step, let’s remove the file and list the directory content:

You will find that there is a file called gift.txt that will contain the flag:

AlphaCTF{you_W3Re_no7_aWAr3_ThA7_7HEr3_4rE_477ribu7$}

Conclusion:

I hope my explanation was helpful and easy to follow, allowing you to grasp the concepts and techniques used in this challenge effectively.
