
RITSEC Fall 2018 CTF — Week 0
The fall semester at RIT kicked off with a new club — RITSEC! SPARSA and RC3 are now officially merged under the new name. Although the official presentation and challenge write-ups for the semester CTF will be posted on ritsec.club for those interested, I will still be posting more detailed write-ups here each week for the challenges I am able to solve. I do this because as a freshman, when I read the challenge write-ups they often went step-by-step but never elaborated on why a certain command was run or the strategy the user followed when solving the challenges. This is my effort to elaborate on the reasoning behind the process.
Once again, I’ll strive to be consistently posting each Saturday but between a full course load, RITSEC, other clubs, and a networking project, we will see how things go. Let me know of any errors. Enjoy! =D
Topic
Week 0’s topic is “Intro to Linux”. Points are earned this week by demonstrating capability in Bash through a customized CentOS virtual machine provided by the club. The login is “ritsec”/“password”.
Easy 1 — What users are here? (flag in the form RS{})
The hint for Easy 1 could have two different meanings: “Who is currently logged in?” or “Who has an account on this machine?”. To determine users currently logged in to a Linux system, the who command is used.

However, this unfortunately leads nowhere because the only two users are my current session (ritsec) and the tty1 account, which is used to switch between a GUI and text-only input. To try the second option and determine the users present on this machine, open the file /etc/passwd. This file contains all of the human users and processes that have an account on the system.

The flag can be seen in the last line of the file, RS{EASY1_ETC_PA55WD_21f63c6e971cd913a9c147e8652ca659}.
Easy 2 — hackerman1337 is hiding the flag in his home directory! How do I find it? (flag in the form RS{})
The hint for Easy 2 suggests that the flag is hidden in the home directory of another user on the machine, hackerman1337. Change the directory to /home/hackerman1337.

There is no folder for hackerman1337 in the home directory. What about in the usr directory?

The folder is present, but there are no visible files in it. To view all files (including hidden files), run the ls -a command.

Here we see the hidden files, meaning that a . is prepended to the filename. Most of the results appear to belong in this folder. There are the current directory (.) and parent directory (..) entries and several files related to the bash shell. However, .supersecret.txt appears to be the flag. View the contents of the file.

The flag is in the file, RS{EASY2_H0ME_D1R_4075b57884e22ff171216e49dee6e158e}.
Medium 1 — I wish I could find my flag… (format is flag.txt). (flag not in the form RS{})
The hint for Medium 1 is phrased similarly to that of Easy 2, in that the find or grep commands will most likely be used. The name of the file is flag.txt. Starting with the find command, use the syntax to search the root directory for flag.txt.

Irrelevant results are omitted. The last line of the find results displays the path to the file.
There are several important notes about this result that make changing to the flag directory more difficult:
- The path is intentionally and unnecessarily long. To autocomplete instead of typing out the path manually, use the tab key (assuming there are no other folders in any of the sub-directories).
- There is a space in the beginning of the path name. Spaces cannot be used as part of a path name without the escape character \ or without putting the entire path in quotes ("").
- The path contains a similar name to that of a default Linux folder (/etc), which may cause some users to believe that the path to the file is in the /etc folder directly below the root directory, although it is actually in the /[space]/etc directory.
With that said, change into the directory and open the flag.txt file. There are several ways to do this, but the method below uses the escape character \ and tab autocomplete.

The instructions in the flag are to get the sha1sum of the file by running the command sha1sum flag.txt. The sha1sum tool calculates the SHA-1 hash of the file, creating a unique value associated with it.

Per the instructions, the hash of the file is the flag, 37110a8d5174f360f9378080dfac067cf79b4143.
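The leading-space pitfall from the notes above, reproduced on a throwaway tree. This is an added example, not a command from the original challenge; the directory names and file contents are constructed, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original write-up. The tree and file contents
# are constructed; only the " /etc/..." shape mirrors the challenge.

# Build a throwaway tree whose first directory is named with a single space.
make_demo_tree() (
  root=$(mktemp -d) || exit 1
  mkdir -p "$root/ /etc/not/the/real/etc" "$root/etc"
  printf 'constructed sample contents\n' > "$root/ /etc/not/the/real/etc/flag.txt"
  printf '%s\n' "$root"
)

# Search a tree for flag.txt; stderr is dropped to hide permission errors.
locate_flag() (
  find "$1" -type f -name flag.txt 2>/dev/null | head -n 1
)

# Number of words the shell sees when the path is expanded WITHOUT quotes.
unquoted_words() (
  set -- $1          # deliberately unquoted: word splitting happens here
  echo "$#"
)

# Last word of the unquoted expansion, i.e. what a command would be handed.
unquoted_tail() (
  set -- $1
  for w in "$@"; do last=$w; done
  printf '%s\n' "$last"
)

# Quoted throughout, the leading-space directory resolves correctly.
hash_flag() (
  dir=$(dirname "$(locate_flag "$1")") || exit 1
  cd "$dir" && sha1sum flag.txt | cut -d' ' -f1
)

root=$(make_demo_tree)
path=$(locate_flag "$root")
rel=${path#"$root"}
echo "found:          $rel"
echo "unquoted words: $(unquoted_words "$rel") (last: $(unquoted_tail "$rel"))"
echo "sha1:           $(hash_flag "$root")"
rm -rf "$root"
```

Unquoted, the path splits into two words and the second one looks exactly like a path under the real /etc, which is the confusion the challenge relies on.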
Medium 2 — Login as the hard user! Some lazy sysadmin forgot to clear his history… (flag in the form RS{})
The hint references “clear his history”, which most likely means the history of commands run in bash, which is kept in the file .bash_history for each user. This file is hidden by default and is located in the user’s home directory. Open the file.

The ~ references the current user’s home directory. There are several important notes about the contents of this file:
- xxd is a Linux hexdump utility, which converts the contents of a file into hex. This obfuscates the file and makes it illegible to a human. The file hardpassword.txt has been converted to a hexdump.
- The hexdump was then piped (the | character, indicating to take the results from one command and effectively use them as input for the next command) to tee (a tool that reads standard input and writes it to standard output).
- Tee put the hexdump in two different files, /tmp/1 and /tmp/2.
To obtain the flag (which will most likely also be the password to the user hard on this machine), the contents of /tmp/1 and /tmp/2 will need to be unified and converted from hex to UTF-8, a human-readable character encoding. Change to the /tmp directory and view the contents of the 1 and 2 files.

The contents of 2 appear to be empty, so proceed with 1. To reverse the command xxd -p, use xxd -r -p <filename>, with the -r flag standing for reverse. It is optional, although convenient for the next step, to pipe the output to a file using tee (in this case the new file /tmp/flag.txt).

The content of the file flag.txt is now somewhat more legible, but the backslashes, spaces, and exclamation points can be removed using the tool sed (stream editor) to make the flag clear. Simply, sed takes the notation 's/<character to replace>/<character to replace with>/g' <file>, where s means “substitute”, indicating that the user wants to replace text, and g means “globally”, so that sed will replace in the whole file and not only the first line of the file. To use multiple replacements at once, separate each sed command with a semicolon as done below. Note that the escape character \ was used in the file, so it was necessary to escape in order to set the escape character as the <character to replace>, hence the \\, and that the desired output was to remove (in other words, replace with nothing) the characters, so the <character to replace with> field is blank.

The flag is RS{oopshunter2_th4ts_th3_p4ssw0rd}. The password to the hard account is therefore oopshunter2.
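The whole Medium 2 chain (hexdump, tee to two files, reverse, sed clean-up) as an added example that is not taken from the challenge VM. The secret string and the temp-directory file names are constructed, the function names are hypothetical, and an od/printf fallback stands in for xxd on systems where it is not installed.

```shell
#!/bin/sh
# Added example, not from the original write-up. The secret below is
# constructed; files in a temp dir stand in for /tmp/1 and /tmp/2.

# Plain hex encode: `xxd -p` where installed, otherwise od as a stand-in.
to_hex() {
  if command -v xxd >/dev/null 2>&1; then
    xxd -p
  else
    od -An -v -tx1 | tr -d ' \n'; echo
  fi
}

# Reverse of to_hex: `xxd -r -p`, or a printf loop when xxd is missing.
from_hex() {
  if command -v xxd >/dev/null 2>&1; then
    xxd -r -p
  else
    tr -d ' \n' | fold -w 2 | while read -r b || [ -n "$b" ]; do
      printf "\\$(printf '%03o' "0x$b")"   # hex pair -> octal escape -> byte
    done
  fi
}

# Remove the decoy characters: backslash, space and '!'. Three substitutions
# separated by semicolons; g replaces every match on a line, not just one.
clean() { sed 's/\\//g;s/ //g;s/!//g'; }

# What the history line did: hexdump a password file and tee it to two files.
leak_like_history() (
  work=$1
  printf '%s\n' 'RS{ c0n\str!uct ed_s4m\ple !}' > "$work/hardpassword.txt"
  to_hex < "$work/hardpassword.txt" | tee "$work/1" "$work/2" >/dev/null
)

# Recovery: reverse the hexdump in file 1, then strip the decoys.
recover() ( from_hex < "$1/1" | clean )

work=$(mktemp -d)
leak_like_history "$work"
echo "hexdump:   $(cat "$work/1")"
echo "recovered: $(recover "$work")"
rm -rf "$work"
```

Hex encoding is reversible by anyone who can read the file, so a secret written this way is exposed exactly as if it were stored in plain text.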
Hard 1 — What’s in hard.txt? (flag not in the form RS{})
The hint is intentionally vague and provides little to no direction for obtaining the flag. Log in to the hard account using the password found in Medium 2. Attempt to open the file hard.txt in the user’s home directory.

Check the permissions of the file using ls -l, which lists the details of all files in the current directory.

The owner of the hard.txt file, despite it being located in the hard user’s home directory, is root. root has permission to read the file. Attempt to act as the root user by using the sudo (“super user do”) command.

The hard user does not have root access. There are several options that may work to obtain access to the file, including changing file permissions, group membership, or the owner of the file. However, for brevity, the action that was successful was to add the hard user to the sudoers file (/etc/sudoers) to allow the hard user to act as the root user and access the file.
Run the command sudo -l to see what the hard user is allowed to run.

The hard user is allowed to run visudo, which means the user is able to edit the sudoers file. Open the sudoers file with visudo.

The sudoers file opens in the vim editor. The relevant section has the heading ## Allow root to run any commands anywhere. Edit the file to allow the hard user to also run any commands anywhere.

Exit the vim editor and attempt to access the file hard.txt as root again.

This file looks interesting. There isn’t a message like in Medium 1 instructing the user to take the hash of the file. It has the extension .txt but is actually a binary file, and it repeats hard.file twice. If the hint “What’s in hard.txt?” is taken literally, as in “What is inside hard.txt?”, then the file needs to be unzipped. Unzip the file.

View the contents of hard.file.

Take the sha1sum of hard.file to get the flag.

The flag is 44f114de4d36798725ed548b9adfb397ea7c020d.
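Hard 1 works because a sudoers rule that looks narrow (only visudo) is equivalent to full root. An audit for that class of rule, as an added example that is not from the original write-up: the sample rules are constructed, and the function name and the list of binaries treated as root-equivalent are assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up. All rules are constructed.

SAMPLE_SUDOERS='## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
hard    ALL=(ALL)       /usr/sbin/visudo
backup  ALL=(root)      NOPASSWD: /usr/bin/rsync, /usr/bin/vim /etc/hosts
web     ALL=(ALL)       /usr/bin/systemctl restart httpd'

# Read sudoers-style text on stdin and print "<who> <command>" for every rule
# that gives a non-root principal a binary able to rewrite sudoers or start a
# shell (assumed list). Plain "ALL" grants are openly root and are skipped.
risky_sudo_rules() {
  awk '
    /^[ \t]*(#|$)/ || /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/ { next }
    {
      who = $1
      if (who == "root") next
      spec = $0
      sub(/^[^=]*=/, "", spec)          # drop the "user host =" part
      gsub(/\([^)]*\)/, "", spec)       # drop runas lists such as (ALL)
      gsub(/[A-Z]+:/, "", spec)         # drop tags such as NOPASSWD:
      n = split(spec, cmds, ",")
      for (i = 1; i <= n; i++) {
        cmd = cmds[i]
        gsub(/^[ \t]+|[ \t]+$/, "", cmd)
        split(cmd, parts, /[ \t]+/)
        bin = parts[1]
        sub(/.*\//, "", bin)            # keep only the basename
        if (bin ~ /^(visudo|vi|vim|nano|ed|less|bash|sh)$/)
          print who, cmd
      }
    }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | risky_sudo_rules
```

On a real host the input would be the sudoers file and any included fragments, read by an administrator; the constructed `hard` rule is the one this challenge depends on.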
In Conclusion
If you don’t know how to use a Linux terminal or struggled with the commands, the best way to learn is simply to use it more often. There are many great tutorials online that will also walk you through Bash.
There will be 14 more weeks of challenges coming from the new RITSEC club this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–2 PM in GOL-2410 for the CTF and 2–4 PM in SLA-2150 for research and presentations. Until next week!
