SANS HOLIDAY HACK 2017 Writeup
Earlier in 2017 I made my entry into CTFs and have participated in a few CTF competitions within my organization, SAP Labs. SANS Holiday Hack is the second global CTF I am participating in, after the HackerRank CTF.
You can find the background story of the CTF here.
Challenges were broken down into 3 sections:
2. Terminal Challenges
3. Main CTF Hackers Style
The games were interesting. Some of them involved shooting iceballs: all you need to do is make the iceball reach the destination to mark the level as complete. You get additional points for fulfilling subtasks such as covering all the waypoints. Very interesting! The green dots represent solving the level and the yellow dots represent solving all the challenges in the level.
This is how the Winter Wonder Landing game looked:
For this part I am not doing a writeup, as it can only be demonstrated with videos.
The Terminal Challenges
The terminal challenges were present in each of the games. Can you see the small box on top of the tank in the image above? Clicking on it presents you with a Linux console where you are given a challenge.
TERMINAL CHALLENGE 1 - In this challenge we could not use kill / pkill initially. The reason is that kill and pkill were set as aliases for "true", so the commands did not work at first. To solve this I used the unalias command to remove the alias and then issued the kill command.
TERMINAL CHALLENGE 2 - No find / locate / whereis command was available. Frankly speaking, I did a lot of manual searching to find the binary at /var/run/elftalk. I hope to see other writeups with a better approach.
TERMINAL CHALLENGE 3 - This challenge was interesting and totally new to me. The binary had execute permission only for the root user. I learnt that the ELF binary can still be executed by invoking the ELF interpreter, /lib64/ld-linux-x86-64.so.2, on it.
TERMINAL CHALLENGE 4 - Running the file command on the binary reveals that it is compiled for the ARM platform. To run such ARM applications, qemu must be installed on the system; using qemu we can run the binary.
TERMINAL CHALLENGE 5 - A good use of awk and grep narrows down the result, and a bit of googling reveals the browser name. I personally had never used this 'Dillo' browser and heard of it for the first time!
TERMINAL CHALLENGE 6 - Lessons from college days came in handy. It took a bit of trial and error to settle on the number of likes, 3000. I started with 1000 and gradually increased the count to narrow down the result. The query I wrote is NOT optimized and took a bit long to execute. Patience was the key!
TERMINAL CHALLENGE 7 - I remember learning this technique during OSCP: find can be used for privilege escalation. So once I saw the results of sudo -l, I knew what to do. Yes, you can execute commands using find!
My name is Shinny Upatree, and I've made a big mistake. I fear it's worse than the time I served everyone bad hake.
I can offer you a gift, if you can fix my ill-fated redress.
I've deleted an important file, which suppressed my server access.
TERMINAL CHALLENGE 8 - This was new to me. I learnt a lot about LD_PRELOAD and how it lets us substitute a custom version of any function we use in programming. You can use your own version of malloc without relying on stdio.h.
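Because LD_PRELOAD swaps out library functions for an entire process, it is also the first thing a defender checks when a program behaves as if its libc calls were replaced. The audit script below is an added example, not code from the challenge or the original post; it parses the NUL-separated /proc/<pid>/environ format and the /etc/ld.so.preload file on constructed sample inputs, and flags preloaded libraries outside the usual library directories (the TRUSTED_DIRS list and the sample paths are assumptions of the example).

```python
"""Audit for LD_PRELOAD-style function interposition. Added example, not
code from the challenge or the original post. It checks the two places a
preloaded library is configured: the LD_PRELOAD variable of a process
(read from /proc/<pid>/environ, NUL separated) and /etc/ld.so.preload."""

# Assumed list of directories where a preloaded library normally lives
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_environ(raw: bytes) -> dict:
    """Decode /proc/<pid>/environ: KEY=VALUE entries separated by NUL bytes."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:  # skips the empty trailing entry and malformed ones
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_libs(value: str) -> list:
    """Split a preload list: paths may be separated by spaces, colons or
    newlines; lines starting with '#' are treated as comments."""
    libs = []
    for line in value.splitlines():
        line = line.strip()
        if not line.startswith("#"):
            libs.extend(line.replace(":", " ").split())
    return libs


def audit(env: dict, preload_file: str) -> list:
    """Return (source, library, trusted) for every configured preload.
    A library outside TRUSTED_DIRS, e.g. under /tmp, is flagged untrusted."""
    findings = []
    for source, value in (("LD_PRELOAD", env.get("LD_PRELOAD", "")),
                          ("ld.so.preload", preload_file)):
        for lib in preload_libs(value):
            findings.append((source, lib, lib.startswith(TRUSTED_DIRS)))
    return findings


# Constructed sample inputs, not taken from any real system
SAMPLE_ENVIRON = (b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libmymalloc.so:"
                  b"/usr/lib/libsample.so\0HOME=/root\0")
SAMPLE_PRELOAD_FILE = "# constructed sample\n/usr/lib64/libshim.so\n/dev/shm/.x.so\n"

if __name__ == "__main__":
    for source, lib, ok in audit(parse_environ(SAMPLE_ENVIRON), SAMPLE_PRELOAD_FILE):
        print(f"{source:14} {lib:28} {'ok' if ok else 'UNTRUSTED'}")
```

On a live host, pass the bytes of /proc/<pid>/environ for each process of interest and the text of /etc/ld.so.preload to audit() in place of the samples.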
Hope you had fun. I know there are tons of grammatical errors throughout my post; it is not intentional, just my awful writing skill. Thanks for tolerating it this long, and in my next blog I will cover the rest of the challenges. Thanks a lot for reading :)