Skip to main content

SANS HOLIDAY HACK 2017 : PART 1

SANS HOLIDAY HACK 2017 Writeup 

Earlier in 2017 I made my entry in CTFs and have participated in few CTF competitions in my organization  SAP Labs.  Sans Holiday Hack is my 2nd Global CTF that I am participating after HackerRank CTF.

You can find the background story of the CTF from here

 https://www.holidayhackchallenge.com/2017/

Challenges Were Broken Down in 3 Sections

1. Games
2. Terminal Challenges
3. Main CTF Hackers Style

The Games 

The games were interesting. There were some shooting iceballs. All you need to do is make the iceball reach the destination to mark it as complete. You will get additional points to fulfill subtasks like cover all the waypoints, etc. Very interesting ! The green dots represent solving the level and the yellow dots represent solving all the challenges in the level.


This is how the Winter Wonder Landing Game looked like


So for this part I am not doing any writeup as this can only be demonstrated with some videos


The Terminal Challeges

The Terminal challenges were present in each of the game. Can you in a small tiny box on top of that tank in the above image. Clicking on them would present you with a linux console where you will be presented with some challenges. 


TERMINAL CHALLENGE 1 -  In this challenge we couldn not use kill / pkill initially. The reason is kill and pkill is set as alias. It was made an alias for "true". So the command did not work initially. So to solve this I used unalias command to remove the alias and then issue the kill command.

___,@ / < ,_ / \ _, ? \`/______\`/ ,_(_). |; (e e) ;| \___ \ \/\ 7 /\/ _\8/_ \/\ \'=='/ | /| /| \ \___)--(_______|//|//| \___ () _____/|/_|/_| / () \ `----' / () \ '-.______.-' jgs _ |_||_| _ (@____) || (____@) \______||______/My name is Sparkle Redberry, and I need your help.My server is atwist, and I fear I may yelp.Help me kill the troublesome process gone awry.I will return the favor with a gift before nigh.Kill the "santaslittlehelperd" process to complete this challenge.elf@7705d8ccb624:~$


___,@ / < ,_ / \ _, ? \`/______\`/ ,_(_). |; (e e) ;| \___ \ \/\ 7 /\/ _\8/_ \/\ \'=='/ | /| /| \ \___)--(_______|//|//| \___ () _____/|/_|/_| / () \ `----' / () \ '-.______.-' jgs _ |_||_| _ (@____) || (____@) \______||______/ My name is Sparkle Redberry, and I need your help.My server is atwist, and I fear I may yelp.Help me kill the troublesome process gone awry.I will return the favor with a gift before nigh.Kill the "santaslittlehelperd" process to complete this challenge.elf@f98c307a80fc:~$ ps -Al F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD4 S 1000 1 0 0 80 0 - 4507 - pts/0 00:00:00 init4 S 1000 8 1 0 80 0 - 1056 - pts/0 00:00:00 santaslittlehel4 S 1000 11 1 1 80 0 - 3382 - pts/0 00:00:00 kworker4 S 1000 12 1 0 80 0 - 4562 - pts/0 00:00:00 bash4 S 1000 18 11 3 80 0 - 17867 core_s pts/0 00:00:00 kworker0 R 1000 34 12 0 80 0 - 6494 - pts/0 00:00:00 pself@f98c307a80fc:~$ kill -9 8elf@f98c307a80fc:~$ ps -AlF S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD4 S 1000 1 0 0 80 0 - 4507 - pts/0 00:00:00 init4 S 1000 8 1 0 80 0 - 1056 - pts/0 00:00:00 santaslittlehel4 S 1000 11 1 0 80 0 - 3382 - pts/0 00:00:00 kworker4 S 1000 12 1 0 80 0 - 4562 - pts/0 00:00:00 bash4 S 1000 18 11 1 80 0 - 17867 core_s pts/0 00:00:00 kworker0 R 1000 47 12 0 80 0 - 6494 - pts/0 00:00:00 pself@f98c307a80fc:~$ aliasalias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'alias egrep='egrep --color=auto'alias fgrep='fgrep --color=auto'alias grep='grep --color=auto'alias kill='true'alias killall='true'alias l='ls -CF'alias la='ls -A'alias ll='ls -alF'alias ls='ls --color=auto'alias pkill='true'alias skill='true'elf@f98c307a80fc:~$ unalias kill elf@f98c307a80fc:~$ kill -9 8elf@f98c307a80fc:~$ ps -AlF S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME CMD4 S 1000 1 0 0 80 0 - 4507 - pts/0 00:00:00 init4 S 1000 12 1 0 80 0 - 4562 - pts/0 00:00:00 bash0 R 1000 93 12 0 80 0 - 6494 - pts/0 00:00:00 pself@f98c307a80fc:~$


TERMINAL CHALLENGE 2 - No find / locate / whereis command is available. Frankly speaking I did a lot of manual searching to find the binary at /var/run/elftalk.  I hope to see some other writeups for better approach.

| \ ' / -- (*) -- >*< >0<@< >>>@<<* >@>*<0<<< >*>>@<<<@<< >@>>0<<<*<<@< >*>>0<<@<<<@<<< >@>>*<<@<>*<<0<*< \*/ >0>>*<<@<>0><<*<@<< ___\\U//___ >*>>@><0<<*>>@><*<0<< |\\ | | \\| >@>>0<*<0>>@<<0<<<*<@<< | \\| | _(UU)_ >((*))_>0><*<0><@<<<0<*< |\ \| || / //||.*.*.*.|>>@<<*<<@>><0<<< |\\_|_|&&_// ||*.*.*.*|_\\db//_ """"|'.'.'.|~~|.*.*.*| ____|_ |'.'.'.| ^^^^^^|____|>>>>>>| ~~~~~~~~ '""""`------'My name is Bushy Evergreen, and I have a problem for you.I think a server got owned, and I can only offer a clue.We use the system for chat, to keep toy production running.Can you help us recover from the server connection shunning?Find and run the elftalkd binary to complete this challenge.

| \ ' / -- (*) -- >*< >0<@< >>>@<<* >@>*<0<<< >*>>@<<<@<< >@>>0<<<*<<@< >*>>0<<@<<<@<<< >@>>*<<@<>*<<0<*< \*/ >0>>*<<@<>0><<*<@<< ___\\U//___ >*>>@><0<<*>>@><*<0<< |\\ | | \\| >@>>0<*<0>>@<<0<<<*<@<< | \\| | _(UU)_ >((*))_>0><*<0><@<<<0<*< |\ \| || / //||.*.*.*.|>>@<<*<<@>><0<<< |\\_|_|&&_// ||*.*.*.*|_\\db//_ """"|'.'.'.|~~|.*.*.*| ____|_ |'.'.'.| ^^^^^^|____|>>>>>>| ~~~~~~~~ '""""`------' My name is Bushy Evergreen, and I have a problem for you. I think a server got owned, and I can only offer a clue. We use the system for chat, to keep toy production running. Can you help us recover from the server connection shunning? Find and run the elftalkd binary to complete this challenge.elf@7442dc156c19:~$ find / -name elftalkdbash: /usr/local/bin/find: cannot execute binary file: Exec format errorelf@7442dc156c19:~$ locate elftalkdbash: locate: command not foundelf@7442dc156c19:~$ whereis elftalkdelftalkd:elf@7442dc156c19:~$ ls /var/backups cache lib local lock log mail opt run spool tmpelf@7442dc156c19:~$ ls /var/runelftalk lock mount systemd utmpelf@7442dc156c19:~$ ls /var/run/elftalk/binelf@7442dc156c19:~$ ls /var/run/elftalk/bin/elftalkdelf@7442dc156c19:~$ /var/run/elftalk/bin/elftalkd Running in interactive mode --== Initializing elftalkd ==--Initializing Messaging System!Nice-O-Meter configured to 0.90 sensitivity.Acquiring messages from local networks...--== Initialization Complete ==-- _ __ _ _ _ _ | |/ _| | | | | | | ___| | |_| |_ __ _| | | ____| | / _ \ | _| __/ _` | | |/ / _` || __/ | | | || (_| | | < (_| | \___|_|_| \__\__,_|_|_|\_\__,_|-*> elftalkd! <*-Version 9000.1 (Build 31337) By Santa Claus & The Elf TeamCopyright (C) 2017 NotActuallyCopyrighted. No actual rights reserved.Using libc6 version 2.23-0ubuntu9LANG=en_US.UTF-8Timezone=UTCCommencing Elf Talk Daemon (pid=6021)... done!Background daemon...elf@7442dc156c19:~$


TERMINAL CHALLENGE 3 - This challenge was interesting and totally new to me. The binary had only executable permission for root user. I learnt that using an ELF interpreter  we can execute the ELF binary.  /lib64/ld-linux-x86-64.so.2

___ / __'. .-"""-. .-""-| | '.'. / .---. \ / .--. \ \___\ \/ /____| | / / \ `-.-;-(`_)_____.-'._ ; ; `.-" "-:_,(o:==..`-. '. .-"-, | | / \ / `\ `. \ / .-. \ \ \ | Y __...\ \ \ / / \/ /\ | | | .--""--.| .-' \ '.`---' / \ \ / / |` \' _...--.; '---'` \ '-' / jgs /_..---.._ \ .'\\_ `. `--'` .' (_) `'/ (_) / `._ _.'| .' ``````` '-...--'`My name is Holly Evergreen, and I have a conundrum.I broke the candy cane striper, and I'm near throwing a tantrum.Assembly lines have stopped since the elves can't get their candy cane fix.We hope you can start the striper once again, with your vast bag of tricks.Run the CandyCaneStriper executable to complete this challenge.

ne is up and running!
/ __'. .-"""-.
.-""-| | '.'. / .---. \
/ .--. \ \___\ \/ /____| |
/ / \ `-.-;-(`_)_____.-'._
; ; `.-" "-:_,(o:==..`-. '. .-"-,
\ \ | Y __...\ \ \ / / \/
| | / \ / `\ `. \ / .-. \ /\ | | | .--""--.| .-' \ '.`---' /
`--'` .' (_) `'/ (_) /
\ \ / / |` \' _...--.; '---'` \ '-' / jgs /_..---.._ \ .'\\_ `.
`._ _.'| .'
``````` '-...--'`My name is Holly Evergreen, and I have a conundrum.I broke the candy cane striper, and I'm near throwing a tantrum.Assembly lines have stopped since the elves can't get their candy cane fix.We hope you can start the striper once again, with your vast bag of tricks.Run the CandyCaneStriper executable to complete this challenge.elf@bd154be8e41d:~$ ls -latotal 68drwxr-xr-x 1 elf elf 4096 Dec 15 20:00 .drwxr-xr-x 1 root root 4096 Dec 5 19:31 ..-rw-r--r-- 1 elf elf 220 Aug 31 2015 .bash_logout-rw-r--r-- 1 root root 3143 Dec 15 19:59 .bashrc-rw-r--r-- 1 elf elf 655 May 16 2017 .profile-rw-r--r-- 1 root root 45224 Dec 15 19:59 CandyCaneStriperelf@bd154be8e41d:~$ file CandyCaneStriper CandyCaneStriper: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=bfe4ffd88f30e6970feb7e3341ddbe579e9ab4b3, strippedelf@bd154be8e41d:~$ chmod u+x CandyCaneStriper elf@bd154be8e41d:~$ ls -latotal 68drwxr-xr-x 1 elf elf 4096 Dec 15 20:00 .drwxr-xr-x 1 root root 4096 Dec 5 19:31 ..-rw-r--r-- 1 elf elf 220 Aug 31 2015 .bash_logout-rw-r--r-- 1 root root 3143 Dec 15 19:59 .bashrc-rw-r--r-- 1 elf elf 655 May 16 2017 .profile-rw-r--r-- 1 root root 45224 Dec 15 19:59 CandyCaneStriperelf@bd154be8e41d:~$ /lib64/ld-linux-x86-64.so.2 ./CandyCaneStriper +x ./CandyCaneStriper _..._ .'\\ //`, /\\.'``'.=", / \/ ;==| /\\/ .'\`,` / \/ `""` /\\/ /\\/ /\ / /\\/ /`\/ \\/ `


TERMINAL CHALLENGE 4 - Using file command on the binary it will reveal that is compiled for ARM platform. To run such ARM applications , qemu must be installed in the system. Using qemu we can run the binary.


______ .-"""".._'. _,## _..__ |.-"""-.| | _,##'`-._ (_____)||_____|| |_,##'`-._,##'` _| |.;-""-. | |#'`-._,##'` _.;_ `--' `\ \ |.'`\._,##'` /.-.\ `\ |.-";.`_, |##'` |\__/ | _..;__ |'-' / '.____.'_.-`)\--' /'-'` //||\\(_.-'_,'-'` (`-...-')_,##'` jgs _,##`-..,-;##` _,##'`-._,##'` _,##'`-._,##'` `-._,##'`My name is Pepper Minstix, and I need your help with my plight.I've crashed the Christmas toy train, for which I am quite contrite.I should not have interfered, hacking it was foolish in hindsight.If you can get it running again, I will reward you with a gift of delight.total 444-rwxr-xr-x 1 root root 454636 Dec 7 18:43 trainstartupelf@3717bc22863c:~$

elf@ac8b47c18917:~$ ./trainstartup bash: ./trainstartup: cannot execute binary file: Exec format errorelf@ac8b47c18917:~$ qemu-arm ./trainstartup


Merry Christmas Merry Christmasv>*<^/o\/ \ @.·/~~ \ ./ ° ~~ \ · . / ~~ \ · / ° ~~\ · 0/~~ \ .·· · o /° ~~ .*· · . \ ┬─°─┬°°° ========──┼──=≠ ==================================== /\─┐ ┌┐ /▒▒▒▒ ≠=======================°≠=°≠==========================You did it! Thank you!elf@ac8b47c18917:~$


TERMINAL CHALLENGE 5 - A good usage of awk , grep would narrow down the result and bit of googling will reveal the browser name. I personally never used this 'Dillo' browser and heard it for the first time !

._ _. (_) (_) <> \ / <> .\::/. \_\/ \/_/ .:. _.=._\\//_.=._ \\// .. \o/ .. '=' //\\ '=' _<>_\_\<>/_/_<>_ :o| | |o: '/::\' <> / /<>\ \ <> ~ '. ' .' ~ (_) (_) _ _ _ //\\ _ >O< ' ' /_/ \_\ / /\ /\ \ _ .' . '. _ \\// <> / \ <> :o| | |o: /\_\\><//_/\ '' /o\ '' '.| |.' \/ //><\\ \/ ':' . ~~\ /~~ . _//\\_jgs _\_._\/_._/_ \_\ /_/ / ' /\ ' \ \o/ o ' __/ \__ ' _o/.:|:.\o_ o : o ' .'| |'. .\:|:/. '.\'/.' . -=>>::>o<::<<=- :->@<-: : _ '/:|:\' _ .'/.\'. '.___/*\___.' o\':|:'/o o : o \* \ / */ /o\ o >--X--< /*_/ \_*\ .' \*/ '. : 'Minty Candycane here, I need your help straight away.We're having an argument about browser popularity stray.Use the supplied log file from our server in the North Pole.Identifying the least-popular browser is your noteworthy goal.total 28704-rw-r--r-- 1 root root 24191488 Dec 4 17:11 access.log-rwxr-xr-x 1 root root 5197336 Dec 11 17:31 runtoanswerelf@1ec0264e4c6f:~$ awk -F\" '{print $6}' access.log |sort -u | uniq


(_) (_) <> \ / <>

total 28704-rw-r--r-- 1 root root 24191488 Dec 4 17:11 access.log-rwxr-xr-x 1 root root 5197336 Dec 11 17:31 runtoanswerelf@c3933d45d5c7:~$ elf@c3933d45d5c7:~$ awk -F\" '{print $6}' access.log |sort -u | uniq(KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36-Dillo/3.0.5GarlikCrawler/1.2 (http://garlik.com/, crawler@garlik.com)Googlebot-Image/1.0MobileSafari/604.1 CFNetwork/889.9 Darwin/17.2.0Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)Mozilla/4.0 (compatible;)Mozilla/5.0 <<<<< SNIPPED DATA >>>>>>

www.probethenet.com scannerelf@1b982464c021:~$ ./runtoanswer Starting up, please wait......Enter the name of the least popular browser in the web log: DilloThat is the least common browser in the web log! Congratulations!elf@1b982464c021:~$


TERMINAL CHALLENGE 6 - College days lessons came handy. It took a bit of trial and error to decide the number of likes of 3000. I started with 1000 and gradually increased the count higher to narrow down the result. The query i wrote is NOT optimized and took bit long to execute. Patience was the key !


* .~' O'~.. ~'O'~.. ~'O'~..~' O'~..~'O'~. .~'O'~..~'O'~ ..~'O'~..~'O'~. .~'O'~..~'O'~..~' O'~..~'O'~..~'O'~.. ~'O'~..~'O'~..~'O'~.. ~'O'~..~'O'~..~'O'~..~' O'~..~'O'~..~'O'~..~'O'~. .~'O'~..~'O'~..~'O'~..~'O'~ ..~'O'~..~'O'~..~'O'~..~'O'~. .~'O'~..~'O'~..~'O'~..~'O'~..~' O'~..~'O'~..~'O'~..~'O'~..~'O'~.. ~'O'~..~'O'~..~'O'~..~'O'~..~'O'~.. ~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~' O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~. .~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~ ..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~. .~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..Sugarplum Mary is in a tizzy, we hope you can assist.Christmas songs abound, with many likes in our midst.The database is populated, ready for you to address.Identify the song whose popularity is the best.total 20684-rw-r--r-- 1 root root 15982592 Nov 29 19:28 christmassongs.db-rwxr-xr-x 1 root root 5197352 Dec 7 15:10 runtoanswerelf@59a1529b4428:~$



* .~' O'~.. ~'O'~.. ~'O'~..~' O'~..~'O'~. .~'O'~..~'O'~ ..~'O'~..~'O'~. .~'O'~..~'O'~..~' O'~..~'O'~..~'O'~.. ~'O'~..~'O'~..~'O'~.. ~'O'~..~'O'~..~'O'~..~' O'~..~'O'~..~'O'~..~'O'~. .~'O'~..~'O'~..~'O'~..~'O'~ ..~'O'~..~'O'~..~'O'~..~'O'~. .~'O'~..~'O'~..~'O'~..~'O'~..~' O'~..~'O'~..~'O'~..~'O'~..~'O'~.. ~'O'~..~'O'~..~'O'~..~'O'~..~'O'~.. ~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~' O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~. .~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~ ..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~. .~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~' O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..~'O'~..Sugarplum Mary is in a tizzy, we hope you can assist.Christmas songs abound, with many likes in our midst.The database is populated, ready for you to address.Identify the song whose popularity is the best.total 20684-rw-r--r-- 1 root root 15982592 Nov 29 19:28 christmassongs.db-rwxr-xr-x 1 root root 5197352 Dec 7 15:10 runtoanswerelf@4dad4c91f82b:~$ elf@4dad4c91f82b:~$ sqlite3 christmassongs.db SQLite version 3.11.0 2016-02-15 17:29:24Enter ".help" for usage hints.sqlite> .schemaCREATE TABLE songs( id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT, artist TEXT, year TEXT, notes TEXT);CREATE TABLE likes( id INTEGER PRIMARY KEY AUTOINCREMENT, like INTEGER, datetime INTEGER, songid INTEGER, FOREIGN KEY(songid) REFERENCES songs(id));sqlite> select id from songs outerrr where 3000<(select sum(like) from likes where songid = outerrr.id);392sqlite> select * from songs where id = 392 ...> ;392|Stairway to Heaven|Led Zeppelin|1971|"Stairway to Heaven" is a song by the English rock band Led Zeppelin, released in late 1971. It was composed by guitarist Jimmy Page and vocalist Robert Plant for the band's untitled fourth studio album (often called Led Zeppelin IV). It is often referred to as one of the greatest rock songs of all time.sqlite> .quitelf@4dad4c91f82b:~$ ./runtoanswer Starting up, please wait......Enter the name of the song with the most likes: Stairway to HeavenThat is the #1 Christmas song, congratulations!elf@4dad4c91f82b:~$


TERMINAL CHALLENGE 7 - I remember during OSCP I learnt this technique. Using FIND we do do privilege escalation. So once i saw the results of sudo -l , i knew what to do. Yes you can execute commands using find !


\ / -->*<-- /o\ /_\_\ /_/_0_\ /_o_\_\_\ /_/_/_/_/o\ /@\_\_\@\_\_\ /_/_/O/_/_/_/_\ /_\_\_\_\_\o\_\_\ /_/0/_/_/_0_/_/@/_\ /_\_\_\_\_\_\_\_\_\_\ /_/o/_/_/@/_/_/o/_/0/_\ jgs [___] My name is Shinny Upatree, and I've made a big mistake.I fear it's worse than the time I served everyone bad hake.I've deleted an important file, which suppressed my server access.I can offer you a gift, if you can fix my ill-fated redress.Restore /etc/shadow with the contents of /etc/shadow.bak, then run "inspect_da_box" to complete this challenge.Hint: What commands can you run with sudo?elf@ff8356a5c20a:~$


\ /
-->*<--
/o\
/_/_0_\
/_\_\
/_/_/_/_/o\
/_o_\_\_\
/_/_/O/_/_/_/_\
/@\_\_\@\_\_\
/_/0/_/_/_0_/_/@/_\
/_\_\_\_\_\o\_\_\
/_/o/_/_/@/_/_/o/_/0/_\
/_\_\_\_\_\_\_\_\_\_\ jgs [___]
My name is Shinny Upatree, and I've made a big mistake.
I fear it's worse than the time I served everyone bad hake.
I can offer you a gift, if you can fix my ill-fated redress.
I've deleted an important file, which suppressed my server access.
Restore /etc/shadow with the contents of /etc/shadow.bak, then run "inspect_da_box" to complete this challenge.Hint: What commands can you run with sudo?elf@98ff15774316:~$ sudo -Lsudo: invalid option -- 'L'usage: sudo -h | -K | -k | -Vusage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] [VAR=value] [-i|-s] [<command>]usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...elf@98ff15774316:~$ sudo -lMatching Defaults entries for elf on 98ff15774316: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser elf may run the following commands on 98ff15774316: (elf : shadow) NOPASSWD: /usr/bin/findelf@98ff15774316:~$ sudo -g shadow find / -name "*.bak" -exec cp '{}' /etc/shadow \;find: '/var/cache/ldconfig': Permission deniedfind: '/var/cache/apt/archives/partial': Permission deniedfind: '/var/lib/apt/lists/partial': Permission deniedfind: '/proc/tty/driver': Permission deniedfind: '/proc/14/task/14/fd': Permission deniedfind: '/proc/14/task/14/fdinfo': Permission deniedfind: '/proc/14/task/14/ns': Permission deniedfind: '/proc/14/fd': Permission deniedfind: '/proc/14/map_files': Permission deniedfind: '/proc/14/fdinfo': Permission deniedfind: '/proc/14/ns': Permission deniedfind: '/etc/ssl/private': Permission deniedfind: '/root': Permission deniedelf@98ff15774316:~$ inspect_da_box ___ / __'. .-"""-. .-""-| | '.'. / .---. \ / .--. \ \___\ \/ /____| | / / \ `-.-;-(`_)_____.-'._ ; ; `.-" "-:_,(o:==..`-. '. .-"-, | | / \ / `\ `. \ / .-. \ \ \ | Y __...\ \ \ / / \/ /\ | | | .--""--.| .-' \ '.`---' / \ \ / / |` \' _...--.; '---'` \ '-' / jgs /_..---.._ \ .'\\_ `. `--'` .' (_) `'/ (_) / `._ _.'| .' ``````` '-...--'`/etc/shadow has been successfully restored!elf@98ff15774316:~$


TERMINAL CHALLENGE 8 - This was new to me. Learnt lot about LD_PRELOAD how we can use of custom version of any function that we use in programming. You can use your own version of malloc  without relying on stdio.h


.--._.--.--.__.--.--.__.--.--.__.--.--._.--. _(_ _Y_ _Y_ _Y_ _Y_ _)_ [___] [___] [___] [___] [___] [___] /:' \ /:' \ /:' \ /:' \ /:' \ /:' \ |:: | |:: | |:: | |:: | |:: | |:: | \::. / \::. / \::. / \::. / \::. / \::. / jgs \::./ \::./ \::./ \::./ \::./ \::./ '=' '=' '=' '=' '=' '='Wunorse Openslae has a special challenge for you.Run the given binary, make it return 42.Use the partial source for hints, it is just a clue.You will need to write your own code, but only a line or two.total 88-rwxr-xr-x 1 root root 84824 Dec 16 16:47 isit42-rw-r--r-- 1 root root 654 Dec 15 19:59 isit42.c.unelf@b8bae6a2f81e:~$ ./isit42 Starting up ... cat isdone.Calling rand() to select a random number.2765 is not 42.elf@b8bae6a2f81e:~$ cat isit42.c.un #include <stdio.h>// DATA CORRUPTION ERROR// MUCH OF THIS CODE HAS BEEN LOST// FORTUNATELY, YOU DON'T NEED IT FOR THIS CHALLENGE// MAKE THE isit42 BINARY RETURN 42// YOU'LL NEED TO WRITE A SEPERATE C SOURCE TO WIN EVERY TIMEint getrand() { srand((unsigned int)time(NULL)); printf("Calling rand() to select a random number.\n"); // The prototype for rand is: int rand(void); return rand() % 4096; // returns a pseudo-random integer between 0 and 4096}int main() { sleep(3); int randnum = getrand(); if (randnum == 42) { printf("Yay!\n"); } else {
printf("Boo!\n"); } return randnum;}elf@b8bae6a2f81e:~$

elf@a0f6c1bdefff:~$ nano hack.celf@a0f6c1bdefff:~$ cat hack.c #include<stdio.h>int rand(){ return 42;}elf@a0f6c1bdefff:~$ gcc -c -fPIC hack.c -o hack.oelf@a0f6c1bdefff:~$ gcc hack.o -shared -o hack.soelf@a0f6c1bdefff:~$ export LD_PRELOAD=/home/elf/hack.soelf@a0f6c1bdefff:~$ ./isit42 Starting up ... done.Calling rand() to select a random number. .-. .;;\ || _______ __ __ _______ _______ __ _ _______ _ _ _______ ______ /::::\|/ | || | | || | | _ || | | || || | _ | || || _ | /::::'(); |_ _|| |_| || ___| | |_| || |_| || _____|| || || || ___|| | || |\/`\:_/`\/| | | | || |___ | || || |_____ | || |___ | |_||_ ,__ |0_..().._0| __, | | | || ___| | || _ ||_____ || || ___|| __ | \,`////""""\\\\`,/ | | | _ || |___ | _ || | | | _____| || _ || |___ | | | | | )//_ o o _\\( | |___| |__| |__||_______| |__| |__||_| |__||_______||__| |__||_______||___| |_| \/|(_) () (_)|\/ \ '()' / ______ _______ _______ ___ ___ __ __ ___ _______ _:.______.;_ | _ | | || _ || | | | | | | | | | | | /| | /`\/`\ | |\ | | || | ___|| |_| || | | | | |_| | | | | _____| / | | \_/\_/ | | \ | |_||_ | |___ | || | | | | | | | | |_____ / |o`""""""""`o| \ | __ || ___|| || |___ | |___ |_ _| | | |_____ | `.__/ () \__.' | | | || |___ | _ || || | | | | | _____| | | | ___ ___ | | |___| |_||_______||__| |__||_______||_______| |___| |___| |_______| / \|---| |---|/ \ | (|42 | () | DA|) | _ ___ _______ \ /;---' '---;\ / | | | || | `` \ ___ /\ ___ / `` | |_| ||____ | `| | | |` | | ____| | jgs | | | | |___ || ______| ___ _._ |\|\/||\/|/| _._ | || |_____ | | / .-\ |~~~~||~~~~| /-. \ |___||_______||___| | \__.' || '.__/ | `---------''---------` Congratulations! You've won, and have successfully completed this challenge.elf@a0f6c1bdefff:~$


Hope you had fun. I know there are tons of grammatical errors throughout my post. It is not intentional but my awful skill of writing. Sorry for tolerating it so long and in my next blog I will cover up the rest of the challenges. Thanks a lot for reading :)

Popular posts from this blog

KringleCon : Sans Holiday Hack 2018 Writeup

SANS HOLIDAY HACK 2018 Writeup , KRINGLECON The objectives  Orientation Challenge  Directory Browsing  de Bruijn Sequences  Data Repo Analysis  AD Privilege Discovery  Badge Manipulation  HR Incident Response  Network Traffic Forensics  Ransomware Recovery  Who Is Behind It All? First I go to Bushy Evergreen and try to solve the terminal challenge . Solving it is fairly easy , Escape_Key followed by  ":q" without quotes After this we move to the kiosk and solve the questions The question were based on the themes of previous Holiday Hack Challenges. Once we answer it correctly we get the flag. For this I visited Minty Candycane and I tried to solve the terminal challenge.  The application has command injection vulnerability , so injecting a system command with the server ip allows execution of the command. So first I perform an `ls` operation to list of the directory contents , followed by a cat of t
Read more

Linux Privilege Escalation : SUID Binaries

After my OSCP Lab days are over I decided to do a little research and learn more on Privilege Escalation as it is my weak area.So over some series of blog post I am going to share with you some information of what I have learnt so far. The methods mentioned over here are not my own. This is something what I have learnt by reading articles, blogs and solving CTFs SUID - Set User ID The binaries which has suid enabled, runs with elevated privileges. Suppose you are logged in as non root user, but this suid bit enabled binaries can run with root privileges. How does a SUID Bit enable binary looks like ? -r- s r-x---  1 hack-me-bak-cracked hack-me-bak         7160 Aug 11  2015 bak How to find all the SUID enabled binaries ? hack-me-bak2@challenge02:~$ find / -perm -u=s 2>/dev/null /bin/su /bin/fusermount /bin/umount /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/gpasswd /usr/bin/newgrp /usr/bin
Read more

Bluetooth Low Energy : Build, Recon,Enumerate and Attack !

Introduction In this post I will try to share some information on bluetooth low energy protocol. Bluetooth Low Energy ( BLE ) is Bluetooth 4.0.It has been widely used in creating "smart" devices like bulbs that can be controlled by mobile apps, or electrical switches that can be controlled by mobile apps. The terms Low Energy refers to multiple distinctive features that is operating on low power and lower data transfer. Code BLE Internals and Working The next thing what we need to know is a profile. Now every bluetooth device can be categorized based on certain specification which makes it easy. Here we will take a close look into two profiles of Bluetooth which is specifically designed for BLE. Generic Access Profile (GAP) - This profiles describes how two BLE devices defines discovery and establishment of connection with each other. There are two types of data payload that can be used. The Advertising Data Payload and Scan Response Payload . The GAP uses br
Read more