AUCTF20 Bash

This write-up contains 5 challenges that builds on top of each other.

Bash 1

Problem

SSH into the server

ssh challenges.auctf.com -p 30040 -l level1

password: aubie

Solution

$ ssh challenges.auctf.com -p 30040 -l level1
[email protected]'s password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
< REDACTED >
$ ls -al
total 24
dr-xr-xr-x 1 root   root   4096 Apr  5 03:19 .
drwxr-xr-x 1 root   root   4096 Apr  4 22:16 ..
-rw-r--r-- 1 level1 level1  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 level1 level1 3771 Apr  4  2018 .bashrc
-rw-r--r-- 1 level1 level1  807 Apr  4  2018 .profile
-rw-rw-r-- 1 root   root     24 Apr  1 21:25 README
$ cat README
auctf{W3lcoM3_2_da_C7F}

Flag

auctf{W3lcoM3_2_da_C7F}

Bash 2

Problem

SSH into the server

ssh challenges.auctf.com -p 30040 -l level2

password is the flag of the previous Bash challenge

Solution

$ ls -al
total 28
dr-xr-xr-x 1 root   root   4096 Apr  5 03:19 .
drwxr-xr-x 1 root   root   4096 Apr  4 22:16 ..
-rw-r--r-- 1 level2 level2  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 level2 level2 3771 Apr  4  2018 .bashrc
-rw-r--r-- 1 level2 level2  807 Apr  4  2018 .profile
-r--r----- 1 level3 level3   22 Apr  1 21:25 flag.txt
-r-xr-x--- 1 level3 level2  110 Apr  1 21:25 random_dirs.sh
$ cat flag.txt
cat: flag.txt: Permission denied
$ cat random_dirs.sh
#!/bin/bash

x=$RANDOM

base64 flag.txt > /tmp/$x
function finish {
        rm  /tmp/$x
}
trap finish EXIT

sleep 15

The flag is owned by user level3 and is in group level2, which is the group of my user. The flag is only readable by user level3.

The bash script under the correct user will be able to read the flag and place it into a worldwide readable file in /tmp.

Let's take a snapshot of the /tmp directory:

$ ls /tmp/
111  12  12183  3865  alf.sh  flag.txt  hello  hi  passcodes.sh  prova.sh

Let's run the script and throw it into the background:

$ sudo -u level3 ./random_dirs.sh
^Z[2] + Stopped                    sudo -u level3 ./random_dirs.sh

Let's view /tmp to see if any files were added:

$ ls /tmp/
111  12  12183  3865  8037  alf.sh  flag.txt  hello  hi  passcodes.sh  prova.sh
$ cat /tmp/8037
YXVjdGZ7ZzB0dEBfbXV2X2Zhczd9Cg==

It's a base64 string:

$ cat /tmp/8037 | base64 -d
auctf{[email protected]_muv_fas7}

Flag

auctf{[email protected]_muv_fas7}

Bash 3

Problem

SSH into the server

ssh challenges.auctf.com -p 30040 -l level3

password is the flag to the previous Bash challenge

Solution

$ ls -al
total 28
dr-xr-xr-x 1 root   root   4096 Apr  5 03:19 .
drwxr-xr-x 1 root   root   4096 Apr  4 22:16 ..
-rw-r--r-- 1 level3 level3  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 level3 level3 3771 Apr  4  2018 .bashrc
-rw-r--r-- 1 level3 level3  807 Apr  4  2018 .profile
-r--r----- 1 level4 level4   30 Apr  1 21:25 flag.txt
-r-xr-x--- 1 level4 level3  179 Apr  1 21:25 passcodes.sh
$ cat passcodes.sh
#!/bin/bash

x=$RANDOM
echo "Input the random number."
read input

if [[ "$input" -eq "$x" ]]
then
        echo "AWESOME sauce"
        cat flag.txt
else
        echo "$input"
        echo "$x try again"
fi

Similar file structure to last time. The script tries to ask you to guess a random number.

Bruteforce:

$ bash -c 'for i in {0..30000}; do echo i | sudo -u level4 ./passcodes.sh; done | grep -e "AWESOME" -e "auctf"'
# 5 minute later after brute forcing with fingers crossed there is an overlap
auctf{wut_r_d33z_RaNdom_numz}

Flag

auctf{wut_r_d33z_RaNdom_numz}

Bash 4

Problem

SSH into the server

ssh challenges.auctf.com -p 30040 -l level4

Solution

$ ls -al
total 28
dr-xr-xr-x 1 root   root   4096 Apr  5 03:19 .
drwxr-xr-x 1 root   root   4096 Apr  4 22:16 ..
-rw-r--r-- 1 level4 level4  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 level4 level4 3771 Apr  4  2018 .bashrc
-rw-r--r-- 1 level4 level4  807 Apr  4  2018 .profile
-r--r----- 1 level5 level5   25 Apr  1 21:25 flag.txt
-r-xr-x--- 1 level5 level4  209 Apr  1 21:25 print_file.sh
$ cat print_file.sh
#!/bin/bash

if [ ! -z "[email protected]" ]
then
        cat [email protected] # 2>/dev/null
        # if [ ! $? -eq 0 ]
        # then
        #       echo "Printing error. Check file permissions"
        # fi
else
        echo "Please enter a file."
        echo "./print_file FILENAME"
fi
$ sudo -u level5 ./print_file.sh flag.txt
auctf{FunKy_P3rm1ssi0nZ}

Nothing new here.

Flag

auctf{FunKy_P3rm1ssi0nZ}

Bash 5

Problem

ssh challenges.auctf.com -p 30040 -l level5

password is the previous Bash challenge flag

Solution

$ ls -al
total 28
dr-xr-xr-x 1 root   root   4096 Apr  5 03:19 .
drwxr-xr-x 1 root   root   4096 Apr  4 22:16 ..
-rw-r--r-- 1 level5 level5  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 level5 level5 3771 Apr  4  2018 .bashrc
-rw-r--r-- 1 level5 level5  807 Apr  4  2018 .profile
-r--r----- 1 root   root     23 Apr  1 21:25 flag.txt
-r-xr-x--- 1 root   level5  137 Apr  1 21:25 portforce.sh
$ cat portforce.sh
#!/bin/bash

x=$(shuf -i 1024-65500 -n 1)
echo "Guess the listening port"
input=$(nc -lp $x)
echo "That was easy right? :)"
cat flag.txt

It seems like the script opens netcat listener and waits for it to close before printing the flag. Let's verify:

$ sudo -u root ./portforce.sh
Guess the listening port

It hangs there. We need to determine the port it's listening on.

The command ps -ef will show all running commands:

$ echo $$
13413
$ ps -ef | grep -e $$
level5   13413 13289  0 22:48 pts/23   00:00:00 -sh
level5   27145 13413  0 22:51 pts/23   00:00:00 ps -ef
level5   27146 13413  0 22:51 pts/23   00:00:00 grep -e 13413

Great, so let's open a second window and run the listener, then run the same command above again but filter for nc instead of the UID.

$ ps -ef | grep -e "nc"
level5    8866 19459  0 22:46 pts/3    00:00:00 nc localhost 23862
level5   12703 12692  0 22:51 pts/5    00:00:00 nc -lp 3830
level5   17378 17373  0 22:51 pts/19   00:00:00 nc -lp 54316
level5   19271 13413  0 22:52 pts/23   00:00:00 grep -e nc
root     30322 30307  0 22:52 pts/22   00:00:00 nc -lp 13177
level5   32391 32386  0 22:49 pts/25   00:00:00 nc -lp 64438
$ nc localhost 13177
^C

It's port 13177 this time. Let's go back to the netcat listener window. Looks like it exited:

$ sudo -u root ./portforce.sh
Guess the listening port
That was easy right? :)
auctf{[email protected]_purt_$can}

Flag

auctf{[email protected]_purt_$can}