Create envil.md

This commit is contained in:
ARZ 2021-12-04 19:24:57 +05:00 committed by GitHub
parent e21a1358a5
commit a22b6ef139
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

52
echoCTF/envil.md Normal file
View file

@ -0,0 +1,52 @@
# echoCTF - Anvil
This is an OS category challenge in which we are provided an IP address and a port to conenct using `nc`
<img src="https://i.imgur.com/2yvvZOl.png"/>
We can find the first flag by printing the evnironmental variables using `env`
<img src="https://i.imgur.com/pZSPZEI.png"/>
## Privilege Escalation (silver)
Running `sudo -l` we can see that we are user `copper` and we can run `/sbin/debugfs` as `silver` user
<img src="https://i.imgur.com/yRvltDQ.png"/>
In this user's directory we can find the first flag
<img src="https://i.imgur.com/BjuWPg5.png"/>
## Privilege Escalation (gold)
Next we can again run sudo -l to see which commands we can run as other user and here we can run `/usr/bin/sftp` with `gold` user , now in order to escalate we need to have a ssh port running but here we can't open that port as we need root privileges so we can open ssh port on our host machine
<img src="https://i.imgur.com/KsP1RAz.png"/>
<img src="https://i.imgur.com/jWUGxFL.png"/>
<img src="https://i.imgur.com/R3bm2gU.png"/>
Following GTFOBINS we can spawn a bash shell
<img src="https://i.imgur.com/xTJtY8a.png"/>
<img src="https://i.imgur.com/u7fmZqU.png"/>
And in gold's home directory we can get the second flag.
## Privilege Escalation (ETSCTF)
Doing sudo -l again we can see that this user can run `/bin/bzless` as `ETSCTF` user
<img src="https://i.imgur.com/Xul6cMm.png"/>
bzless is similar to `less` binary but it's for viewing bzip2 compressed text so we can try to pass a filename to it and then privesc similar to less
<img src="https://i.imgur.com/uZ1ul2D.png"/>
<img src="https://i.imgur.com/EBAEmwP.png"/>
<img src="https://i.imgur.com/uIBSEoD.png"/>
<img src="https://i.imgur.com/ecmDVEt.png"/>