This Room will help you to sharpen your Linux Skills and help you to learn basic privilege escalation in a HITMAN theme. So, pack your briefcase and grab your SilverBallers as it's gonna be a tough ride.
ssh into the machine
ssh [email protected]
640509040147
after login, I get the mission1 flag
or you can get it with cat .ssh/rc
su mission1
mission1{174dc8f191bcbb161fe25f8a5b58d1f0}
very easy
su mission2
mission2{8a1b68bb11e4a35245061656b5b9fa0d}
do the same
su mission3
mission3{ab1e1ae5cba688340825103f70b0f976}
this time there is a message for us
after being stuck for a while, I see the flag is hidden in the file with non-printable characters
cat -v flag.txt
su mission4
mission4{264a7eeb920f80b3ee9665fafb7ff92d}
easy too
su mission5
mission5{bc67906710c3a376bcc7bd25978f62c0}
hidden file
su mission6
mission6{1fa67e1adc244b5c6ea711f0c9675fde}
the same
su mission7
mission7{53fd6b2bad6e85519c7403267225def5}
we don't have permission on our home
cd out and cd in again to get the flag
su mission8
mission8{3bee25ebda7fe7dc0a9d2f481d10577b}
the flag in / is owned by mission8
cat /flag.txt
su mission9
mission9{ba1069363d182e1c114bef7521c898f5}
grep the flag from the file in our home
su mission10
mission10{0c9d1c7c5683a1a29b05bb67856524b6}
find reverse
grep -r mission11 . 2>/dev/null
su mission11
mission11{db074d9b68f06246944b991d433180c0}
you can find the flag in cat .bashrc
or export the env variables
su mission12
mission12{f449a1d33d6edc327354635967f9a720}
we need to add permission before reading
su mission13
mission13{076124e360406b4c98ecefddd13ddb1f}
decode base64
su mission14
mission14{d598de95639514b9941507617b9e54d2}
binary decode with cyberchef
su mission15
mission15{fc4915d818bfaeff01185c3547f25596}
cyberchef decode from hex
su mission16
mission16{884417d40033c4c2091b44d7c26a908e}
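The three decoding steps above (base64, binary, hex) can also be done in the shell instead of CyberChef. This is an added example, not part of the original writeup: `decode_blob` is a hypothetical helper name and the sample strings are constructed, not the room's data.

```shell
#!/bin/sh
# Added example: decode binary, hex or base64 text locally.
# decode_blob is a hypothetical helper name; all sample strings are constructed.
# Every binary string is also valid hex, and every hex string is also valid
# base64, so the most restrictive alphabet is tried first. An ambiguous input
# such as "deadbeef" is therefore always treated as hex.
decode_blob() {
    s=$(printf '%s' "$1" | tr -d ' \t\r\n')   # tolerate "0110 1000" / "68 69"
    [ -n "$s" ] || return 1
    if ! printf '%s' "$s" | grep -q '[^01]' && [ $(( ${#s} % 8 )) -eq 0 ]; then
        # Binary: each group of 8 bits is one byte.
        printf '%s' "$s" | awk '{
            for (i = 1; i <= length($0); i += 8) {
                v = 0
                for (j = 0; j < 8; j++) v = v * 2 + substr($0, i + j, 1)
                printf "%c", v
            }
        }'
    elif ! printf '%s' "$s" | grep -q '[^0-9A-Fa-f]' && [ $(( ${#s} % 2 )) -eq 0 ]; then
        # Hex: each pair of digits is one byte (portable awk has no strtonum).
        printf '%s' "$s" | awk '{
            h = "0123456789abcdef"; x = tolower($0)
            for (i = 1; i <= length(x); i += 2) {
                hi = index(h, substr(x, i, 1)) - 1
                lo = index(h, substr(x, i + 1, 1)) - 1
                printf "%c", hi * 16 + lo
            }
        }'
    elif printf '%s' "$s" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; then
        printf '%s' "$s" | base64 -d
    else
        echo "decode_blob: not binary, hex or base64" >&2
        return 1
    fi
}

# Constructed samples, one per encoding.
for sample in \
    '01101111 01101011' \
    '666c61677b64656d6f7d' \
    'ZmxhZ3tkZW1vfQ=='
do
    printf '%s -> %s\n' "$sample" "$(decode_blob "$sample")"
done
```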
it's an executable file, run it
su mission17
mission17{49f8d1348a1053e221dfe7ff99f5cbf4}
compile the Java file
su mission18
mission18{f09760649986b489cda320ab5f7917e8}
it's a ruby file
su mission19
mission19{a0bf41f56b3ac622d808f7a4385254b7}
compile the C file
su mission20
mission20{b0482f9e90c8ad2421bf4353cd8eae1c}
and run the python file
su mission21
mission21{7de756aabc528b446f6eb38419318f0c}
our shell was /bin/sh, spawn a bash to get the flag
su mission22
mission22{24caa74eb0889ed6a2e6984b42d49aaf}
now, spawn bash from our python shell with import pty;pty.spawn("/bin/bash")
su mission23
mission23{3710b9cb185282e3f61d2fd8b1b4ffea}
we have a message
check the hosts file and get the flag from the website
su mission24
mission24{dbaeb06591a7fd6230407df3a947b89c}
we have an executable file here
let's inspect it with ltrace ./bribe
you see it takes 2 env variables, test some
export pocket=100
ltrace ./bribe
it uses strcmp; the pocket variable must equal "money"
export pocket=money
./bribe
su mission25
mission25{61b93637881c87c71f220033b22a921b}
we don't have the means to do anything (can't even su)
so I just exit back to mission24 to get a normal user PATH
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
now, we can
su mission26
mission26{cb6ce977c16c57f509e9f8462a120f00}
we get an image but can't open it, so get the strings
su mission27
mission27{444d29b932124a48e7dddc0595788f4d}
something too long
su mission28
mission28{03556f8ca983ef4dc26d2055aef9770f}
this time, we are in a ruby shell, spawn bash with exec '/bin/bash'
looks like they are in reverse
su mission29
mission29{8192b05d8b12632586e25be74da2fff1}
do a bit of grep
grep -r mission30 . 2>/dev/null
su mission30
mission30{d25b4c9fac38411d2fcb4796171bda6e}
read the git log
now, log in to viktor and get ready for some escalation
su viktor
viktor{b52c60124c0f8f85fe647021122b3d9a}
Flag | root.txt |
---|---|
Answer |