BSides Canberra 2018 CTF Write-Up: Pedantiism

This is a write-up of the Pedantiism challenge from the BSides Canberra 2018 CTF. This challenge was worth 150 points.

This was the second Linux challenge; it involved finding a setgid nmap binary and using it to read a file we could not otherwise access.

Firstly, we needed to SSH into the challenge server: ssh://skid.libctf.so

The main priority was discovering who owned flag.txt, so we could figure out what permissions were necessary to read it. In this case, flag.txt was owned by root, with group flag2.

Looking around in all the usual places, such as /etc/passwd and /etc/group, there did not seem to be an account in the flag2 group that we could get into, so we had to look for a different way.

Some Googling around turned up the setuid/setgid mechanism: a binary with the setuid bit set runs with the effective user ID of the file's owner, and one with the setgid bit set runs with the effective group ID of the file's group, regardless of who launched it (this is how utilities such as passwd get to modify root-owned files). In ls -l output the bits show up as an s in place of the owner's or group's x. So if we could find an executable that was setuid root or setgid flag2, anything it did with files would be done with those privileges, and we could try to make it read flag.txt for us.
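The usual way to hunt for such binaries is a find over the whole filesystem keyed on the setuid (4000) and setgid (2000) permission bits. The script below is an added example, not part of the original write-up: it wraps that find in a function and, so it can be exercised offline, builds a constructed throwaway directory tree (a hypothetical layout with a fake setgid nmap, a fake setuid passwd and a plain ls, not the challenge server's real files) and runs the same search over it.

```shell
#!/bin/sh
# Added example (not from the original write-up): the standard hunt for
# setuid/setgid binaries, wrapped in a function, plus a constructed fixture
# tree so it can be exercised offline. On the real box you would run
#   find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
# and look for anything whose group is flag2 or whose owner is root.

# Print every regular file under $1 that has the setuid (-perm -4000) or
# setgid (-perm -2000) bit set, one path per line. POSIX find syntax, so it
# works with busybox as well as GNU find.
find_setids() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Build a throwaway directory tree (hypothetical layout, not the challenge
# server's): a setgid "nmap", a setuid "passwd" and a plain "ls".
build_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/bin"
    for f in usr/bin/nmap usr/bin/passwd bin/ls; do
        printf '#!/bin/sh\necho "fake %s"\n' "$f" > "$d/$f"
        chmod 755 "$d/$f"
    done
    chmod g+s "$d/usr/bin/nmap"    # mode 2755: runs with the file's group as effective gid
    chmod u+s "$d/usr/bin/passwd"  # mode 4755: runs with the file's owner as effective uid
    printf '%s\n' "$d"
}

# Demo when run directly: list what the hunt finds, with the s bits visible
# in the ls -l output (rwsr-xr-x for setuid, rwxr-sr-x for setgid).
demo_root=$(build_fixture)
echo "setuid/setgid files under $demo_root:"
find_setids "$demo_root" | while read -r f; do ls -l "$f"; done
rm -rf "$demo_root"
```

On a real target, pipe the paths through ls -l and read the owner and group columns: a root-owned setuid binary is a candidate for full root, while a setgid binary only grants its group, which in this challenge was exactly the flag2 group that could read flag.txt.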

As it turns out, nmap was installed setgid with group owner flag2 (an s in the group execute position of its ls -l listing), so it runs with effective group flag2 and therefore has the group read permission on flag.txt. If we could get nmap to open flag.txt and somehow echo its contents back to us, we would likely have the flag.

nmap can take its list of targets from a file (the -iL option), so we pointed it at flag.txt:

nmap -iL flag.txt

nmap read the file without complaint (it was running with group flag2), but the flag is not a valid target specification, so nmap could not resolve it as a host name, and the error message it printed quoted the unresolvable entry, revealing the flag! One caveat worth knowing about this trick: nmap splits the target file on whitespace, so a flag containing spaces would come back as one error line per word rather than in one piece.

Thanks to Elttam for this challenge which certainly made us think outside of the box!