BSides Canberra 2018 CTF Write-Up: Rhadinesthes

This is a write-up of the Rhadinesthes challenge from the BSides Canberra 2018 CTF. This challenge was worth 100 points.

Clue — Wobbly legs if you tail too close, the run-down is using a Moroccan past-time you’ll get your answer.

When we got this challenge we first spent a lot of time researching Moroccan pastimes involving camels (wobbly legs). Needless to say, this didn’t get us anywhere. However, there was a file called flag.txt, so after a while we looked at the information about the owner of the file, which led us to a password hash; cracking that hash gave us the password and, with it, access to the file.

Here are the steps we followed.

1. SSH’d into the server which hosts the challenge.

2. Changed to the directory containing the challenge, in this case /challenges/rhadinesthes/. Within this folder was a file called flag.txt which could not be opened or accessed because of its permissions.

3. Ran ls -la to show a detailed view of the files in the directory.

Took note of the flag3 group that owns flag.txt.

4. Opened the file /etc/passwd. This stores account details for all users on the system. By default, passwords are not stored in the passwd file; they are instead stored in hashed form in the /etc/shadow file, which is readable only by root.

The first column stores usernames, and the second column stores the password. As the actual password hashes are stored in /etc/shadow, a placeholder x is usually present in that column instead.

However, there was a flag3 user that had a hashed password stored in the password column instead of the placeholder. Because /etc/passwd is world-readable, any user on the system can read that hash.

5. We copied the hash and then needed to find a way to crack it back to plaintext. We decided to use John the Ripper with the rockyou.txt wordlist, which ships with Kali Linux.

6. To do this, we created a file and put the hashed password into it.

7. We then ran John the Ripper on that file against the rockyou.txt wordlist using: john <name of file> --wordlist=/usr/share/wordlists/rockyou.txt

8. John then went to work cracking the hash. While John was working, you could press any key to check the status of the job. After a while it displayed besides as the recovered password.

9. We then SSH’d into the server as the flag3 user using the password besides.

10. Finally, we went back into the /challenges/rhadinesthes/ directory, opened flag.txt, and got the flag.
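The misconfiguration behind step 4 (a hash sitting in the world-readable /etc/passwd instead of the x placeholder) is easy to audit for. The script below is an added example written for this write-up, not part of the original post or the challenge; the passwd lines it checks are constructed samples, and the flag3 hash value in them is a made-up placeholder.

```python
import sys

# Constructed sample /etc/passwd content (not the challenge server's file).
# The flag3 line carries a hash in field 2 instead of the 'x' placeholder;
# the hash string itself is a placeholder, not a real digest.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
flag3:$6$c0nstructedsalt$PLACEHOLDERHASHVALUE:1003:1003::/home/flag3:/bin/bash
ctf:!:1004:1004::/home/ctf:/bin/bash
"""

# Field-2 values that mean "no usable hash is stored in this file".
SHADOWED = "x"                        # real hash lives in /etc/shadow
LOCKED = {"*", "!", "!!", "*LK*"}     # account locked, no password usable


def audit_passwd(text):
    """Return a list of (account, issue) for every passwd entry whose
    password field is neither the 'x' placeholder nor a locked marker."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == SHADOWED or pw in LOCKED:
            continue
        if pw == "":
            findings.append((user, "empty password field (no password required)"))
        else:
            # Anything else is treated as a credential that every local user can read.
            findings.append((user, "password hash stored in world-readable /etc/passwd"))
    return findings


if __name__ == "__main__":
    # Audit a real file when a path is given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for account, issue in audit_passwd(text):
        print(f"{account}: {issue}")
```

Run it against a live system with `python3 audit_passwd.py /etc/passwd`; a clean host prints nothing.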

Thanks to the team at Elttam for a fun challenge which taught us something new!