Here we go - machine is ready:
I love you Margo :* (almost...) so what's next?
Let's see what's inside eugene's directory:
At this stage I couldn't find anything 'more interesting' so I decided to check if there is any sudo (bug;]). I found that margo can use sudo with convert... as far as I'm concerned it reminds me of the bug in ImageMagick... let's go this way:
Ok, you should see it now but just to be sure:
As you can see below I tried a few things... ;]
Then I realized that I'm a root-user (but with one shot as a command). Ok, I can run netcat and send /etc/shadow (root will have access to that file, right?) to the listening port. Ok, then I connected to that port from Kali (and shadow was grabbed), see below:
So "you wanna one of those Gibson's baby?" :>
Great, we've found new passwords!
When you check the new accounts, you will quickly see that there is also some sudo setting for eugene. Let's try to "use" it (to escalate to root):
I assume that you remember that you can run shell commands from programs like nmap, vi, gdb and so on... It's good to know that because in case of so-called 'restricted shells' (for example during CTF competitions) you can sometimes use 'the trick' and grab the flag/shell anyway. Like I did below:
Let's find out where the files for our ftpserv are:
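Seen from the defender's side, the same fact turns into a sudoers review. The block below is an added example, not part of the original walkthrough: it flags sudo rules that grant the programs named in this write-up (convert, nmap, vi, gdb) or `ALL`. The sample sudoers text, the user names in it and the `audit` helper are constructed for illustration.

```python
import os
import re

# Programs this walkthrough names as a way to run other commands once they are
# started with elevated rights: convert (sudo rule for margo), nmap, vi, gdb.
RISKY = {"convert", "nmap", "vi", "gdb"}
SKIP = {"Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"}

# Constructed sample sudoers content; users and rules are made up.
SAMPLE = """\
Defaults env_reset
alice ALL=(ALL) NOPASSWD: /usr/bin/convert
bob   ALL=(root) /usr/bin/gdb, /usr/bin/systemctl status nginx
carol ALL=(ALL) /usr/bin/whoami
%ops  ALL=(ALL) NOPASSWD: ALL
"""

# user  host = (runas) commands   (single host per rule; aliases are not expanded)
RULE = re.compile(r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")  # NOPASSWD:, PASSWD:, NOEXEC:, ...


def audit(text):
    """Return (who, command, nopasswd) for every rule granting a risky program."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or line.split()[0] in SKIP:
            continue
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = False  # a tag stays in effect for the commands that follow it
        for spec in re.split(r"(?<!\\),", m["cmds"]):
            spec = spec.strip()
            while (t := TAG.match(spec)):
                if t[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t[1] == "NOPASSWD"
                spec = spec[t.end():]
            if spec and (spec == "ALL" or os.path.basename(spec.split()[0]) in RISKY):
                findings.append((m["who"], spec, nopasswd))
    return findings


if __name__ == "__main__":
    for who, cmd, nopasswd in audit(SAMPLE):
        print(f"{who}: {cmd}" + (" (no password required)" if nopasswd else ""))
```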
I was playing a little bit with the IMG file
So it looks like we don't need to crash sda ;] just use desktop environment. Here we are:
Maybe binwalk will help us:
(By the way, did you see the davinci.c code?)
Let's try to open our GPG file:
I didn't know the password so I decided to go back to our hint.txt. We will find 2 links to 2 movies with the same actor - zerok00l ;)
(According to our hint then) next step was to prepare a good password list to crack that gpg. I used crunch described here:
just like before, after a while ...
... we should be able to read the content of the file:
This was a very nice CTF. Big thanks go (again) to knightmare.
If you are looking for more CTF-machines - check the VulnHub resources.
See you next time...