FourAndSix:2 CTF

Last time when I tried CTF from series prepared by Fred Wemeijer it was "4n6 - part 1". This time we will check 2nd VM - FourAndSix:2. Here we go...
We will start here:

Cool, OpenBSD again. Let's check for open ports:

Checking if there will be the same bug as it was before:

Unfortunately no. But I found backup.7z file. Checking:

Great, so I used bash command to (try to) extract the content of the archive:
$ for pwd in `cat /path/to/rockyou.txt'; do 7z x backup.7zip -p $pwd; done

... you should be somewhere here:

Still nope. Checking with another file from /usr/share/wordlists:

Now we are here:

Great, there are new files:

Checking:

Checking:

Hm... did I miss something...?

Again:

Great, we're in!

After some basic enumeration I tried to locate possible suidfiles (saved to /tmp/filename):

$ whatis doas:

 Checking hints from Google:

More hints from github source code:

So:

Ok. After a while I got the idea what should be done here...

Checking:

Nope. Next I decided to use less command mentioned with authlog file (then press 'v' to go to visual mode). As you can see you can see some difference ;]

To escape from less-mode I started (in less) /usr/bin/vi. Then I used it to run sh and grab the final flag:

Very cool CTF. It was nice to play it (as well as part1) :)

Big thanks goes to Fred Wemeijer for preparing those VM's.
Also bit thanks goes to the VulnHub Team for sharing all of those games.

See you next time!

Cheers