RingZer0team CTF - Challenge 148

Posted on Sat 27 May 2017 in Security

There are a bunch of fantastic Capture The Flag security challenges on RingZer0Team.com. I've been working through some of these for a wee while now, and with the New Zealand Cyber Security Challenge coming up again soon, I thought I'd get back into some of them.

Challenge 148 ("Sysadmin Linux Level 2") is one of a series of challenges where you're trying to breach the security of a Linux system. I actually finished most of these last year, but I wanted to finish my last two. Of course, to get to the last two stages, you need to use the flags from the previous stages. So I'm revisiting them.

We start by SSH'ing into a particular user account on the ringzer0team server:

You have mail. Last login: Thu Apr 27 02:52:40 2017 from morpheus@forensics:~$

There's only one file in the home folder, and I can't read it. There's a /home/trinity folder with full read access, but also nothing legible.

Running ps aux reveals what appears to be Trinity's password:

root 3241 0.0 0.0 4188 572 ? S Jan14 1:44 /bin/sh /root/backup.sh -u trinity -p Flag-

Aha, and /etc/fstab contains what appears to be The Architect's password, in base64:

/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0 /dev/fd0 /media/floppy0 auto rw,user,noauto 0 0 #//TheMAtrix/phone /media/Matrix cifs username=architect,password=$(base64 -d ""),iocharset=utf8,sec=ntlm 0 0

Great! Now I can carry on to my actual goal, which was to nail challenge 91 ("Sysadmin Linux Level 7")!