Lost and Found part 1 (PHD 2014 Quals)

Captain Obvious is captured in Detcelfer server. He managed to get the flag, but he lost his mind before he could send it to you. Your mission is to find it. Don’t worry, Captain has left you some clues.
ssh://task:rhythm*postal!Nile@195.133.87.166


No comments, only bash 🙂

===============================================================
Tango to Foxtrot, Tango to Foxtrot!
This is Captain Obvious.

I tried to fight with Deatcelfer ... but I failed.
Now I'm prisoned here and can't help my dear humanity.

But I've found some secret here, some of his dirty secrets.
Grab it and avenge for me.
Can't say exactly because I'm watched.
Hope you are UNIX gurus and manage to find what I mean.
Look around you and see my hint. It may lead you to the reveal.
===============================================================

bash-4.1$ export
declare -x CAPHINT1="/usr/local/task/4ed979753715fe903eec0b517cd1a556"
declare -x G_BROKEN_FILENAMES="1"
declare -x HISTCONTROL="ignoredups"
declare -x HISTSIZE="1000"
declare -x HOME="/home/task"
declare -x HOSTNAME="c6-ctf"
...

bash-4.1$ cat /usr/local/task/4ed979753715fe903eec0b517cd1a556
cat: /usr/local/task/4ed979753715fe903eec0b517cd1a556: Permission denied

bash-4.1$ ls -la /usr/local/task/4ed979753715fe903eec0b517cd1a556
-rw-------+ 1 root root 395 Feb 1 18:15 /usr/local/task/4ed979753715fe903eec0b517cd1a556

bash-4.1$ getfacl /usr/local/task/4ed979753715fe903eec0b517cd1a556
getfacl: Removing leading '/' from absolute path names
# file: usr/local/task/4ed979753715fe903eec0b517cd1a556
# owner: root
# group: root
user::rw-
user:task:r-- #effective:---
group::---
mask::---
other::---

bash-4.1$ sudo -l
Matching Defaults entries for task on this host:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User task may run the following commands on this host:
(ALL) NOPASSWD: /var/lib/yum/yumdb/c/captain1 *
(ALL) NOPASSWD: /bin/rm -f /home/task/.bashrc
(ALL) NOPASSWD: /usr/bin/setfacl -m u\:task\:r /usr/local/task/[a-zA-Z0-9]*, (ALL) !/usr/bin/setfacl -m [a-z\:]* /usr/local/task/[a-zA-Z0-9]* *

bash-4.1$ sudo setfacl -m u:task:r /usr/local/task/4ed979753715fe903eec0b517cd1a556; cat /usr/local/task/4ed979753715fe903eec0b517cd1a556
Hey, I have something for you
FLAG:ef2e911df1c0f4254135cc70cb8a5c84
Take it and do not miss
But Detcelfer virtually ruined my mind
Everyday I often send a message...
But is seems like throwing a bottle in the ocean
I forgot what and where I send
Look here:
/var/cache/man/cap1 ... /var/cache/man/cap6
That's all I remember. It may be dealt with networks.
Sincerely, your CAP... CAP... CAP...

Leave a Comment

Your email address will not be published.

Лимит времени истёк. Пожалуйста, перезагрузите CAPTCHA.