Bad Words
When deploying the challenge container we get a server instance that we can connect to using netcat.
After connecting we get a shell , i started off with some regular enumeration to see what files are present however none of the commands worked and i received weird error messages.
Now my immediate thought was to try and spawn a new shell with /bin/bash and to my surprise it actually worked…
Jed Sheeran
Description:
Oh we have another fan with a budding music career! Jed Sheeran is seemingly trying to produce new songs based off of his number one favorite artist… but it doesn’t all sound so good. Can you find him?
So almost always when doing osint i start off with a basic google search.
The Description gave the hint that Jed is working on some new music so soundcloud seems like a fitting place to find out more about him!
We can see that he has one tracked released that plays morse code like sounds however that isn’t the solution. When clicking on the song maybe we can see a description and more information…
Aaaaand we can see more information as well as the flag!
Shelle
Description: Professor Shelle created a custom psuedo shell for us to learn Linux, she believes it’s safe and no one can ever read the flag. Can you prove her wrong?
After connecting to the Server we are greated with a little text explaining that we are in a limited shell that is supposed to help us learn about basic linux functionality.
We can use “help” to get a list of commands available to us.
Okay so lets use them to do some really basic enumeration.
I didn’t use all commands but you get the idea of what we got here. In the assignment.txt we find out that the flag is in /opt/flag.txt and a bunch of explanations for the available commands as well as some basic linux questions which both aren’t really relevant for us so i will save you from reading it :))
When trying to read the flag we receive an odd error message stating that we are not allowed to use “/” So i decided to try a bunch of special chars.
I figured that \ and $ are still working. My first attepmt was to try and use \ instead of / but that didn’t work out. So the $ implies that we should be able to still use system variables which often contain paths and we might be able to use that for our advantage! Now using the “export” command i listed some of the variables.
And it worked!
Now we can see the declare command on the side which i haven’t seen so far and i tried running that… and I got more then i expected!
The first variable is BASH and it refers to /bin/bash which is exactly what we need to break out of the limited shell!
Now we hav an unrestricted shell and can grab the flag!