rparodi/snow-crash
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
snow-crash/maiboyer/level00/README.md

77 lines
2 KiB
Markdown
Raw Permalink Blame History

# Level 00
## how to login
username: level00
password: level00
## Goal
run `getflag` as user `flag00`
## Actually doing something
When logging in, nothing to see
```sh
level00@SnowCrash:~$ ls -la .
total 12
dr-xr-x---+ 1 level00 level00 100 Mar 5 2016 .
d--x--x--x 1 root users 340 Aug 30 2015 ..
-r-xr-x---+ 1 level00 level00 220 Apr 3 2012 .bash_logout
-r-xr-x---+ 1 level00 level00 3518 Aug 30 2015 .bashrc
-r-xr-x---+ 1 level00 level00 675 Apr 3 2012 .profile
```
Trying to find anything to do:
```sh
level00@SnowCrash:~$ find / -user flag00 -print 2>/dev/null
/usr/sbin/john
/rofs/usr/sbin/john
```
The `/rofs` seems to be a read only version of the root (`/`), meaning that we dont really care about it
running `file` on `/usr/sbin/john` says that it is an ASCII file
lets open it
```bash
level00@SnowCrash:~$ cat /usr/sbin/john
cdiiddwpgswtgt
```
lets also confirm that the `/usr/sbin/john` and `/rofs/usr/sbin/john` is the same
```bash
level00@SnowCrash:~$ sha256sum /rofs/usr/sbin/john /usr/sbin/john
c36e744787ff060c5711ac4b5d06439a9f265169fb82946a8d1052f4a935103e /rofs/usr/sbin/john
c36e744787ff060c5711ac4b5d06439a9f265169fb82946a8d1052f4a935103e /usr/sbin/john
```
They are indeed the same. I have fiddled with the iso itself, and it uses a readonly filesytem to store everything,
so this seems to be how they still have some kind of "normal" system
We now have something that looks like it wants us poke at it (the text).
The file itself isn't executable (even if it is in `/usr/sbin/`)
Cyberchef is a nice tool to fiddle with random ciffers, so lets have fun :D
link: [https://cyberchef.org/](https://cyberchef.org/)
After having fun with the website, we can see that with a ROT11 (also named Caesar substitution), we find some english text:
```
nottoohardhere
```
is it the password of the user `flag00` ?
```bash
level00@SnowCrash:~$ su flag00
Password:
Don't forget to launch getflag !
flag00@SnowCrash:~$ getflag
Check flag.Here is your token : x24ti5gi3x0ol2eh4esiuxias
```
yes it is !
Reference in a new issue View git blame Copy permalink