Note: If you're interested in actually doing these challenges, check out this post on
how to get the environment set up.
It’s no coincidence this challenge is called Terminal Situation: we have a
terminal sitting right in front of us.
help to see if it will give us a prompt.
We notice a command auth which takes a password to authenticate as an
administrator. We also notice that using ln is a privileged command, which
indicates we need to become an administrator.
Performing an “ls -h”, showing hidden files, reveals
The password for the authentication is going to be stored in
we have no way of reading files. We do, however, have a method of writing and
rm .passwd: Delete the passwd file so we can re-write it
log .passwd: Log the next command’s output into .passwd
ls : This outputs
auth bin: Using our new password, bin, we log in.
Okay, so now we can fiddle around with the ln command. Let’s take a look at
what’s in the
The only file we have write access to is id.sh. Let’s see if we can write
arbitrary commands into it:
I’m not surprised. What if we create a symbolic link to the script and try log
Perfect. Now let’s set up the command we want to run when we invoke id. We can
write arbitrary commands using ls provided the file exists, so we create
the command we want:
Our command to write will be bash<.flag. We now need to write this into the
And thanks to bash’s useful error messages, it prints out the flag for us.
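The symbolic-link step above succeeds when a write guard checks the name the user typed rather than the file that name resolves to. The following is an added example, not code from the original post or from the challenge, that puts such a name-based check beside one that resolves the path first; the function names, the link name mylink and the idea that the terminal guards id.sh by name are assumptions.

```python
import os
import tempfile


def naive_allowed(path, protected_names):
    """Flawed guard: compares only the name the user typed."""
    return os.path.basename(path) not in protected_names


def hardened_allowed(path, protected_paths):
    """Resolve symlinks on both sides, then compare real paths."""
    real = os.path.realpath(path)
    return real not in {os.path.realpath(p) for p in protected_paths}


def safe_write(path, data, protected_paths):
    """Write only if the resolved target is allowed; O_NOFOLLOW also refuses
    to open a path whose final component is a symlink."""
    if not hardened_allowed(path, protected_paths):
        return False
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True


def demo():
    """Constructed sandbox: a protected script and a symlink pointing at it."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "id.sh")
        link = os.path.join(d, "mylink")  # hypothetical link name
        with open(script, "w") as fh:
            fh.write("id\n")
        os.symlink(script, link)
        results = {
            "naive_direct": naive_allowed(script, {"id.sh"}),
            "naive_link": naive_allowed(link, {"id.sh"}),
            "hardened_link": hardened_allowed(link, [script]),
            "write_link": safe_write(link, "x\n", [script]),
            "write_new": safe_write(os.path.join(d, "notes"), "x\n", [script]),
        }
        with open(script) as fh:
            results["script_intact"] = fh.read() == "id\n"
        return results
```

Resolving the path does not cover hard links to the protected file; comparing device and inode numbers of the opened descriptor closes that case.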