Level 00
How to log in
username: level00
password: level00
Goal
Run getflag as user flag00
Actually doing something
After logging in, there is nothing to see:
level00@SnowCrash:~$ ls -la .
total 12
dr-xr-x---+ 1 level00 level00 100 Mar 5 2016 .
d--x--x--x 1 root users 340 Aug 30 2015 ..
-r-xr-x---+ 1 level00 level00 220 Apr 3 2012 .bash_logout
-r-xr-x---+ 1 level00 level00 3518 Aug 30 2015 .bashrc
-r-xr-x---+ 1 level00 level00 675 Apr 3 2012 .profile
Trying to find anything to do:
level00@SnowCrash:~$ find / -user flag00 -print 2>/dev/null
/usr/sbin/john
/rofs/usr/sbin/john
/rofs seems to be a read-only version of the root (/), so we don't really care about it.
Running file on /usr/sbin/john says that it is an ASCII file.
Let's open it:
level00@SnowCrash:~$ cat /usr/sbin/john
cdiiddwpgswtgt
Let's also confirm that /usr/sbin/john and /rofs/usr/sbin/john are the same:
level00@SnowCrash:~$ sha256sum /rofs/usr/sbin/john /usr/sbin/john
c36e744787ff060c5711ac4b5d06439a9f265169fb82946a8d1052f4a935103e /rofs/usr/sbin/john
c36e744787ff060c5711ac4b5d06439a9f265169fb82946a8d1052f4a935103e /usr/sbin/john
They are indeed the same. I have fiddled with the ISO itself, and it uses a read-only filesystem to store everything, so this seems to be how they still have some kind of "normal" system.
We now have something that looks like it wants us to poke at it (the text).
The file itself isn't executable (even though it is in /usr/sbin/).
CyberChef is a nice tool for fiddling with random ciphers, so let's have fun :D link: https://cyberchef.org/
After having fun with the website, we can see that ROT11 (a Caesar substitution with a shift of 11) gives some English text:
nottoohardhere
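The same search can be done offline instead of by hand in CyberChef. The script below is an added example, not part of the original writeup: it tries all 26 Caesar shifts on the string from /usr/sbin/john and ranks the candidates by the share of common English letters. The function names and the scoring heuristic are assumptions made for this illustration.

```python
"""Brute-force every Caesar shift and rank the results by how English they look."""
import string

# Nine most frequent English letters; a crude heuristic chosen for this example.
COMMON = set("etaoinshr")


def rot(text: str, shift: int) -> str:
    """Rotate ASCII letters forward by `shift`; other characters are untouched."""
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    k = shift % 26
    table = str.maketrans(
        lower + upper,
        lower[k:] + lower[:k] + upper[k:] + upper[:k],
    )
    return text.translate(table)


def score(candidate: str) -> float:
    """Fraction of letters in `candidate` that belong to COMMON."""
    letters = [c for c in candidate.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in COMMON for c in letters) / len(letters)


def rank_shifts(ciphertext: str) -> list[tuple[float, int, str]]:
    """Return (score, shift, plaintext) for all 26 shifts, best score first."""
    candidates = []
    for k in range(26):
        plain = rot(ciphertext, k)
        candidates.append((score(plain), k, plain))
    return sorted(candidates, key=lambda c: (-c[0], c[1]))


if __name__ == "__main__":
    # Ciphertext as shown in the cat output above.
    for s, k, text in rank_shifts("cdiiddwpgswtgt")[:3]:
        print(f"ROT{k:<2} score={s:.2f} {text}")
```

With only 26 possible keys, a rotation cipher adds no protection to a credential stored in a readable file; the ranking just saves reading all 26 lines.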
Is it the password of the user flag00?
level00@SnowCrash:~$ su flag00
Password:
Don't forget to launch getflag !
flag00@SnowCrash:~$ getflag
Check flag.Here is your token : x24ti5gi3x0ol2eh4esiuxias
Yes, it is!