Category: pwn
Points: 150
First we’ll have to go to a web page to start our challenge session. The page will show us the port (same IP address with the web page) and the ID/password.
Once we connected to the remote host and login the machine, we’ll found that we’re inside a Slackware Linux:
1
2
3
4
5
6
7
8
9
10
11
$ nc 78.46.224.70 2323
Welcome to Linux 0.99pl12.
slack login: challenge
Password:challenge
Linux 0.99pl12. (Posix).
No mail.
slack:~$ uname -a
Linux slack 0.99.12 #6 Sun Aug 8 16:02:35 CDT 1993 i586
Later we’ll found that there’s a flag.txt inside the root directory:
1
2
slack:/$ ls -al /flag.txt
-r-------- 1 root root 36 Dec 27 1916 /flag.txt
Looks like we’ll need a local root exploit to capture the flag.
By googling “slackware linux 0.99 local root exploit”, we found a working PoC. Now all we need to do is copy the PoC to the remote host, then compile & execute the exploit so we can escalate to root.
Although it looks simple, it still took me a while to complete the challenge, since there’s no tool that can help us download the PoC to the host – no wget, no curl, not even nc!! And the vi editor is just terrible!! Finally I decided to use cat <<'EOF' >> test.c + copy & paste to write the exploit into test.c.
After we compile & execute the local root exploit, we’re able to escalate to root and get the flag:
1
2
3
4
5
6
7
8
9
slack:~$ gcc -o test test.c
slack:~$ ./test
[ Slackware linux 1.01 /usr/bin/lpr local root exploit
# id
id
uid=405(challenge) gid=1(other) euid=0(root) egid=18(lp)
# cat /flag.txt
cat /flag.txt
33C3_Th3_0x90s_w3r3_pre3tty_4w3s0m3
flag: 33C3_Th3_0x90s_w3r3_pre3tty_4w3s0m3
Comments powered by Disqus.