First we’ll have to go to a web page to start our challenge session. The page will show us the port (same IP address with the web page) and the ID/password.
Once we connected to the remote host and login the machine, we’ll found that we’re inside a Slackware Linux:
1 2 3 4 5 6 7 8 9 10 11 $ nc 22.214.171.124 2323 Welcome to Linux 0.99pl12. slack login: challenge Password:challenge Linux 0.99pl12. (Posix). No mail. slack:~$ uname -a Linux slack 0.99.12 #6 Sun Aug 8 16:02:35 CDT 1993 i586
Later we’ll found that there’s a
flag.txt inside the root directory:
1 2 slack:/$ ls -al /flag.txt -r-------- 1 root root 36 Dec 27 1916 /flag.txt
Looks like we’ll need a local root exploit to capture the flag.
By googling “slackware linux 0.99 local root exploit”, we found a working PoC. Now all we need to do is copy the PoC to the remote host, then compile & execute the exploit so we can escalate to root.
Although it looks simple, it still took me a while to complete the challenge, since there’s no tool that can help us download the PoC to the host – no
curl, not even
nc!! And the
vi editor is just terrible!! Finally I decided to use
cat <<'EOF' >> test.c + copy & paste to write the exploit into
After we compile & execute the local root exploit, we’re able to escalate to root and get the flag:
1 2 3 4 5 6 7 8 9 slack:~$ gcc -o test test.c slack:~$ ./test [ Slackware linux 1.01 /usr/bin/lpr local root exploit # id id uid=405(challenge) gid=1(other) euid=0(root) egid=18(lp) # cat /flag.txt cat /flag.txt 33C3_Th3_0x90s_w3r3_pre3tty_4w3s0m3