ctf-writeup/RITSEC CTF 2023/Red Team Activity 4
daffainfo 9325852d3a feat: added TSG CTF 2023 2023-11-05 15:59:14 +07:00
..
images feat: added RITSEC CTF 2023 2023-04-02 23:09:27 +07:00
README.md feat: added TSG CTF 2023 2023-11-05 15:59:14 +07:00
auth.log feat: added RITSEC CTF 2023 2023-04-02 23:09:27 +07:00

README.md

Red Team Activity 4

Q4: Which binary (full path to binary) was modified by redteam to later escalate privileges?

Note: Flag format is RS{MD5sum()}

About the Challenge

We were given a log file (You can download the file here) and we need to find the binary files to do privilege escalation

How to Solve?

To do this, I attempted to search the log file using the keyword su redteam to find the redteam user first

redteam

As you can see before redteam user became root that user running this command

find . -exec /bin/sh -p ; quit

If we check on GTFOBins. That command used to spawn shell or to do privilege escalation. Before root user login to as redteam that user change the SUID permission so non-root user such as redteam can use that file to do privilege escalation

suid

Hash the binary name using md5sum. Here is the command

echo -n /usr/bin/find | md5sum

And then wrap the output with RS{.*}

RS{7fd5884f493f4aaf96abee286ee04120}