Filed under D-CTF 2014.

#### Disclaimer

This CTF involved a lot of guessing, and please note that other challenges were of far lower quality. Reader beware.

To start this challenge, you had to solve Exploitation 300, which consisted of googling a public webapp vulnerability.

Once you’ve got a shell as the web user, you’ll see `e4.hint` in the root dir. This file prints `You can't kill a ghost!`, where ghost is the name of a process that can be seen listening on a port with `netstat -anop`.

Taking the name ghost, we can run `find / -name "ghost"` to see that there are many temporary files on the system named `ghost.pid.tmp` but with zero size. There is one that is a few kB, in `/tmp/`. Pop this binary into IDA…

*(screenshot: disasm from ghost)*

There’s a `strcmp` and two code paths immediately obvious. We don’t want it to say “GTFO,” so what is it printing out on the other path? Looking at the assembly, it shows references to the unicode (i.e., two bytes per character) string `SUPERLINXJA` plus an offset, so it’s building the output string character by character.
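The reason the flag doesn't show up in a plain `strings` run is that it is stored two bytes per character, so every second byte is a null. The script below is an added example (not code from the original post, and not the real `ghost` binary): it scans a constructed sample blob for ASCII runs and for UTF-16LE runs separately, reports the file offset of each wide string, and shows how indexing "string plus an offset" maps to `base + 2*index` when the binary assembles the output one character at a time. The blob contents, the `SAMPLE_BLOB` name and the helper names are all assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample "binary": a fake ELF header, an ASCII string,
# some filler, a UTF-16LE string, and a wide string too short to report.
# This is NOT the real ghost binary from the challenge.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8     # offsets 0..15
    + b"GTFO\x00"                                 # offset 16, ASCII
    + b"\x90\x90\xcc"                             # offset 21, filler
    + "SUPERLINUXNINJA".encode("utf-16-le")       # offset 24, wide string
    + b"\x00\x00"                                 # wide NUL terminator
    + b"\xde\xad\xbe\xef"
    + "hi".encode("utf-16-le")                    # only 2 chars: ignored
)


def extract_ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes (what `strings` prints)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_wide_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Runs of UTF-16LE basic-Latin characters (printable byte, zero byte)
    of at least min_len characters, returned as (offset, text) pairs.
    This is what `strings -el` looks for and a plain `strings` misses."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]


def wide_char_at(data: bytes, base: int, index: int) -> str:
    """Character `index` of the wide string at `base`: two bytes per character,
    so a reference to `string + 2*index` in the disassembly is this lookup."""
    start = base + 2 * index
    return data[start:start + 2].decode("utf-16-le")


def rebuild_wide_string(data: bytes, base: int) -> str:
    """Walk a wide string character by character until the 00 00 terminator,
    the same way the binary assembles its output from `base + offset`."""
    out = []
    index = 0
    while True:
        ch = data[base + 2 * index:base + 2 * index + 2]
        if len(ch) < 2 or ch == b"\x00\x00":
            return "".join(out)
        out.append(ch.decode("utf-16-le"))
        index += 1


if __name__ == "__main__":
    print("ascii:", extract_ascii_strings(SAMPLE_BLOB))
    for offset, text in extract_wide_strings(SAMPLE_BLOB):
        print(f"wide @ {offset:#x}: {text}")
        print("rebuilt:", rebuild_wide_string(SAMPLE_BLOB, offset))
```

Running it against a real file is just a matter of replacing `SAMPLE_BLOB` with `open(path, "rb").read()`; the offset printed for each wide string is the address you would look for as the base of the `string + offset` references in the disassembly.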

Of course, SUPERLINUXNINJA is the flag. Thanks for the quality exploitation challenge, Defcamp 👍💯. (The intended solution was finding a way to read it from `/proc/pid/mem` even though it’s run as a different user, which is also not exploitation.)