this CTF involved a lot of guessing, and please note that other challenges were of far lower quality. reader beware.
To start this challenge, you had to solve Exploitation 300. 300 consisted of googling a public webapp vulnerability.
Once you’ve got a shell as the web user, you’ll see
e4.hint in the root dir. This file prints
You can't kill a ghost! where
ghost is the name of a process that can be seen listening on a port with
Taking the name
ghost we can run
find / -name "*ghost"* to see that there are many temporary files on the system with the name
ghost.pid.tmp but zero size. There is one that is a few kb in /tmp/. Pop this binary into IDA…
There’s a strcmp and two code paths immediately obvious. We don’t want it to say “GTFO,” so what is it printing out for the other path? Looking at the assembly, it shows references to the unicode(i.e., two bytes per character) string
SUPERLINXJA plus an offset, so it’s building the string to output character by character.
SUPERLINUXNINJA is the flag. Thanks for the quality exploitation challenge, Defcamp
/proc/pid/mem even though it’s run as a different user, which is also not exploitation)