# Red Team Activity 4
- 381 Points / 109 Solves
## Background
Q4: Which binary (full path to binary) was _**modified**_ by redteam to _**later**_ escalate privileges?
Note: Flag format is `RS{MD5sum(<answer string>)}`
## Find the flag
**In this challenge, we can download a file:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-4)-[2023.04.01|18:17:58(HKT)]
└> file auth.log
auth.log: ASCII text, with very long lines (1096)
```
As you can see, it's `auth.log`, a Linux log file that stores **system authorization information, including user logins and the authentication mechanisms that were used.**
Since the challenge's question is asking about privilege escalation, we can search the log for traces of common privilege escalation techniques, such as SUID binaries, sudo permissions, a writable `/etc/passwd` and more.
**After some searching, I found this:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-4)-[2023.04.01|18:20:13(HKT)]
└> grep 'chmod' auth.log
[...]
Mar 25 21:15:32 ctf-1 snoopy[15105]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: chmod u+s /usr/bin/find
[...]
```
In here, ***the `/usr/bin/find` binary has had the SUID (setuid) bit added***, so any user who executes it runs it with the privileges of the file's owner. In this case, the owner is root.
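The grep above works because `snoopy` records every executed command with the uid that ran it. The script below, an added example rather than anything from the writeup, parses lines in that snoopy format and flags `chmod` invocations that add the setuid or setgid bit, in either symbolic (`u+s`) or four-digit octal (`4755`) form, so a defender can pull privilege-escalation setup out of a large `auth.log` without eyeballing it. The `chmod u+s /usr/bin/find` line is the one quoted above; the surrounding log lines are constructed for illustration. It also applies the challenge's `RS{MD5sum(<answer string>)}` flag format to a path.

```python
import hashlib
import re
import shlex

# Constructed sample in snoopy's logging format. The "chmod u+s /usr/bin/find" line is the one
# quoted in the writeup; the other lines are made up here to give the detector something to skip.
SAMPLE_AUTH_LOG = """\
Mar 25 21:14:10 ctf-1 sshd[15001]: Accepted publickey for ubuntu from 10.0.0.5 port 51234 ssh2
Mar 25 21:15:01 ctf-1 snoopy[15090]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: ls -la /usr/bin
Mar 25 21:15:32 ctf-1 snoopy[15105]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: chmod u+s /usr/bin/find
Mar 25 21:16:02 ctf-1 snoopy[15120]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: chmod 4755 /usr/local/bin/helper
Mar 25 21:16:40 ctf-1 snoopy[15133]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: chmod 644 /etc/motd
"""

# One snoopy line: "<timestamp> <host> snoopy[<pid>]: [<context fields>]: <command line>"
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+snoopy\[(?P<pid>\d+)\]:\s+"
    r"\[(?P<ctx>[^\]]*)\]:\s+(?P<cmd>.*)$"
)
UID_RE = re.compile(r"uid:(\S+)")


def parse_snoopy(line):
    """Return the fields of one snoopy line as a dict, or None if the line is not snoopy output."""
    m = SNOOPY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    uid = UID_RE.search(rec["ctx"])
    rec["uid"] = uid.group(1) if uid else None
    return rec


def sets_setuid_or_setgid(mode):
    """True if a chmod mode argument adds the setuid or setgid bit (symbolic or octal form)."""
    if re.fullmatch(r"[0-7]{4}", mode):
        return int(mode[0]) & 0o6 != 0  # leading digit: 4 = setuid, 2 = setgid, 1 = sticky only
    if re.fullmatch(r"[0-7]{1,3}", mode):
        return False  # three-digit octal cannot carry setuid/setgid
    for clause in mode.split(","):  # symbolic modes may be comma-separated, e.g. "u+s,g+s"
        m = re.fullmatch(r"[ugoa]*([+=])([rwxXst]*)", clause)
        if m and "s" in m.group(2):
            return True
    return False


def find_suid_changes(log_text):
    """Return every chmod recorded by snoopy that adds setuid/setgid, with who ran it and on what."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_snoopy(line)
        if rec is None:
            continue
        try:
            argv = shlex.split(rec["cmd"])
        except ValueError:
            continue  # unbalanced quotes in the logged command line; skip rather than crash
        if not argv or argv[0].rsplit("/", 1)[-1] != "chmod":
            continue
        args = [a for a in argv[1:] if not a.startswith("-")]  # drop options such as -R
        if len(args) < 2 or not sets_setuid_or_setgid(args[0]):
            continue
        findings.append({"ts": rec["ts"], "uid": rec["uid"], "mode": args[0], "paths": args[1:]})
    return findings


def flag_for(answer):
    """Apply the challenge's flag format RS{MD5sum(<answer string>)} to an answer string."""
    return "RS{" + hashlib.md5(answer.encode()).hexdigest() + "}"


if __name__ == "__main__":
    for f in find_suid_changes(SAMPLE_AUTH_LOG):
        print(f"{f['ts']} uid={f['uid']} chmod {f['mode']} {' '.join(f['paths'])}")
    print(flag_for("/usr/bin/find"))
```

Run it against a real `auth.log` by replacing `SAMPLE_AUTH_LOG` with the file's contents; the `chmod 644 /etc/motd` line is deliberately ignored, while the octal `4755` form is caught even though a plain `grep 'u+s'` would miss it.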
**MD5 hash the answer:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-4)-[2023.04.01|18:20:29(HKT)]
└> echo -n '/usr/bin/find' | md5sum
7fd5884f493f4aaf96abee286ee04120 -
```
- **Flag: `RS{7fd5884f493f4aaf96abee286ee04120}`**