Rating: 4.0
# Chm0d
## Background
Catch-22: a problematic situation for which the only solution is denied by a circumstance inherent in the problem.
Credentials: `user:password123`
> Deploy on [deploy.heroctf.fr](https://deploy.heroctf.fr/)
Format : **Hero{flag}**
Author : **Alol**
## Enumeration
**In this challenge, we can SSH into `user`:**
```shell
┌[siunam♥earth]-(~/ctf/HeroCTF-v5/System/Chm0d)-[2023.05.13|15:31:37(HKT)]
└> ssh user@dyn-01.heroctf.fr -p 10937
[...]
user@dyn-01.heroctf.fr's password:
[...]
user@abd21caf673f9e58806b515153437124:~$ whoami;hostname;id
user
abd21caf673f9e58806b515153437124
uid=1000(user) gid=1000(user) groups=1000(user)
```
**In `/`, we can see there's a `flag.txt`:**
```shell
user@abd21caf673f9e58806b515153437124:~$ ls -lah /flag.txt
---------- 1 user user 40 May 12 11:43 /flag.txt
```
However, it's permission is set to nothing (`----------`).
**Hmm... Can we use the `chmod` binary to change it's permission?**
```shell
user@abd21caf673f9e58806b515153437124:~$ ls -lah /bin/chmod
---------- 1 root root 63K Sep 24 2020 /bin/chmod
```
Uhh... What? We can't use `/bin/chmod`...
Now, I wonder if we can **transfer the `chmod` binary...**
However, I tried to find a static version of `chmod` or trying to get `busybox` to the instance machine, no dice...
**After fumbling around, I started to search: "linux chmod alternative", and I found [this StackExchange](https://unix.stackexchange.com/questions/83862/how-to-chmod-without-usr-bin-chmod) post:**
**Ah ha! Does `perl` exist in the instance machine?**
```shell
user@66282c22a4a04940a6f4bc1fbf3923e8:~$ which perl
/usr/bin/perl
```
It does!
**Let's change the `/flag.txt` file permission using `perl`!**
```shell
user@66282c22a4a04940a6f4bc1fbf3923e8:~$ perl -e 'chmod 0755, "/flag.txt"'
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
user@66282c22a4a04940a6f4bc1fbf3923e8:~$ ls -lah /flag.txt
-rwxr-xr-x 1 user user 40 May 12 11:44 /flag.txt
```
Nice!! We can now read the flag!
```shell
user@66282c22a4a04940a6f4bc1fbf3923e8:~$ cat /flag.txt
Hero{chmod_1337_would_have_been_easier}
```
- **Flag: `Hero{chmod_1337_would_have_been_easier}`**
## Conclusion
What we've learned:
1. Modifiying File Permission Using Perl