{"id":138,"date":"2022-12-06T01:02:39","date_gmt":"2022-12-06T01:02:39","guid":{"rendered":"https:\/\/blogs.oregonstate.edu\/paul\/?p=138"},"modified":"2022-12-06T01:02:39","modified_gmt":"2022-12-06T01:02:39","slug":"writeup-no_util","status":"publish","type":"post","link":"https:\/\/blogs.oregonstate.edu\/paul\/2022\/12\/06\/writeup-no_util\/","title":{"rendered":"Writeup: no_util"},"content":{"rendered":"\n<p>Our first misc challenge! This one felt reminiscent of overthewire&#8217;s Bandit series, which are a good introduction to the command line.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GNU Coreutils are too bloated.\nThat's why minimalists use Busybox.\nBut the TRUE masters don't even need that.\n\nflag.txt is around here somewhere ~_~\nbut I lost it in this cluttered filesystem o_o\ncan you help me find it? UwU\n\n^-^ ls\nbash: ls: command not found<\/code><\/pre>\n\n\n\n<p>So, we&#8217;ve got nothing to work with besides bash builtins. This is gonna be hard! We unfortunately can&#8217;t mount the filesystem remotely, as the machine we ssh to isn&#8217;t the machine that the challenge is located on. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sshfs noutil@chal.ctf-league.osusec.org:\/ ~\/temp\nnoutil@chal.ctf-league.osusec.org's password: \nremote host has disconnected<\/code><\/pre>\n\n\n\n<p>So! What do we have access to? Tab completion, for loops, echo, cd, variables, globbing, and functions. We can use these bash builtins to build some functionality that might be helpful.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>^-^ cd \/\n^-^ echo *\nbin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var<\/code><\/pre>\n\n\n\n<p>OK, so <code>echo *<\/code> is basically <code>ls<\/code>. From here, we can start recursively jumping around directories and looking for a file named <code>flag.txt<\/code>.<\/p>\n\n\n\n<p>Most recursion requires a function that calls itself, so let&#8217;s start with that.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><code class=\"scrollbarGhostHairline-2LpzZ9 scrollbar-3vVt8d hljs\">function find {\n    find;\n}<\/code><\/code><\/pre>\n\n\n\n<p>\ud83d\udc4d<\/p>\n\n\n\n<p>Now simply write the necessary functionality!<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>function find {\n    for f in *;\n    do if &#091;&#091; -d $f &amp;&amp; ! -L $f ]];\n    then\n        cd \"$f\";\n        find;\n        cd ..;\n    elif &#091; $f == 'flag.txt' ] \n    then \n        echo `pwd`\/$f;\n    fi;\ndone<\/code><\/pre>\n\n\n\n<p>Line by line:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>function find {\n    for f in *; # Loop through all files in current directory\n    do if &#091;&#091; -d $f &amp;&amp; ! -L $f ]]; # If is a directory and not a symbolic link\n    <\/code><\/pre>\n\n\n\n<p>We don&#8217;t want to follow symbolic links, as that could lead to infinite loops, as well as breaking our depth-first search.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>elif &#091; $f == 'flag.txt' ] \nthen \n    echo `pwd`\/$f;\nfi;<\/code><\/pre>\n\n\n\n<p>Our base case! This is pretty self explanatory.<\/p>\n\n\n\n<p>So, what does this function do when run? <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>^-^ find\nbash: &#091;: too many arguments\n\/usr\/lib\/share\/misc\/flag.txt<\/code><\/pre>\n\n\n\n<p>Nice! Let&#8217;s print it out by reading the contents and &#8220;executing&#8221; them.  <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$(&lt;\/usr\/lib\/share\/misc\/flag.txt)\nbash: osu{b4$h_i5_p1en7y}: command not found<\/code><\/pre>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our first misc challenge! This one felt reminiscent of overthewire&#8217;s Bandit series, which are a good introduction to the command line. So, we&#8217;ve got nothing to work with besides bash builtins. This is gonna be hard! We unfortunately can&#8217;t mount the filesystem remotely, as the machine we ssh to isn&#8217;t the machine that the challenge &hellip; <a href=\"https:\/\/blogs.oregonstate.edu\/paul\/2022\/12\/06\/writeup-no_util\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Writeup: no_util<\/span><\/a><\/p>\n","protected":false},"author":11809,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-138","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/users\/11809"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/comments?post=138"}],"version-history":[{"count":1,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/138\/revisions"}],"predecessor-version":[{"id":139,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/138\/revisions\/139"}],"wp:attachment":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/media?parent=138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/categories?post=138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/tags?post=138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}