HeroCTF v3 — System Write-up : PrivesCorp #4: Go Deep

PrivesCorp #4: Go Deep

The layoff list was leaked… The reponsible hr was let go, but before that, he barricaded very important information on his account. If you could get to it, there would probably be a promotion in sight. Your credentials on PrivesCorp’s network -> bob:password123
ssh bob@chall0.heroctf.fr -p 5004 # password : password123
ssh bob@chall0.heroctf.fr -p 5004 please # password : password123
That’s better, but what’s the magik word ?
Traceback (most recent call last):
File “/home/bob/shell.py”, line 32, in <module>
if(ssh_arg[3]+ssh_arg[4]+ssh_arg[5] != chr(97)+chr(109)+chr(101) or re.match(re.compile(“^[^A-RT-Za-z0–9]e[s].$”), ssh_arg[0]+ssh_arg[1]+ssh_arg[2]+ssh_arg[3]) == None):
IndexError: string index out of range
ssh bob@chall0.heroctf.fr -p 5004 Sesame # password : password123
Hmmm I should have bariccaded myself better then that… Now that you are here, you can’t get out, so it doesn’t matter ;). I made sure the document is well hidden./===================\
|| Welcome to jail ||
|| | | | |H| | | | ||
bob@godeep >
> didirr()
— -> dir()
[‘TO_KEEP’, ‘_86924’, ‘__annotations__’, ‘__builtins__’, ‘__cached__’, ‘__doc__’, ‘__file__’, ‘__loader__’, ‘__name__’, ‘__package__’, ‘__spec__’, ‘argv’, ‘clear_vars’, ‘cmd’, ‘flag’, ‘forbidden’, ‘re’, ‘res’, ‘ssh_arg’, ‘vars’]
— -> TO_KEEP
{‘__name__’: ‘__main__’,
‘ssh_arg’: ‘Sesame’, ‘forbidden’: [‘TO_KEEP’, ‘dir’, ‘flag’, ‘_86924’, ‘secret/879.txt’], ‘TO_KEEP’: {}, ‘flag’: ‘fake{NOP_LOL}’, ‘clear_vars’: <function clear_vars at 0x7f76e9e21040>}
flaflagg = _869_8692424 # ou flaflagg = "secret/secret/879.txt879.txt"
---> flag=_86924
<built-in function open>
---> flag("secret/879.txt").read()



French CTF team

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store