Post

The Shell

Posted
By Ramages 2 min read

This is a writeup of the network challenge The shell from the Security Valley CTF

Level: 1, Score: 5

Premise

There is pcapng file. Can you reveal the flag ?

Link: https://github.com/SecurityValley/PublicCTFChallenges/tree/master/network/the_shell

Challenge files:

rev_shell.pcapng

Observations

We open the file in wireshark and see a single TCP stream

Solution

When we follow the TCP stream, we can see the following content

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

whoami
aicdev
$ ls -la
total 128
drwxr-x--- 19 aicdev aicdev 4096 Okt 19 20:13 .
drwxr-xr-x 3 root root 4096 Jul 25 10:56 ..
-rw------- 1 aicdev aicdev 2065 Sep 12 15:17 .bash_history
-rw-r--r-- 1 aicdev aicdev 220 Jul 25 10:56 .bash_logout
-rw-r--r-- 1 aicdev aicdev 3771 Jul 25 10:56 .bashrc
drwx------ 14 aicdev aicdev 4096 Aug 24 15:35 .cache
drwx------ 14 aicdev aicdev 4096 Aug 24 15:38 .config
drwxr-xr-x 2 aicdev aicdev 4096 Jul 25 11:05 Desktop
drwxr-xr-x 2 aicdev aicdev 4096 Jul 25 11:05 Documents
drwxr-xr-x 3 aicdev aicdev 4096 Jul 29 08:32 Downloads
-rw-rw-r-- 1 aicdev aicdev 28 Okt 19 20:13 flag.txt
drwx------ 2 aicdev aicdev 4096 Aug 24 14:23 .gnupg
drwxrwxr-x 5 aicdev aicdev 4096 Aug 24 15:27 go
drwx------ 3 aicdev aicdev 4096 Jul 25 11:05 .local
drwxr-xr-x 2 aicdev aicdev 4096 Jul 25 11:05 Music
drwxrwxr-x 4 aicdev aicdev 4096 Aug 24 15:40 .npm
drwxr-xr-x 3 aicdev aicdev 4096 Jul 25 11:42 Pictures
-rw-r--r-- 1 aicdev aicdev 844 Jul 25 11:41 .profile
drwxr-xr-x 2 aicdev aicdev 4096 Jul 25 11:05 Public
drwx------ 3 aicdev aicdev 4096 Jul 25 11:39 snap
drwx------ 2 aicdev aicdev 4096 Jul 25 11:07 .ssh
-rw-r--r-- 1 aicdev aicdev 0 Jul 25 11:07 .sudo_as_admin_successful
drwxr-xr-x 2 aicdev aicdev 4096 Jul 25 11:05 Templates
-rw-r----- 1 aicdev aicdev 5 Okt 19 20:09 .vboxclient-clipboard.pid
-rw-r----- 1 aicdev aicdev 6 Okt 19 20:09 .vboxclient-display-svga-x11.pid
-rw-r----- 1 aicdev aicdev 5 Okt 19 20:09 .vboxclient-draganddrop.pid
-rw-r----- 1 aicdev aicdev 5 Okt 19 20:09 .vboxclient-seamless.pid
drwxr-xr-x 2 aicdev aicdev 4096 Jul 25 11:05 Videos
drwxr-xr-x 4 aicdev aicdev 4096 Aug 24 14:52 .vim
-rw------- 1 aicdev aicdev 9897 Okt 19 20:13 .viminfo
-rw-rw-r-- 1 aicdev aicdev 2724 Aug 24 15:44 .vimrc
$ cat flag.txt
SecVal{[REDACTED]}
$ exit

So we immediately have our flag.

Tools used:

  • wireshark
SecurityValley, Network
Network CTF SecurityValley
This post is licensed under CC BY 4.0 by the author.