“Knock knock knocking on shuttles door” (Challenge Writeup) — Hacky Holidays Space Race 2021 CTF

Leonardo Uzcategui
5 min read, Jul 27, 2021

We chose for the writeup the challenges that, from our point of view, were novel and ingenious. This one, called “Knock knock knocking on shuttles door”, is a fairly complete challenge that combines several techniques in its solution (Web, Networking and Privilege Escalation).

Some Background

What was Hacky Holidays?

Hacky Holidays was an online CTF game where players could test and improve their skills with all sorts of challenges (technical puzzles) related to cybersecurity and emerging technologies. It was proudly featured on Deloitte’s excellent Hackazon platform. More info about the event is here.

Knock knock knocking on shuttles door.

Points: 200, Difficulty: Medium

Challenge Information

— This challenge used Hackazon platform backend systems that had to be started before solving could begin.
— A VPN connection was necessary to access this challenge.
— This challenge had three flags to get.
— This challenge had a file for download (ChallengeWordlist.txt).

Flag # 1 Let me in

We found a web server at 10.6.0.2… you may need the wordlist attached to this challenge.
Which doors should I knock? Note: enter them comma (,) separated in the order you found them, example ctf{num1,num2,num3,num4}

Information Gathering

Nmap
We begin our reconnaissance by running an Nmap scan with the default scripts, which also checks for known vulnerabilities.

From the above output, we can see that only port 80 (HTTP) was open, so we decided to find out more about this service by running some web content enumeration tools, taking advantage of the wordlist they gave us (ChallengeWordlist.txt).

Dirb
DIRB is a web content scanner. It looks for existing (and/or hidden) web objects by launching a dictionary-based request series against a web server and analyzing the responses.

Dirb shows us a finding: http://10.6.0.2/WhoIsThere/
We point our browser to that address and we get the following…

We click on that link and we get…

From the description of flag # 1, we know that the format of the flag is
ctf{num1,num2,num3,num4}
so we already have flag # 1:

ctf{1337,68,61,78}

Flag # 2 Do you have remote access yet?

Gain remote access to the system using that open door

Gain Access

At this point, we have several clues that will help us gain access to the system. The description of flag # 1 and the hidden file in the web directory indicate that the host uses port knocking, and that the numbers found in the file are the activation sequence (the ports that must be hit, in order, before the service opens). Therefore we proceed as follows:

After executing the knock, we do another port scan and we get this:

Now we know that port 2021 is open. We connect to this port with Netcat, gain access as the spaceotter user, and get the second flag.

ctf{we_have_lift_off}

Flag # 3 We need full control

Can you gain further control?

Privilege Escalation

Before starting with the privilege escalation we need a fully interactive TTY; for that, we follow the steps described here.

We start by listing the system users, for which we check the /etc/passwd file.

The description of flag # 3 tells us to “gain further control”, and there is a user named “control”. From this we deduce that what we must do is a lateral movement to that user. For that, we proceed with different information-gathering techniques: running sudo -l, looking for SUID programs, reviewing the cron jobs, among others.

The review of the cron jobs was successful: there is a particular job (/etc/cron.d/cronJob) that executes a script (/opt/safetyCheck.sh) which has read, write, and execute permissions (777) for all users of the system. Since any user can modify the script, whatever is written into it runs with the privileges of the cron job’s user the next time it fires.

The technique used in the attack is known as “cron script overwriting”, as described in detail here.

We wait a few minutes and that’s it.

The file /tmp/rootbash is created; now we just execute it, we are the “control” user, and we get flag number 3!

ctf{sudoToTheMoon}
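The misconfiguration behind flag # 3 is easy to catch before anyone exploits it. The following is an added example (not part of the original writeup, and not the challenge's own files) of a small audit that parses /etc/cron.d-style entries and reports any job whose executable is world-writable; it builds its own throwaway scripts, so the paths and the cron table contents are constructed for the demo.

```python
import os
import stat
import tempfile


def parse_cron_d(text):
    """Yield (user, command) for each job line in /etc/cron.d format:
    five time fields, a user name, then the command. Comments, blank
    lines and VAR=value lines are skipped; @reboot-style lines are
    ignored for brevity (they have fewer fields)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]


def audit(text):
    """Return (user, path, mode) for every job whose executable is
    world-writable: any local user could replace its contents and have
    cron run them as the job's user (the flag # 3 scenario)."""
    findings = []
    for user, command in parse_cron_d(text):
        path = command.split()[0]
        if not os.path.isabs(path):
            continue  # relative names resolve via cron's PATH; out of scope
        try:
            mode = os.stat(path).st_mode
        except OSError:
            continue  # missing target: nothing to overwrite
        if mode & stat.S_IWOTH:
            findings.append((user, path, oct(stat.S_IMODE(mode))))
    return findings


def demo():
    """Create two temporary scripts (mode 777 and 755) and audit a
    constructed cron table that runs both as root; only the 777 one
    should be reported."""
    d = tempfile.mkdtemp()
    weak, ok = os.path.join(d, "safetyCheck.sh"), os.path.join(d, "backup.sh")
    for p, mode in ((weak, 0o777), (ok, 0o755)):
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)
    table = ("# m h dom mon dow user command\nSHELL=/bin/sh\n"
             f"* * * * * root {weak}\n0 3 * * * root {ok} --full\n")
    return audit(table)


if __name__ == "__main__":
    for user, path, mode in demo():
        print(f"world-writable cron target {path} (mode {mode}) runs as {user}")
```

On a real host, feed audit() the concatenated contents of /etc/cron.d/* (and the system crontab) and fix any hit with chmod o-w and a root-owned copy.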

I really enjoyed this challenge because its solution requires the use of different techniques that are used by Red Teams around the world. It is also necessary to study and put into practice the steps (Information Gathering, Gaining Access, and Privilege Escalation) that are used in almost every pentest.

If you have other solutions and/or any questions, comments are welcome.

You can find me on:

Blog: https://leonuz.github.io/
LinkedIn: https://ve.linkedin.com/in/leonuz


Leonardo Uzcategui

Cybersecurity Specialist, Networking and Linux. CTF Occasional Player