# Red Team Activity 4

\- 381 Points / 109 Solves

## Background

Q4: Which binary (full path to binary) was _**modified**_ by redteam to
_**later**_ escalate privileges?

Note: Flag format is `RS{MD5sum(<answer string>)}`

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/RITSEC-CTF-2023/images/Pasted%20image%2020230401181729.png)

## Find the flag

**In this challenge, we can download a file:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-4)-[2023.04.01|18:17:58(HKT)]
└> file auth.log
auth.log: ASCII text, with very long lines (1096)
```

As you can see, it's `auth.log`, the Linux log file that stores **system
authorization information, including user logins and the authentication
mechanisms that were used.**

Since the challenge's question asks about privilege escalation, we can look
for common privilege escalation techniques, such as SUID binaries, sudo
permissions, a writable `/etc/passwd`, and more.

**After some searching, I found this:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-4)-[2023.04.01|18:20:13(HKT)]
└> grep 'chmod' auth.log
[...]
Mar 25 21:15:32 ctf-1 snoopy[15105]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: chmod u+s /usr/bin/find
[...]
```

Here, ***the SUID (setuid) bit has been added to `/usr/bin/find`***, so any
user who executes the binary runs it as its owner. In this case, that's root.
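As an added example (not part of the original writeup), the same hunt automated: a small Python scanner for snoopy lines in `auth.log` that flags every `chmod` setting the setuid bit, whether written symbolically (`u+s`) or numerically (`4xxx`), and reports who ran it and on which path. The log lines in `SAMPLE_LOG` are constructed in the format shown above, not taken from the challenge file.

```python
import re

# Constructed sample lines in the snoopy auth.log format shown above (not the challenge file).
SAMPLE_LOG = """\
Mar 25 21:15:01 ctf-1 snoopy[15100]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: ls -la /usr/bin
Mar 25 21:15:32 ctf-1 snoopy[15105]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: chmod u+s /usr/bin/find
Mar 25 21:16:05 ctf-1 snoopy[15110]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: chmod 4755 /usr/local/bin/backup
Mar 25 21:16:40 ctf-1 snoopy[15112]: [login:ubuntu ssh:((undefined)) sid:14897 tty:/dev/pts/3 (0/root) uid:root(0)/root(0) cwd:/root]: chmod 644 /etc/motd
"""

# One snoopy record: syslog timestamp, host, the bracketed context, then the command line.
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[\d+\]: "
    r"\[login:(?P<login>\S+) .*?uid:(?P<uid>\S+) cwd:(?P<cwd>\S+)\]: (?P<cmd>.*)$"
)
# One clause of a symbolic chmod mode, e.g. "u+s", "ug+rws", "+s" (empty class = all).
SYMBOLIC_RE = re.compile(r"^([ugoa]*)((?:[-+=][rwxXstugo]*)+)$")

def mode_adds_suid(mode: str) -> bool:
    """True if a chmod mode argument sets the setuid bit (numeric or symbolic form)."""
    if re.fullmatch(r"[0-7]{1,4}", mode):
        return bool(int(mode, 8) & 0o4000)          # 4xxx / 6xxx set the setuid bit
    for clause in mode.split(","):
        m = SYMBOLIC_RE.match(clause)
        if not m:
            continue
        who, ops = m.groups()
        for op, perms in re.findall(r"([-+=])([rwxXstugo]*)", ops):
            # 's' granted to the user class (or to every class) is setuid; 'g+s' alone is setgid
            if op in "+=" and "s" in perms and (who == "" or "u" in who or "a" in who):
                return True
    return False

def find_suid_changes(log_text: str) -> list:
    """Return (timestamp, login, uid, path) for every chmod that adds the setuid bit."""
    hits = []
    for line in log_text.splitlines():
        m = SNOOPY_RE.match(line)
        if not m:
            continue
        argv = m["cmd"].split()                      # whitespace split; shell quoting is ignored
        if not argv or argv[0].rsplit("/", 1)[-1] != "chmod":
            continue
        args = [a for a in argv[1:] if not a.startswith("-")]   # drop options such as -R
        if len(args) < 2 or not mode_adds_suid(args[0]):
            continue
        for path in args[1:]:
            hits.append((m["ts"], m["login"], m["uid"], path))
    return hits
```

Run `find_suid_changes(open("auth.log").read())` against the real file to get the same `/usr/bin/find` hit the grep above found, plus any numeric-mode changes a plain `grep 'u+s'` would miss.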

**MD5 hash the answer:**
```shell
┌[siunam♥earth]-(~/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-4)-[2023.04.01|18:20:29(HKT)]
└> echo -n '/usr/bin/find' | md5sum
7fd5884f493f4aaf96abee286ee04120 -
```

\- **Flag: `RS{7fd5884f493f4aaf96abee286ee04120}`**

Original writeup (https://siunam321.github.io/ctf/RITSEC-CTF-2023/Forensics/Red-Team-Activity-1-4/#red-team-activity-4).