Elfen Ring - Prison Escape Walkthrough
Prison Escape
Challenge Difficulty 3/5
Clone a code repository. Get hints for this challenge from Bow Ninecandle in the Elfen Ring.
After completing the Clone with a difference challenge, Getting back on the boat and progressing further through the game, we meet Tinsel Upatree with a terminal named “Prison Escape”, once we click on the terminal we are presented with the following screen that details the challenge and Based on the question, we need to find a hex string that contains the flag that needs to be submitted
Seems like we need to find a way to privilege escalate or escape from the limited sandbox to be able to complete the challenge. given we can get linpeas transferred to this system, we will have to manually perform initial enumeration.
Based on the above screenshot, Seems like some sort of docker container and now ill have to narrow down the enumeration to docker container escape.
Using the following docker container escape reference cheatsheet, while attempting enumeration we find that we can execute command as “sudo” user, and we identify that disk “/dev/vda” based on our “fdisk” command not being mounted.
Lets attempt to mount by using the following commands
Now based on the hints provided BowNinecandle, there is some sort of hex string that appears in the host file “/home/jailer/.ssh/jail.key.priv”. let throw that in the path of the newly mounted directory and see if that’s they hex string that needs to be provided to solve the challenge.Full Command sets
>> sudo mkdir /mnt/tmpstore
>> sudo mount /dev/vda /mnt/tmpstore
>> cat /mnt/tmpstore/home/jailer/.ssh/jail.key.priv
Comments
Post a Comment