Elfen Ring - Prison Escape Walkthrough

Prison Escape

Challenge Difficulty 3/5

Clone a code repository. Get hints for this challenge from Bow Ninecandle in the Elfen Ring.

After completing the Clone with a difference challenge, Getting back on the boat and progressing further through the game, we meet Tinsel Upatree with a terminal named “Prison Escape”, once we click on the terminal we are presented with the following screen that details the challenge and Based on the question, we need to find a hex string that contains the flag that needs to be submitted



Seems like we need to find a way to privilege escalate or escape from the limited sandbox to be able to complete the challenge. given we can get linpeas transferred to this system, we will have to manually perform initial enumeration.

Based on the above screenshot, Seems like some sort of docker container and now ill have to narrow down the enumeration to docker container escape

Using the following docker container escape reference cheatsheet, while attempting enumeration we find that we can execute command as “sudo” user, and we identify that disk “/dev/vda” based on our “fdisk” command not being mounted.

Lets attempt to mount by using the following commands

Now based on the hints provided BowNinecandle, there is some sort of hex string that appears in the host file “/home/jailer/.ssh/jail.key.priv”. let throw that in the path of the newly mounted directory and see if that’s they hex string that needs to be provided to solve the challenge.



Full Command sets

>> sudo mkdir /mnt/tmpstore

>> sudo mount /dev/vda /mnt/tmpstore

>> cat /mnt/tmpstore/home/jailer/.ssh/jail.key.priv


Comments

Popular posts from this blog

SANS Kringlecon 2022 Introduction

Sans Kringlecon 2022 - Christmas CTF Finale

Web Ring - Boria PCAP Mining Walkthrough