KOTH
General and advanced tips for winning King of the Hill!

Flag Finder
The following script will search for a number of file name formats to get possible flag entries.
#!/bin/bash
# Look for the usual flag file names, then grep the filesystem for the THM{ format.
# The name tests are grouped in \( \) so -exec applies to all of them, not just the last one.
# /proc, /sys, /dev and /run are skipped so grep does not stall on pseudo-files,
# and flags.txt is excluded so the script does not match its own output.
echo "Searching for flags..."
find / -type f \( -name "*flag.txt" -o -name ".flag*" -o -name ".flag" -o -name "flag" \
    -o -name "user.txt" -o -name "root.txt" \) -exec cat {} \; 2>/dev/null > flags.txt
grep -rI --exclude-dir={proc,sys,dev,run} --exclude=flags.txt "THM{" / >> flags.txt 2>/dev/null
if [[ -s flags.txt ]]; then
    echo "Possible flags found"
else
    echo "No flags found"
fi
echo "Flags can be found in flags.txt, here are your flags:"
cat flags.txt
Remove SUID
A quick way to root is abusing a SUID binary. Once you have root, close that door behind you: clear the SUID bit with chmod -s on the binary you used, and on any other SUID binary an opponent could abuse the same way. Leave the ones you still depend on alone (sudo, su, passwd), or you will lock yourself out of your own box.
# Find SUID binaries (-perm -2000 lists SGID ones the same way)
find / -type f -perm -4000 2>/dev/null
# Remove the SUID bit from the binary used to root
chmod -s $SUID_CMD
# Confirm the bit is gone
ls -l $SUID_CMD
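The same clean-up as a script, added here as an example rather than code from the original page: it walks a directory tree for setuid/setgid files and strips the bits from everything except an allowlist of binaries you need to keep working as root. The allowlist contents and the ROOT argument are assumptions; adjust them to the box.

```shell
#!/bin/bash
# Added example: strip SUID/SGID from every binary under ROOT except an
# allowlist, so an opponent cannot reuse the same privilege-escalation path.
set -u

# Basenames that keep their bits. Stripping these locks you out as well.
# (Assumed list; extend it for whatever the box needs.)
KEEP_SUID="sudo su passwd mount umount pkexec"

# is_kept NAME -> exit 0 if NAME is on the allowlist
is_kept() {
    local name="$1" k
    for k in $KEEP_SUID; do
        [ "$k" = "$name" ] && return 0
    done
    return 1
}

# strip_suid ROOT: clear setuid and setgid on regular files under ROOT that
# are not allowlisted. Prints one line per file: "kept PATH" or "stripped PATH".
strip_suid() {
    local root="${1:-/}" f
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if is_kept "$(basename "$f")"; then
            echo "kept $f"
        else
            # u-s,g-s is what chmod -s does, spelled out
            chmod u-s,g-s "$f" && echo "stripped $f"
        fi
    done
}

# Usage, as root:  strip_suid /
```

Run it once right after you take the box, then re-run it whenever you regain root; an opponent who rooted via the same binary will often restore the bit for their own convenience.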
Protecting KING.TXT
With CHATTR Loop
The chattr command is very useful for making files and folders immutable. The i attribute means a file cannot be modified, deleted, or renamed; no hard link can be created to it, its metadata cannot be changed, and it cannot be opened for writing. The a attribute means the file can only be opened in append mode for writing. To make a file immutable, use chattr +i $FILE (chattr +ia sets both attributes; chattr -ia clears them again). Check the current attributes with lsattr $FILE. Only root can set or clear these attributes, so an opponent who also has root can simply run chattr -ia and overwrite the file; that is why the script below keeps re-applying them in a loop.
The following script runs as root and re-asserts the king file and its attributes continuously:
#!/bin/bash
# Execute with "bash kingme.sh &" as root
while true; do
    # Drop the attributes so the write succeeds, write, then lock the file again
    chattr -ia /root/king.txt 2>/dev/null
    echo -n "cyb3rn1nja" > /root/king.txt 2>/dev/null
    chattr +ia /root/king.txt 2>/dev/null
done
One line version:
while true; do chattr -ia /root/king.txt 2>/dev/null; echo -n "cyb3rn1nja" >| /root/king.txt 2>/dev/null; chattr +ia /root/king.txt 2>/dev/null; done &
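A variant of the loop, added here as an example and not taken from the original page: instead of clobbering the file on every pass, it reads king.txt first and only drops the attributes, rewrites and re-locks when the content has actually drifted, logging each takeover attempt. The file path, name and poll interval are arguments; the chattr calls are skipped silently when chattr is unavailable or the caller is not root, which is an assumption made so the functions can be exercised on a throwaway file.

```shell
#!/bin/bash
# Added example: a king.txt guard that restores the file only when it has changed.

# set_immutable FILE on|off : toggle the i and a attributes, ignoring failures
# (not root, or chattr missing) so the rest of the guard still works.
set_immutable() {
    local file="$1" mode="$2"
    command -v chattr >/dev/null 2>&1 || return 0
    if [ "$mode" = on ]; then
        chattr +ia "$file" 2>/dev/null
    else
        chattr -ia "$file" 2>/dev/null
    fi
    return 0
}

# ensure_king FILE NAME : make FILE contain exactly NAME (no trailing newline).
# Prints "ok" if it already did, "restored" if it had to be rewritten.
ensure_king() {
    local file="$1" name="$2" current
    # Append a sentinel so a trailing newline written by an opponent is not
    # stripped by the $(...) substitution and goes unnoticed.
    current=$(cat "$file" 2>/dev/null; echo x)
    current=${current%x}
    if [ "$current" = "$name" ]; then
        echo ok
        return 0
    fi
    set_immutable "$file" off
    printf '%s' "$name" > "$file"
    set_immutable "$file" on
    echo restored
}

# guard_loop FILE NAME [INTERVAL] : re-assert the king until interrupted,
# writing a timestamped line to stderr for every takeover it undoes.
guard_loop() {
    local file="$1" name="$2" interval="${3:-0.2}"
    while true; do
        if [ "$(ensure_king "$file" "$name")" = restored ]; then
            echo "$(date '+%T') $file was overwritten, restored" >&2
        fi
        sleep "$interval"
    done
}

# Usage, as root:  guard_loop /root/king.txt cyb3rn1nja 2>>/root/king.log &
```

The poll interval is a trade-off: a tight loop reacts faster but burns CPU that the other scripts on the box (and the KOTH scorer) also need; 0.2 s is a reasonable default.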
With Mounting
This method builds a small ext3 image in /dev/shm, loop-mounts it, writes king.txt into it, remounts the image read-only, and then bind-mounts that king.txt over /root/king.txt. The backing image is deleted afterwards; the loop device keeps it open, so the mount survives and there is no file left to tamper with. Undo it with umount -l /root/king.txt. The image can be made writable again with mount -o rw,remount /dev/shm/sqashfs. Bear in mind that an opponent with root can run the same umount, and the bind mount is visible in the output of mount and findmnt, so this hides nothing from someone who looks.
#!/bin/bash
# Execute with "sudo bash kingmount.sh"
# Undo with "umount -l /root/king.txt" (and "umount -l /dev/shm/sqashfs" to drop the image)
# The bind target has to exist before something can be mounted over it
echo cyb3rn1nja > /root/king.txt
# Build a small ext3 image in RAM and loop-mount it
dd if=/dev/zero of=/dev/shm/root_f bs=1000 count=100
mkfs.ext3 /dev/shm/root_f
mkdir -p /dev/shm/sqashfs
mount -o loop /dev/shm/root_f /dev/shm/sqashfs/
chmod -R 777 /dev/shm/sqashfs/
echo cyb3rn1nja > /dev/shm/sqashfs/king.txt
# Flip the image read-only, then mount its king.txt over the real one
mount -o ro,remount /dev/shm/sqashfs
mount -o bind /dev/shm/sqashfs/king.txt /root/king.txt
# The loop device holds the deleted image open, so the mount keeps working
rm -f /dev/shm/root_f
With Symbolic Link
Hides the king file by replacing /root/king.txt with a symbolic link to a file named ..., which is easy to overlook in a directory listing; a copy of /root is kept in the hidden directory /dev/shm/... first. Writes to king.txt follow the symlink into ..., so this only hides the real file and does not by itself stop an opponent who writes to king.txt; pair it with the chattr loop above.
#!/bin/bash
# Execute with "bash kinghide.sh" as root
# Keep a copy of /root under a hidden directory, then swap the king file for a symlink
mkdir -p /dev/shm/...
cp -r /root/ /dev/shm/...
cd /root || exit 1
rm -f king.txt
echo "cyb3rn1nja" > ...
ln -s ... king.txt
Prevent Rootkits
To stop others loading kernel-module rootkits, disable module loading for the rest of the uptime. This is one-way: kernel.modules_disabled cannot be set back to 0 without a reboot, so load anything the box still needs first (for example a loop driver, if you plan to use the mount method above). It does nothing against userland rootkits such as LD_PRELOAD libraries, and module signature enforcement only takes effect on kernels built with module signing.
# Block loading of new kernel modules until reboot (the two lines are equivalent; either is enough)
echo 1 > /proc/sys/kernel/modules_disabled
sudo sysctl -w kernel.modules_disabled=1
# Require signed modules; this is a module parameter under /sys, not a sysctl
echo 1 > /sys/module/module/parameters/sig_enforce
# Verify
cat /proc/sys/kernel/modules_disabled /sys/module/module/parameters/sig_enforce