KOTH

General and advanced tips for winning King of the Hill!

Flag Finder

The following script will search for a number of file name formats to get possible flag entries.

flagfinder.sh

#!/bin/bash

echo "Searching for flags..."

find / -name "*flag.txt" -o -name ".flag*" -exec cat {} \; 2>/dev/null > flags.txt
find / -name ".flag" -o -name "flag" -exec cat {} \; 2>/dev/null >> flags.txt
find / -name "user.txt" -exec cat {} \; 2>/dev/null >> flags.txt
find / -name "root.txt" -exec cat {} \; 2>/dev/null >> flags.txt
grep -r "THM{" / >> flags.txt 2>/dev/null

if [[ -s flags.txt ]]; then
    echo "All flags Found"
else
    echo "No flags found"
fi

echo "Flags can be found in flags.txt, here are your flags:"
cat flags.txt

Remove SUID

A quick way to root is utilizing SUID bits. After attaining root, remove the SUID bit using the -s option on the command used to root.

# Find SUID
find / -perm -4000 2>/dev/null
# Remove SUID bit
chmod -s $SUID_CMD

Protecting KING.TXT

With CHATTR Loop

The chattr command is very useful for making files and folders immutable. The i attribute means a file cannot be modified, deleted, or renamed. It also means no link can be created to the file, the file's metadata cannot be modified, and the file cannot be opened in write mode. The a attribute makes a file only openable in append mode. Generally to make a file immutable, use the command chattr -ia $FILE.

The following script runs

kingme.sh

#!/bin/bash
# Execute with "bash kingme.sh &" as root

while [ 1 ]; do
    chattr -ia /root/king.txt 2>/dev/null
    echo -n "cyb3rn1nja" > /root/king.txt 2>/dev/null
    chattr +ia /root/king.txt 2>/dev/null
done

One line version:

while [ 1 ]; do chattr -ia /root/king.txt 2>/dev/null; echo -n "cyb3rn1nja" >| /root/king.txt 2>/dev/null; chattr +ia /root/king.txt 2>/dev/null; done &

With Mounting

This method creates a second file system and links a folder to it. Then the file system gets mounted read only and mounted over the original king file. Then the file system gets deleted leaving the link. The king file can be unmounted using the command umount -l king.txt. The file system can be mounted to be writable again using the command mount -o rw,remount /dev/shm/sqashfs.

kingmount.sh

#!/bin/bash
# Execute with "sudo bash kingmount.sh"
# Undo with "umount -l /root/king.txt" or "umount -l /root"

lessecho cyb3rn1nja > /root/king.txt
dd if=/dev/zero of=/dev/shm/root_f bs=1000 count=100
mkfs.ext3 /dev/shm/root_f
mkdir /dev/shm/sqashfs
mount -o loop /dev/shm/root_f /dev/shm/sqashfs/
chmod -R 777 /dev/shm/sqashfs/
lessecho cyb3rn1nja > /dev/shm/sqashfs/king.txt
mount -o ro,remount /dev/shm/sqashfs
mount -o bind /dev/shm/sqashfs/king.txt /root/king.txt
rm -rf /dev/shm/root_f 

With Symbolic Link

Creates a clever way of hiding the king file by making a symbolic file to it as a hidden directory.

kinghide.sh

#!/bin/bash
# Execute with "bash kinghide.sh"

cp -r /root/ /dev/shm/...
cd /dev/shm/.../root
rm king.txt
echo "cyb3rn1nja" > ...
ln -s ... king.txt

Prevent Rootkits

To prevent others from using rootkits, use the following kill switch:

echo 1 > /proc/sys/kernel/modules_disabled
sudo sysctl -w kernel.modules_disabled=1
sudo sysctl -w module.sig_enforce=1

References:

https://github.com/MatheuZSecurity/Koth-TryHackMe-Tricks

https://github.com/Terraminator/thm-koth-tricks?tab=readme-ov-file