Get the flag by authenticating via SSH to [email protected] -p4556, using the password "d4rk_kn1ght".
Flag format: UNR{}
UNR{master_of_brute}
This is a privilege escalation based attack. To read the 'flag' file you need root permissions, so I searched for binaries that had the SUID set, found 'power', reversed engineered it to find out how it can read from a file, then used it to extract the flag.
Because we need to "rise"(escalate), the usual way is to use the special / SUID binaries. To see them I used:
find / -perm -4000 2> /dev/null
Found (in /usr/bin):
-rwsr-xr-x 1 root root 6120 Dec 10 07:47 power
-rwsr-xr-x 1 root root 39912 May 17 2017 newgrp
-rwsr-xr-x 1 root root 75376 May 17 2017 gpasswd
...
“power” is a peculiar name for a binary, so I just grabbed it locally with MobaXTerm.
Then I opened it in Ghidra to find out that: