# 20 - blukat ## The Challenge Sometimes, pwnable is strange... hint: if this challenge is hard, you are a skilled player. ssh -p2222 (pw: guest) ## The Solution This challenge is about paying attention and questioning reality itself. At first glance everything is as usual: ![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MIsQGdAcbNR61lUSal2%2F-MItRWD05Bhfh-5JJOAw%2Fimage.png?alt=media\&token=4614afd0-417e-4dd8-ba7e-ee25703ae9e1) Only members of `blukat_pwn` can access the password which we need to get the flag. As we started analyzing the challenge we had some opportunities to figure out something was wrong. For example: * How did we just copy the password file to my local machine? * Why `fgets` stores in memory *"cat: password: Permission denied"* ? Take a close look at blukat's group permissions: ![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MIsQGdAcbNR61lUSal2%2F-MItQPZGDArtgh0-7K2o%2Fimage.png?alt=media\&token=f185dfcf-95e4-4cd9-bdab-28fccfd977cb) We are part of the `blukat_pwn` group, and that permission denied string is the password! ![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MIsQGdAcbNR61lUSal2%2F-MItUvCJl52iTnbMTPU7%2Fimage.png?alt=media\&token=7e898633-7942-4b47-be9a-0fb06b3422c7) Use this to grab the flag and get this over with. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://nickbhe.gitbook.io/shikata-ga-nai/pwnable.kr/20-blukat.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.