boot2root, hacking, OSCP, web application security

OSCP Series: Kioptrix Level 1

Another day, another challenge.

I am studying for the OSCP exam, and I read that the following boot-to-root VM is good practice for it.

Anyway without further ado…

Note: I set both Kioptrix and Kali to Bridged, so the two VMs are on the same network. Make sure your two VMs can reach each other as well, or the walkthrough will not work; a host-only network also does this and keeps the deliberately vulnerable VM off your LAN.

Booting the Kioptrix machine we see the following…


Hmm… so we need to get root on this machine, and we’re presented with a login prompt.

Going to our Kali machine, we first open a terminal and find the IP address of the Kioptrix machine.

To do this, type netdiscover followed by Enter. netdiscover finds hosts by sending ARP requests on the local network segment, so it needs root privileges.

The address it reports for Kioptrix will be different on your network; substitute yours wherever <IP_ADDRESS> appears below.

Now, let’s see which services are running on the Kioptrix VM.

Type nmap -sV <IP_ADDRESS>. The -sV option asks nmap to probe each open port and report the service and version it finds (the port scan itself is a TCP scan).

Below is a screenshot:


We have the following services open – ssh, http, rpcbind, netbios-ssn, ssl/http, status

Let’s look at the http page and see if we can find something useful


Nothing useful is listed here. Let’s go back to the services above and see whether another vector turns up something on the VM.

We see there’s a Samba server running on port 139 (netbios-ssn).

Maybe we can enumerate this server and get more information.

What can we use to enumerate?

There’s a useful tool called enum4linux which enumerates SMB servers for goodies.

Running the command enum4linux -a <IP_ADDRESS> we get:


As you can see, the tool returns a lot of data. The important pieces are:

  1. The Samba server version
  2. The groups and users on the server

Looking at the output, we see the Samba server is version 2.2.1a.
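As an added example (my own code, not part of the post), here is a small shell helper that turns an nmap -sV table into searchsploit search terms and, separately, lists the open ports for which nmap reported a service name but no version. The scan table is constructed to resemble the one in this post; the version strings in it are illustrative, and the function names are my own. The point it makes is the one above: a row such as the Samba one carries no version, so that is where a protocol-specific enumerator like enum4linux has to fill the gap.

```shell
#!/bin/sh
# Added example (not from the post): pull "product version" pairs out of an
# nmap -sV table so they can be fed to searchsploit, and list open ports whose
# version nmap could not determine (those need a protocol-specific enumerator
# such as enum4linux). The function names and the sample scan are my own.

# Constructed sample in nmap's normal-output format, resembling the Kioptrix
# scan in this post; the version strings are illustrative, not the post's.
sample_scan() {
    cat <<'EOF'
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open  status      1 (RPC #100024)
EOF
}

# Keep only "port/proto open service VERSION..." rows; print the port and the
# free-text version column (everything after the third field).
open_port_versions() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        v = ""
        for (i = 4; i <= NF; i++) v = (i == 4 ? $i : v " " $i)
        print $1, v
    }'
}

# Reduce each version column to "Product X.Y.Z", the form searchsploit wants
# (e.g. "OpenSSH 2.9p2", "Apache httpd 1.3.20"). Rows without a
# product-version pattern produce nothing.
searchsploit_terms() {
    open_port_versions |
    sed -nE 's#^[^ ]+ ([A-Za-z][A-Za-z.-]*( (httpd|smbd))?)[ /]([0-9][0-9A-Za-z.]*).*#\1 \4#p' |
    sort -u
}

# Open ports whose version column carries no product-version pattern:
# nmap only knows the service name, so enumerate these another way.
unversioned_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        v = ""
        for (i = 4; i <= NF; i++) v = v " " $i
        if (v !~ "[A-Za-z][A-Za-z.-]*( (httpd|smbd))?[ /][0-9]") print $1, $3
    }'
}

# Stand-alone usage: print both lists for the sample scan.
sample_scan | searchsploit_terms
sample_scan | unversioned_ports
```

The parsing works on nmap’s normal text output; for anything more elaborate, nmap -oX and an XML parser are more robust than regexes over the text table. Note that the product names nmap prints (OpenSSH, Apache httpd) are the terms to search for, not the service column (ssh, http).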

Let’s see if we can find an exploit for this server version.

Using searchsploit we have the following:


OK, this looks promising.

Let’s try the first exploit. We need to copy it into our current directory (searchsploit -m <EDB-ID> does exactly that).


This is a Perl script, so let’s see what arguments it needs to run:

We need to supply a target type, our ip, and a target ip. After supplying the correct information we have the following:


The exploit didn’t work. Let’s try another.

Going back to the searchsploit results, the second exploit, Samba 2.2.8 – Remote Root Exploit, is a C program. It targets the trans2open stack overflow (CVE-2003-0201), which affects Samba 2.2.0 through 2.2.8, so our 2.2.1a is in range.

First, let’s copy this file to our current location.


Now we need to compile it.

Using gcc gives us a working exploit binary. Exploit code this old usually compiles with a pile of warnings; those are fine, only errors matter.


Let’s see what options we can use for this exploit…


OK. We need to specify the target platform (-b), verbose output (-v) is useful, and we give it the target host. Let’s see a screenshot of this.


Score! We were able to gain a shell!!

OK, let’s see if we can find some goodies…


Looking at the bash history we see that mail has been accessed. Let’s try reading the mail.

Going to the inbox and reading the first message, we see the message above.

Score! We have successfully completed this boot to root!!

capture the flag, hacking

PicoCTF 2017 – Yarn #appsec #infosec #ctf

Another day, another challenge…

In today’s blog post we will solve the “Yarn” challenge from PicoCTF.

Let’s get started.

Clicking on the challenge we see:


OK, we need to find a flag inside of a file, but we do not know what the file is.

Let’s look at the hints and see if that provides any clues.


The hints give us two questions. Answering them will probably lead us to the flag.

Question #1: “what does the strings command use to determine if something is a string?” We do a Google search to find out.

Doing this Google search we’re provided with the following link.

Reading the article, we learn that the strings command prints the sequences of printable characters it finds in a file; by default a sequence has to be at least four characters long to be printed.

Running strings on the file, we get the following screenshot:


We’ve answered question #1. Let’s answer question #2.

Question #2: is there a way to change the length that the strings command looks for?

Going back to the link, we see that there is a way to set the minimum length of the strings we want printed.

How do we use this?

By adding -n <minimum length>: only sequences at least that long are printed, which filters out the short junk that a binary file produces.

Doing this we get the following:


Scrolling down we see:


Hmm… I think we found the flag! “Submit_me_for_I_am_the_flag”

Submitting this string as the flag earns us 55 points!

capture the flag, hacking

PicoCTF 2017 – Just No

Another day, another challenge…

In today’s blog post we’re going to solve the “Just No” challenge from PicoCTF.

Let’s start.


OK… we have a program that has access to the flag but refuses to give it to us.

Let’s look at the hints and see what we can do.


OK… we need to read up on absolute and relative paths, and spoof the file that the program is looking for.

Let’s go to the program.

After logging into the command line and navigating to the challenge folder, we see the following:


Opening the auth file with the cat command we see:


OK. The file contains only the word “no”. Let’s see how it is used.

Opening the justno.c file with the cat command we see:


Reading the file, we see that the program opens the auth file and checks whether its contents are something other than the word “no”. If so, we are shown the flag. If the auth file does contain “no”, we go into the else block, which prints “auth file says no. So no. Just… no.”

As we saw when we opened the auth file, it currently contains “no”, so running justno right now would take the else branch and give us the no message.

Now is the time to use the hints. We need the program to read an auth file that says anything but “no”. How are we going to do this?

The challenge told us to read up on the difference between absolute and relative paths. Once we understand that, we can create a new auth file in a location where the program’s relative path will find it.

Let’s give it a shot.

Going back to justno.c, we see the file is opened with a relative path. A relative path is resolved against the current working directory of whoever runs the program, not against the directory the program lives in.

So we can spoof the file by recreating the same directory structure under a directory we can write to, putting our own auth file there, and then running justno from the matching working directory so that its relative path lands on our file.

Let’s do it.


Looking at the screenshot, you can see that we created the same directory structure and a new auth file at the path listed in justno.c. Once we did that and ran the justno program again from there, we got the flag and acquired 40 points!
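To make the relative-path point concrete, here is an added shell model of the check (my code, not the challenge’s justno.c; the path ../../problems/justno/auth is hypothetical and stands in for whatever the real program uses). It builds a throwaway directory tree, runs the vulnerable check from the legitimate directory and then from an attacker-built tree with the same layout, and contrasts it with a version that uses an absolute path.

```shell
#!/bin/sh
# Added example (not the challenge's code): a shell model of a "Just No"-style
# check that opens its auth file by a RELATIVE path, showing that the caller's
# working directory, not the program's location, decides which file is read.
# AUTH_REL is a hypothetical path in the challenge's style, not the real one.

AUTH_REL='../../problems/justno/auth'
DENY='auth file says no. So no. Just... no.'

# Vulnerable form: the relative path is resolved against the caller's cwd.
check_relative() {
    content=$(cat "$AUTH_REL" 2>/dev/null) || { echo "cannot open $AUTH_REL"; return 1; }
    if [ "$content" != "no" ]; then echo "FLAG"; else echo "$DENY"; fi
}

# Hardened form: an absolute path fixed at deployment time (AUTH_ABS is set
# by run_demo below); the caller's cwd no longer matters.
check_absolute() {
    content=$(cat "$AUTH_ABS" 2>/dev/null) || { echo "cannot open $AUTH_ABS"; return 1; }
    if [ "$content" != "no" ]; then echo "FLAG"; else echo "$DENY"; fi
}

# Build a throwaway tree, run the check three ways, print one result per line:
#   1. vulnerable check run from the legitimate problem directory
#   2. vulnerable check run from an attacker-built tree with the same layout
#   3. hardened check run from that same attacker tree
run_demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/problems/justno"
    printf 'no' > "$root/problems/justno/auth"
    AUTH_ABS="$root/problems/justno/auth"

    # 1. From $root/problems/justno, ../../problems/justno/auth is the real file.
    ( cd "$root/problems/justno" && check_relative )

    # Attacker: any writable directory two levels deep, with a matching
    # problems/justno/auth beside it, makes the relative path land on our file.
    mkdir -p "$root/home/attacker/problems/justno" "$root/home/attacker/x/y"
    printf 'yes' > "$root/home/attacker/problems/justno/auth"

    # 2. Same program, same relative path, attacker's cwd: our "yes" is read.
    ( cd "$root/home/attacker/x/y" && check_relative )
    # 3. The absolute path still reads the real "no".
    ( cd "$root/home/attacker/x/y" && check_absolute )

    [ -n "$root" ] && rm -rf "$root"
}

run_demo
```

The lesson for a privileged program is not to derive the location of a trusted file from anything the caller controls: open it by an absolute path (or a path computed from the program’s own location), and remember that the working directory is only one of the things a caller gets to choose.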

capture the flag, hacking

PicoCTF 2017 – Bash Loop

Another day, another challenge…

In today’s blog post we will solve the “Bash Loop” challenge from PicoCTF.

Let’s start!

Clicking on the challenge we see:


OK… there’s a program we need to run to find a hidden number. Let’s look at the hints to see what they give us.


OK… the hint tells us to use Google to search for “bash loops”.

First, let’s navigate to the program’s folder.

Copying the location of the program, right-clicking on the command line, selecting paste from browser, and pressing Enter we have the following:



We see the bashloop program and the flag.

Executing the bashloop program we see the following:


Let’s do a quick Google search and look for bash loops

Going to the following link, and scrolling down to the for loop we see the following:


Let’s use this for our challenge.

Going back to the command line we enter the following:


Let’s break down the loop…

The first line is a for loop over the range 0 to 4096, which is the range of numbers we need to guess.

The second line runs the program with the current number and pipes its output through grep for the keyword flag, so only the output of the winning guess is shown. The last line, done, closes the loop.

Pressing enter we see that the flag is displayed to us.

Entering it into the input box we acquired 40 points!
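Here is the same technique as an added shell example (my code, not the challenge’s; bashloop below is a stand-in for the challenge program, with a constructed secret number and flag). It adds two things the post’s loop lacks: it stops at the first hit instead of running through the whole range, and it prints which number produced the flag.

```shell
#!/bin/sh
# Added example (not the challenge's program): brute-force a guessing program
# with a shell loop, as the post does, but stop at the first hit and report
# which number worked. bashloop is a stand-in for the challenge binary;
# SECRET and the flag text are constructed for this example.

SECRET=2913

# Stand-in for ./bashloop: prints the flag only for the right number.
bashloop() {
    if [ "$1" = "$SECRET" ]; then
        echo "flag{constructed_example_flag}"
    else
        echo "Nope, that's not it."
    fi
}

# Try every value from $1 to $2 (defaults 0..4096); print "number: flag line"
# for the first output that mentions flag, then stop. Returns 1 if none did.
# A while loop is used instead of {0..4096} so this also works in plain sh.
brute_force() {
    lo=${1:-0}; hi=${2:-4096}
    i=$lo
    while [ "$i" -le "$hi" ]; do
        # grep's exit status (last command in the pipeline) says whether it matched.
        if hit=$(bashloop "$i" | grep -i flag); then
            echo "$i: $hit"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

brute_force
```

Printing the guess alongside the match matters when the program’s output does not echo the input back: without it you know the flag but not which number unlocked it.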

capture the flag, hacking, web application security

PicoCTF 2017 – WorldChat

Another day, another challenge…

In today’s blog post we will be solving the “WorldChat” challenge from the PicoCTF.

Let’s get started!

Going to the challenge we see:

OK, so we need to find the flag inside the WorldChat app. According to the description, there will be many other people on the app besides us when we connect.

Let’s look at the hints to see if it will help us.


We need to use the nc command (we’ve used it in another challenge) and the grep command to filter the output.

Let’s try it.


Connecting to the server we see a bunch of chats from different people. I pressed Ctrl + C to stop it.

Let’s follow the hints and pipe (|) nc’s output into grep.








Press Ctrl + C to end the chat.

I have only captured screenshots of the output that contains the flag. Entering the flag into the input box we acquired 30 points.

capture the flag, hacking

PicoCTF 2017 – Leaf of the Tree

Another day, another challenge…

Today’s post shows how to solve the Leaf of the Tree challenge from PicoCTF.

Clicking on the challenge we see the following:


We need to find the flag, but it’s located in an annoyingly named directory. The challenge tells us to use the cat and ls commands.

Clicking the hints we see the following:


Nothing much here except that tab completion is our friend. (Running find on the top directory with -type f would list every file underneath it in one go, but this challenge is about walking the tree by hand.)

Going to the command line and navigating to the folder in the challenge we see:


Hmm… a trunk directory, let’s change our current directory (cd) to the trunk directory and list the contents.

Doing that we get:


Two more folders… let’s go into the trunkef96 directory and see what’s in it.


Another folder… trunk99e1, let’s see what’s in that directory.


Three more folders. Let’s look at what’s inside the trunk54f4 directory.


Going to trunk61be and looking at the contents in that folder we see:


Going to the trunk61be and looking at the contents in that folder we see:


Going to the trunk89be and looking at the contents in that folder we see:


Going to the trunk87bf and looking at the contents in that folder we see:


Going to the trunkb252 and looking at the contents in that folder we see:


OK – there’s the flag. Let’s use the cat command to open the file and see if the flag is there.


We found the flag, and acquired 30 points in the process!

capture the flag, hacking, web application security

InfoSec Institute CTF Challenge #8

Another day, another challenge…

Today’s challenge will be on CTF Challenge #8 from InfoSec Institute.

Going to the following link

We see the following page.


We are presented with a file to download.

Doing our trick of right click, view page source we see the following:


We see the file that we need to download called “app.exe”

Downloading and running the file, we notice that the application just runs the netstat command and lists our network connections. (Running an unknown executable from a CTF site on your own machine is a risk; do it in a throwaway VM, or better, inspect the file with strings first and never run it at all.)

Since our usual tricks do not work, we need a way to look inside the executable.

One option is the Linux strings command.

strings prints the runs of printable characters it finds in a file, which is where hard-coded text such as a flag tends to show up.

If you are working on a Windows machine (like I am) you can install Cygwin, which provides a Linux-like shell and command-line tools on Windows. (Sysinternals also ships a native Windows strings.exe that does the same job.)

To download cygwin go here.

Note: during the Cygwin setup, select the binutils package; that is the package that provides strings.

Copy app.exe into your Cygwin home directory (under the install directory you chose) so you can reach it from the Cygwin shell; alternatively, Windows drives are reachable from Cygwin under /cygdrive, for example /cygdrive/c.

After downloading cygwin, and using the strings command we see the following:


We found the flag – infosec_flagis_0x1a!
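Both this challenge and the Yarn challenge above turn on what strings actually does: it prints runs of printable bytes at least N long, where N defaults to 4 and -n changes it. As an added example, not code from either post, here is a shell reimplementation of that behaviour for 7-bit ASCII, run against a constructed blob with NUL and control bytes in it; printable_strings and sample_blob are my names, and the blob’s contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from either post): a minimal reimplementation of what
# strings -n N does for 7-bit ASCII, so the effect of the minimum length is
# visible on data we control. printable_strings is my name, not a real tool.

# Print every run of at least N printable ASCII bytes (plus tab, which GNU
# strings also accepts) from stdin, one per line. N defaults to 4 like strings.
printable_strings() {
    n=${1:-4}
    # Turn every non-printable byte into a newline, then keep only long runs.
    LC_ALL=C tr -c '[:print:]\t' '\n' | awk -v n="$n" 'length($0) >= n + 0'
}

# Constructed "binary" blob: printable text mixed with NULs and control bytes.
# The flag-like string is made up; it is not the challenge's flag.
sample_blob() {
    printf 'MZ\000\001\002netstat\000\003ab\000infosec_flagis_example\000\004\005x\000'
}

# Stand-alone usage: default minimum versus a larger one.
sample_blob | printable_strings        # MZ and ab are too short; netstat and the long string print
sample_blob | printable_strings 10     # only the 22-byte string survives
```

Two caveats when using the real tool: strings tells you nothing about meaning, only that a run of printable bytes exists, so a long list still needs grep or a higher -n to be useful; and on object files older versions of GNU strings only scan the loadable sections unless you pass -a, which makes it scan the whole file and is always safe to add.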

Lessons learned:

Again, our normal trick of viewing the page source did not work. When we executed the program we noticed it was just netstat gathering information about our network, so we decided we needed to look inside the application to see whether the flag was hidden there. It was. Overall lesson: be flexible with your tool belt and think outside the box!