Waldo -

Target Enumeration:

OS: Linux


User: 32768bcd7513275e085fd4e7b63e9d24

Root: 8fb67c84418be6e45fbd348fd4584f6c

Ports / Services / Software Versions Running

22/tcp open ssh

80/tcp open http

8888/tcp filtered sun-answerbook

Vulnerability Exploited:

LFI to read nobody users ssh key

Privilege Escalation:

Root capabilities on /usr/bin/tac to read the root flag.

Exploiting the host:


Looking at the webapp its a list reader/writer

Capturing the requests in burp allows dir listing for the root folder, you cant read files outside of this dir.

There is a file read so check the sourcecode

Start reading the sourcecode of the webapp

Can read and write to files

List all the files and copy output to a text file for review

Reviewing the code made lfi a little harder than normal

Eventually we found a payload that worked.

Now considering the ports we had open we would probably need to find some ssh keys of some sort.

Searching around we found a key for the user nobody.

The file is all messed up so copy to a text file and remove all instances of \n and replace with a new line:

And also delete all instances of \ through the file

Once Cleaned you will have the following file:

Chmod 600 the file and login as the user nobody to get the user.txt flag.

After enumerating the system it appears we are in a restricted docker container so try and use the previous key to login to the actual host with ssh

Another restricted shell, using the following command we can see a few things we can use

Rnano may allow us to create files

Bypass by issuing “bash --noprofile”


We have none of the correct paths with noprofile so execute the following

For privesc you need to understand capabilities



Run the following command to find all capabilities

getcap -r / > capabilities.txt

Then read the file

Tac will allow us to get the root flag

You can also read the root’s ssh key

Reverse the ssh key with sed

The key will not allow you to login to the root account so for now we will try and crack the root account with unshadow shadow password > keys

There is not much point as the following is set in sshd_config

Last updated