A Thousand Ways to Skin the Sokar Cat

Happy Birthday Vulnhub!

As promised at our birthday party last week, we’d like to announce the release of our first competition in 2015…. Sokar!

Rasta Mouse (the person to thank and/or blame regarding Kvasir) didn’t bake us a birthday cake, but instead cooked up a brand new virtual machine for you to attack and have some fun.

He is no stranger to breaking boot2root machines. He has now crafted Sokar, using a few ideas that he had not previously seen in his travels of vulnerable virtual machines.

Okay Vulnhub and Rasta Mouse, challenge accepted. Let the games begin!


Sokar, the god of death on many worlds and one of the most powerful of the Goa’uld. Normally I would run like hell if I was introduced to ‘The God of Death’, but considering we are celebrating a special birthday, I will be a little brave.

Together with my team of binaries and other assorted tools, we shall defeat Sokar and destroy all who come in our way! netdiscover… where does this most powerful one reside?

Nmap, are there any holes in Sokar’s armour?

Interesting. It looks as though Sokar is using a Goa’uld Personal Defence Shield. The defence of these shields is proportional to the probe requests we are blasting towards it. Nmap, we need a slower weapon. Fire only the first 1000 ports!

Success! The crack in the armour. iceweasel, set target course for port 591… let’s take a closer look.


Looks like some form of combined output from netstat and iostat. The stats are updating regularly so we know there must be a minion script in control. Let’s take a look at the source.

As expected. Sokar has deployed a cgi script to monitor the system stats. Before we look at this further, let’s make sure Sokar is not hiding anything else from us. Wfuzz, we need you to bruteforce this system. Engage immediately!

This system seems to be very weak and does not respond well to our bruteforce attempts. It may be dated or unstable. Let’s shock the system with our CVE-2014-6271 weapon and see if we can expose a weakness. Curl, engage Sokar!

Kaboom!!!! The molten core of Ne’tu is exposed and we can see Bynarr and his first prime Apophis reside in this place of fire and torment!


We must be hesitant. Before we get any closer, we should survey the landscape. Curl, check for any SUID binaries in our immediate vicinity:

No immediate concerns at this stage. Curl, give me the contents of the cgi-script.

Good. The script calls for the contents of the /tmp/stats file and outputs the information. Curl, tell me if there are any world-writeable options we should consider.


Bynarr! Before we get to Sokar we must get past or destroy Bynarr. Thanks to Sokar gauging out one of Bynarr’s eyes, we should be able to get by unnoticed. Curl, get us past Bynarr’s gaze and show us what he is hiding at home.

Great work curl! Let me know what is in /tmp/stats.

We are getting closer to our target. Onwards curl! Let’s take a look at his mail; perhaps Jolinar of Malkshur has left him a smutty love note?

While there was no Tok’ra soft porn for us indulge in, we have possibly found a way we can get closer to Sokar, by becoming “Bynarr the Fruity”!

Curl, give me Bynarr’s profile stat!

The pieces are all starting to fall together! Our battle plan to fool Sokar into believing we are Bynarr is as follows: We will leverage the availability of a path attack, replacing Bynarr’s iostat with our own malicious binary. This binary will open gate 51242, allowing us to directly embed ourselves on Ne’tu. Today my friends, we shall not be defeated!

Curl, create a placeholder for our malicious binary and tell netcat I want to see her immediately!

Netcat, prepare gate 51242 for immediate deployment!

Curl, inject the malicious code and activate the portal.

Netcat, prepare for the gateway to open!

We stand upon Ne’tu and can feel the probing gaze of Bynarr. Time is not our friend and Sokar must be destroyed before gate 51242 closes behind us and we are banished to this hellish moon. We need to get to Apophis and try to build some trust in order to get to Sokar, his sworn enemy.

What a desolate place. We head north, and while there seems to be no coconuts present, we are greeted by a single lime. Cat, take a closer look.

This lime seems to be owned by root, however ls assures us we have the permissions to use it. We have no time to waste, let’s examine it further.

We are denied. This does not make sense; Bynarr holds great power in this land. Sudo, examine our surrounds and tell me what we can and cannot do. We must get to Apophis!

Good work sudo! We do have the power to use this lime. As the heat on this satanic moon starts to take it’s toll, I find myself in urgent need of refreshment. I search through my backpack, and the gods reward me accordingly. Sudo! I have a Corona, but it’s getting warm and close to undrinkable! Quickly, use your strength and get me that lime!

Let’s move team! We need to get to /tmp and examine the contents of ram! cd! Levitate us towards /tmp quickly!

Strings and grep, get over here! Strings.. I want you to use your unmatched might and open the ram. Grep, reach into the ram and pull out anything you can which could help us find apophis. Don’t delay!

Perfect team work! Cat! Get apophis’ details from the /etc/passwd journal and put it in the shadows over there. Next, get the /etc/shadow line from strings and place it into the shadows over there. unshadow, it’s time for you to shine and shed some light on the path we need to take.

john! john! Where the f@ck is john when he’s not in the gym getting ripped?!

There you are! john, take this unshadow journal and rip out Apophis’ secret.

We have done it. With unparralled teamwork we have exposed the path to Apophis. su, you know what to do! Get us to Apophis!

It’s hard to get good help sometimes. python, show us some love and spawn a sexy tty would you. (I knew I should have listened to Spock and joined his team. If only I learnt how to do that two finger sign.)

su, pick yourself up off of the molten rock and try again please.


We are greeted by Apophis, who is only too eager for us to destroy Sokar, however is driven by greed and distrust. After much discussion, he agrees to give us access to the build gate if we leave su and sudo behind for his pleasure until we open the gate. I agree to his terms, somewhat reluctantly.

gdb. You need to listen to my instructions and start to break into this build gate. These are the steps I want you to follow:

  1. Find your way to main (), and take a break
  2. Continue for a short while and disassemble what you can in main()
  3. You will find an encryptDecrypt function. Take a break at this function
  4. Look for the next instruction which has been left at this spot, and take a further break
  5. Only take a single step at this stage. You will see a register called $rbx. Contact me and tell me the contents of the register.

Now go gdb, and watch out for any bugs.

Great work gdb! It looks like we are going to need to manipulate root’s build gate to do some work for us. I know just the person that can help us out; the silly git.

cat, create me a SUID C Wrapper. We’re going to use this to get to root.

echo! Stop dreaming of the beach and create me an ssh binary which will chown and chmod our wrapper.

Ok… it’s time to manipulate the silly git and have him use the ssh binary in our path. git! open the build gate using our improved ssh binary!

Thank you, you silly git. ls, please tell me we have a binary owned by root with the sticky-bit set?

Stand back team! We have travelled a great distance and safely come this far. Sokar! It is time for you to meet your match!

cat, you have been loyal and served us very well on this mission. The honour is all yours, raise that flag!

Like Wallaby Bob’s brother, Sokar is roo-ted! Thank you so much Rasta Mouse for a very testing and enjoyable CTF challenge. I learnt a lot from the VM and owe you a piece of cheese sometime.

Vulnhub, HAPPY BIRTHDAY!!!! Thank you for continuing to provide such a great resource for us offsec folk. May there be many more birthdays to come.


One Comment

  1. OJ wrote:

    Nicely done. This write-up is definitely my favourite of the ones that I’ve read. I love the style.