This shall be a record of my escapades into the world of ones and zeros.


wwrdpldnadmin | 21 June, 2017 16:11


Orcus is the 3rd server in the Hackfest 2016 CTF event. Below is the description from vulnhub.

Welcome to Orcus

This is a vulnerable machine i created for the Hackfest 2016 CTF http://hackfest.ca/

Difficulty : Hard


If youre stuck enumerate more! Seriously take each service running on the system and enumerate them more!

Goals: This machine is intended to take a lot of enumeration and understanding of Linux system.

There are 4 flags on this machine 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box 4. There is something on this box that is different from the others from this series (Quaoar and Sedna) find why its different.

Feedback: This is my third vulnerable machine, please give me feedback on how to improve ! @ViperBlackSkull on Twitter simon.nolet@hotmail.com

Special Thanks to madmantm for testing this machine

SHA-256 : 79B1D93C60E664D70D8EB3C0CDF1AD98BF2B95036C84F87EEF065FA71C1AE51E


Orcus booted in VMWare and revealed the IP of

Everyone has their own process. Most start off with an nmap scan. Why should I be any different?

nmap -T4 -A -v


I like the easy button, so I first poked the Samba.

Rpcinfo -s


So there's a folder share, let's see what's there.

showmount -e


Let's mount it, shall we...

cd /tmp

mkdir nfs

mount -t nfs /tmp/nfs -o -nolock

Interesting, now that I have the targets /tmp folder mapped, I can move files back and forth. That's definitely useful. I don't see anything I can readily use in the folder. Let's move on to Dirbuster. I've had it running in the background.


Dirbuster shows ExponentCMS installed; however, visiting the index page shows the database to be offline.

Navigating to install/changes/ folder reveals the installed version is 2.3.9. I don't see any known vulnerabilities for this version on exploit-db.



Dirbuster revealed a folder called external. I dig around in it and find that adminer is installed as a DB front-end.



 I play around with a few quick user/password combos but nothing gets me in.


Dirbuster also showed a folder called "backups"

I downloaded and extract SimplePHPQuiz and browse through the files. In the includes folder I find db_conn.php. It has the default setup for the database


I go back to the adminer login and plugin this information. To my surprise it works.




Snooping around I find that this dbuser has full privileges.


 I also find a couple other databases, including zenphoto.


I've had experience with zenphoto and I know it has RFI/LFI issues so I navigate to the page I assume it is at by default, To my surprise I see that it is in mid install. It is complaining about the user/password being used so I plug in the dbuser/dbpassword credentials and complete the install using default settings.

(I forgot to get screenshot before completing install.)

I create a simple username/password for the zenphoto install and complete the setup. I log in and find that it is running version 1.4.10. A quick look on exploit-db shows me it's definitely vulnerable to LFI and most likely RFI, but before I try that, I'm pretty sure zenphoto has a plugin for file upload. I go to Plugins>uploader and check the box for elFinder.


Now go to the upload tab and you will see a tab for Files (elFinder). Yes you can upload files directly to the server. I upload my trusty php shell. (The same one I used on the previous Hackfest vms)




Then I go to and see the magic.


That was easy. Browsing around using "ls" with various numbers of "../" and I find the first flag, all without actually getting a shell.


Next I decide to upload my favorite php shell from PenTestMonkey. You can download it from http://pentestmonkey.net/tools/web-shells/php-reverse-shell

I make the necessary changes in the file and upload it the same way I uploaded the shell.php file, using the zenphoto uploader.

I open a terminal and type nc -nvlp 4444 and navigate to the page I just uploaded. Now I have a shell.


And for a proper shell,


Now for some quick system info.



At this point I tried several privilege escalations but nothing worked. I began looking for services I might be able to exploit and checking file and folder permissions.


Umm,..no_root_squash? I'd like to tell you that I'm some L33t hacker that new exactly what this meant but I'd be lying. This is not the default setting on nfs in linux so I didn't really know what it meant. I actually had to google this setting to find out how bad this is. After a little googling on the meaning of the setting, I now have a plan.

Let's go back to the nfs mount I made earlier.

In my limited shell on the target;

I copy sh to the /tmp folder

cp /bin/sh /tmp/

And now on my local machine in the mounted folder;

cat ./sh > exploit

chmod 4777 exploit


Now back to my limited shell;

./exploit -p


Golden, This is the first time I've ever used this trick...now for flags.

The next flag is in the /root folder, same as the other vm's in this series.


Now to cat /etc/passwd to look for users.

/etc/passwd shows a user named kippo. I don't see a home folder for kippo but doing a locate on kippo shows a folder in the /etc/ directory. Apparently Kippo is a "medium interaction SSH honeypot", according to the readme.md file. I poke through the kippo.cfg file and find another flag;


The 4th flag, as I understand it, is supposed to be something different about orchus than was on sedna or Quaoar. I'll be honest, I'm not seeing it. I've already tried to reach out the creator of this series with a question regarding Sedna but never received a response. I'll "Try Harder" but I'm going to go ahead and port this anyway. If I figure it out I'll update this report.


«Previous   1 2 3 4  Next»
Accessible and Valid XHTML 1.0 Strict and CSS
Powered by LifeType - Design by BalearWeb