Jordan Infosec CTF 1 Boot to Root VM Walkthrough


Sorry for the long delay in posting – life got a little busy over the past month or two. Today I’ll be posting my write-up of how to compromise the excellent Jordan Infosec CTF 1 VM created by @Banyrock.

This VM is more at the CTF end of the spectrum than a traditional Boot to Root, but that’s ok 🙂

Let’s get to it!

Host identification and Port Mapping

Let’s start by finding out which host on my network the VM lives on: it is then 🙂 Let’s see what’s running on that host:

Another tiny attack surface, then. SSH and an Apache server! A few interesting things are disallowed in the robots.txt file, including a “/flag”.. Sounds like our first flag!

HTTP Server

Navigating to the website’s homepage yields this form:

Nothing in the HTML gives anything away either and the form isn’t vulnerable to SQLi / didn’t fold under a quick brute force. Let’s see what /robots.txt contains:

Loads of interesting stuff here. Let’s go and take a look at /flag and hopefully get our first flag:

As expected, our first flag.. too easy! Now we manually enumerate all of the other endpoints referenced in the robots.txt file.

/backup, /admin, /r00t, /uploads all yield a 404 error, /uploaded_files yields a blank screen but /admin_area gives us something interesting in the HTML:

How convenient… The credentials were hiding in the HTML. Along with our second flag file 🙂

Let’s chuck those credentials into the login page and start looking for our third flag.


After logging in we see a file upload page. Let’s see if we can upload a web shell and get our first shell on the box.

First step, create the shell:

Second step, upload the shell.

Third step, start the meterpreter listener.

Fourth step, navigate to /uploads

Fifth step, shell!
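Seen from the defender's side, the three web findings so far (robots.txt entries that point at real paths, credentials left in an HTML comment, and an upload directory holding a script file) can all be caught by auditing the web root before deployment. The sketch below is an added example, not part of the original write-up or the VM: the function names, the keyword and extension lists, and the sample tree with its placeholder credentials are constructed for illustration, and the upload directory names are assumed from the paths listed above.

```python
import re
import tempfile
from pathlib import Path

COMMENT = re.compile(r"<!--(.*?)-->", re.S)
SECRET = re.compile(r"\b(pass(word|wd)?|user(name)?|cred\w*|secret|token)\b", re.I)
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar", ".jsp", ".cgi", ".pl"}

def audit_webroot(root, upload_dirs=("uploads", "uploaded_files")):
    """Return sorted (kind, relative_path) findings for one web root."""
    root, findings = Path(root), set()
    robots = root / "robots.txt"
    if robots.is_file():
        for line in robots.read_text(errors="replace").splitlines():
            key, _, value = line.partition(":")
            path = value.split("#")[0].strip().strip("/")
            # A Disallow entry that resolves on disk advertises a real path.
            if key.strip().lower() == "disallow" and path and (root / path).exists():
                findings.add(("robots-discloses-path", path))
    for page in root.rglob("*"):
        if not page.is_file():
            continue
        rel = page.relative_to(root).as_posix()
        if page.suffix.lower() in {".html", ".htm", ".php"}:
            for body in COMMENT.findall(page.read_text(errors="replace")):
                if SECRET.search(body):
                    findings.add(("secret-in-html-comment", rel))
        # Server-side script extensions have no place in an upload directory.
        if rel.split("/")[0] in upload_dirs and page.suffix.lower() in SCRIPT_EXT:
            findings.add(("script-in-upload-dir", rel))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree mirroring the layout the walkthrough describes."""
    root = Path(root)
    for d in ("flag", "admin_area", "uploaded_files"):
        (root / d).mkdir(parents=True)
    (root / "robots.txt").write_text(
        "User-agent: *\nDisallow: /backup\nDisallow: /flag\nDisallow: /admin_area\n")
    (root / "flag" / "index.html").write_text("<p>placeholder</p>")
    (root / "admin_area" / "index.html").write_text(
        "<html><!-- username : example_user\n password : example_pass -->"
        "<body>Nothing here</body></html>")
    (root / "uploaded_files" / "report.php").write_text("<?php /* placeholder */ ?>")
    (root / "uploaded_files" / "photo.png").write_bytes(b"\x89PNG")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, path in audit_webroot(build_sample(tmp)):
            print(f"{kind:24} {path}")
```

Each finding maps to a fix: keep sensitive paths out of robots.txt and put them behind authentication instead, strip comments from served HTML, and store uploads where the server will not execute them.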

Now’s the hard bit, escalating from where we are to root.


With our new fancy shell, running “ls” in the root of the web directory shows a file named “hint.txt”. Catting that file yields this output:

So that’s good news, we have another flag and a hint for where to find the next user!

After…50?… greps and finds where I tried to look in only hidden files, I eventually gave up and grep’d the entire disk for a file containing “technawi”:

Line 3 looks interesting! Not a hidden file though, so my initial attempts to only find hidden files didn’t work :@

Credentials.txt contains:

Yay! Now we can SSH in and get the next (final?) flag!

After SSHing in as technawi and catting /var/www/html/flag.txt we get:



Great VM. Really good fun, quite straightforward to compromise. The hardest bit was finding technawi’s credentials, but it was worth the perseverance!

