Mhz cxf

A piece of cake machine. You will learn a little about enumeration/local enumeration , steganography. This machine tested on Virtualbox , so i’m not sure about it with Vmware. If you need any help you can find me on twitter @mhz_cyber , and i will be happy to read your write-ups guy send it on twitter too cya with another machine #mhz_cyber This works better with VirtualBox rather than VMware

URL: mhz_cxf: c1f

Difficulty: Easy

Author: mhz_cyber & Zamba


Set up the Machine with a host-only adapter and run a net discover command to find the associated IP. My interface eth1 is Host-Only on my main OS (Kali Linux).

netdiscover -i eth1


We can identify the machine with the IP, so we will scan it for open ports with nmap to a file named “nmap” with the following command:

nmap -sS -p- -A -o "nmap"


To start, port 80 is open so we will investigate this port with a browser.


There is not much to see, this is the default Apache web page meaning there is probably another web page we are not seeing.

Let’s run a dirb scan to discover more paths we can further enumerate with the following command:



One of the results that have been returned is /notes.txt so let’s see what is on there:


This has given us 2 more potential paths to further discover: remb.txt and remb2.txt.

This is the web directory for remb.txt:



This could be a username:password combination that we could try somewhere. As there is not much else to see on port 80, the only other place that could provide a login is ssh.

Remb2.txt is a dead end.

Let’s try connect via ssh to the host with the following command:

ssh [email protected]


There is a successful connection, running id shows we are logged in as “first_stage”.

There is a user flag in the home directory as shown below:

user flag

Privilege Escalation

Before we start trying to escalate privileges, let’s run bash to get an upgraded shell. To find any more potential users to use, let’s see if there are any other home directories in /home.

ls /home


We can actually change directory to mhz despite who we are logged into. This is their home directory:

mhz home

There is a directory named Paintings/ that we can explore. The description of this box mentioned some steganography so let’s copy the files over using “scp”. The command “scp” essentially provides secure copying between different hosts across a network. Read more about this here.

Copy all images over for investigation:

scp [email protected]:/home/mhz_c1f/Paintings/* .

The above command is copying files (path specified after the colon : ) from [email protected] to my current local directory.


The above screenshot demonstrates the files that have been copied from left to right through the secure copying that uses ssh.

Here is a screenshot of the images on my local machine:

images on local

Now that these are on a local machine, we may use all the resources available to investigate these files.

Steganography has been made extremely easy with some useful tools that are already pre-installed on Kali Linux. Read this article about some different tools.

Let’s run steghide on some of the images to see what is returned.

steghide info 'spinning the wool.jpeg'

steg info

The command “steghide info” returns some information about the image and checks if there are any embedded files. After 2 attempts, steghide tells us that there is some more information in spinning the wool.jpeg.

In order to extract this embedded file, use the following command:

steghide extract -sf 'spinning the wool.jpeg'

The parameter -sf indicates a steg file.

steg extract

This has given us a file called remb2.txt. Cat (display the contents) of this file.


mhz_c1f:[email protected]

We now have another username and password combination. Let’s use this to log into mhz_c1f on our ssh session. Change user with the following command:

su mhz_c1f


A successful login. Now let’s check sudo rights to see what we can do to gain root access.

sudo -l
sudo /bin/bash

sudo l

We can run all commands with sudo rights. If we run /bin/bash as sudo we will be changed to root as shown above.

And we have our root flag in /root:



Written on May 14, 2020