Skip to main content

Vulnhub IMF 1 – Boot2Root

Author: 5k33tz

The VM for the CTF challenge is located at,162/
IMF is a intelligence agency that you must hack to get all flags and ultimately root. The flags start off easy and get harder as you progress. Each flag contains a hint to the next flag. I hope you enjoy this VM and learn something.
I started off with an nmap scan for to get a lay of open ports:
nmap -p 1-65535 -T4 -A -v
Nothing too interesting, except port 80/tcp open.
On the “Contact Us” page we’re able to see a couple employee emails:
Roger S. Michaels – Director
Alexander B. Keith – Deputy Director
Elizabeth R. Stone – Chief of Staff
We find the first flag in the source of the contact.php page:
<!– flag1{YWxsdGhlZmlsZXM=} –>
Decoding the string, we get the contents of flag1:
echo YWxsdGhlZmlsZXM= | base64 --decode
Flag1: allthefiles
Using Flag1 as a reference to Flag2, I start looking at all the files from source, and a particular bunch catch my eye, which also look like Base64.
Appending the strings together, and decoding:
echo ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ== | base64 --decode
Which reveals Flag2:
Flag2: imfadministrator
Browsing to bring us to a login console:

Since source seems to be a common theme for this CTF, I check source, and see a nice comment:

Admittedly after trying many brute-force combinations for all of the local emails (with and without the domain), I took a hint on this flag. You don’t know what you don’t know, but I learned something new. Apparently in the PHP strcmp function, it will  Returns < 0 if str1 is less than str2; > 0 if str1 is greater than str2, and 0 if they are equal.
Furthermore, attempting to compare a string to an array will return NULL, and in this case will allow a login bypass, and spit out the flag.
So, using burp and changing the POST data for the password field from:

Shoutout to reedphish for their write-up on this flag, and helping me learn something new (
Flag3: continueTOcms
As the flag suggests, I click on the IMF CMS link and continue to CMS.
By the looks of the URL structure, my first inclination would be for a possible SQL injection:

Since this is post-auth, I will use sqlmap with my new cookie, and attempt to enumerate the databases:
sudo sqlmap -u '
pagename=home' --cookie 'PHPSESSID=je70kk8bmq1fb8n6kh8oger6k5' --dbs
This confirms my suspicions of injection as a vector, and shows the available databases:

Since the admin database is the most interesting looking, we will dump it with the following command:

sudo sqlmap -u '' --cookie

'PHPSESSID=je70kk8bmq1fb8n6kh8oger6k5' --dbs --dump admin

This produces a new image we haven’t seen before:

Scanning the QR code, reveals flag4{dXBsb2Fkcjk0Mi5waHA=}
Flag4: uploadr942.php
Browsing to our new upload page, we’re presented with an option to upload a file:

My first theory is to upload a php webshell, but attempting to upload php, exe, and txt files, results in “Error: Invalid file type”. After trying many different file types, I was able to upload image files. My initial thoughts next brought me to find a way to insert a php cmd shell in the image, as I learned how to do this by tainting log files in OSCP. This is where I started falling flat and getting stuck, so I got a little push from another write-up. Kudos to the first person to figure this out, although you can upload any image type, you’re only able to use the php cmd shell with gif’s. So I inserted the php cmd shell in the .gif file, and uploaded it.

An interesting note, if you inspect the element after a successful upload, there is a unique hash in the comments.

In other write-ups they were able to deduce that the image is uploaded to /imfadministrator/uploads/HASH.extension
So if I navigate to:
I can see the header of the gif file. And more importantly can send commands to the shell, for example:

Will give me a directory listing. And I can cat out the flag in this directory:

Flag5: agentservices


Popular posts from this blog

Emotet Downloader Write-Up

This write-up is for a macro embedded doc used as a downloader for Emotet. Author: 5k33tz MD5: 43d2a3df73fdcb10b9429a480d96ddcf This sample first came to my attention by way of an alert for a download from an Emotet related URL. Looking at the PCAP I see a GET request to After grabbing the file from the source and hashing it, I realized there were already 21/44 detections on VT. So I wanted to do some manual analysis to strengthen my skills and see how this sample works. Running file against the sample: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Arorupyzheh-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Aug 25 00:31:00 2018, Last Saved Time/Date: Sat Aug 25 00:31:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0 We can see it's a Word Doc, but probably the

IceCTF 2018 - Picasso [Forensics]

Forensics – 1. Picasso Author: 5ynax and Valrkey Worth:  $150 Description: The challenge involved a GIF that we needed to extract a message from. So, for this challenge, we had two ways that we solved it at almost the same time. We have the long (5ynax) way and we have the fast (valrkey) way. The Long Way In the long way, I decided to extract each frame of the automated GIF and then import them into GIMP to layer them on top of one another. I used an online tool to get all of the frames, there was a lot of them, I used After I got the frames split up, I downloaded them and moved them to my box with GIMP ready for analysis. I later learned that I could have just imported the GIF into GIMP directly using the open as layers routine, but that's neither here nor there. For each layer there is an Alpha Channel. In GIMP under the colors menu, you can select the Color to Alpha Routine to get this box: This allows you to choose a color an

IceCTF 2018 – Anticaptcha [Miscellaneous]

Miscellaneous – 2. Anticaptcha Author: valrkey Worth: $250 Description:  Wow, this is a big captcha. Who has enough time to solve this? Seems like a lot of effort to me! As you can tell by the tiny scroll bar, there were a large number of questions (609) to be answered. To make things more difficult, each time the question was visited, the order and numeric value would be randomized. The questions generally followed one of three formats: What is the # word in the following line: ...? Is # a prime number? What is the greatest common divisor of # and #? For each of these question formats, I wrote a PowerShell function to determine the answer. Word in Line This function takes in the INDEX of the word requested and the LINE to take the word from. I added a line word length check just in case the IceCTF staff are jerks and give a too-large index. Everything should be accounted for the after mapping the 1st word" to the 0th array index and getting rid of any