In this post, I would like to share a walkthrough of the Sustah room.


This room is rated as a MEDIUM difficulty machine.


Let’s Start!


We need to deploy the machine before we can work on it.


Once the machine is fully up (within about 3 minutes), we can start information gathering on it by executing the command nmap -sC -sV <IP Address> -PN

Information Gathering on Sustah


Multiple ports are open, but the ones that caught my attention are:

  • 22: OpenSSH 7.2p2
  • 80: Apache httpd 2.4.18
  • 8085: Gunicorn 20.0.4

Let’s see what appears on the website.


Nothing we can do here right now. Let’s look at the website served on the other port, 8085.


Oh wow! There’s a spin button. When we click it, it asks us to input a number and press enter.


There are two methods of obtaining the number and the path at the same time.

Enumerate with Burpsuite


We can see the X-RateLimit-Limit header in the response.


Before we proceed, we need to know the following HTTP headers:

  • X-Originating-IP: 127.0.0.1
  • X-Forwarded-For: 127.0.0.1
  • X-Remote-IP: 127.0.0.1
  • X-Remote-Addr: 127.0.0.1
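These headers matter because an application that reads the client address from them rate-limits whatever key the sender chooses. As an added example (not code from the original post or from the room's Gunicorn app), here is a stdlib-only limiter with the weak key function beside a hardened one that only honours X-Forwarded-For from a trusted proxy; the proxy address, limit, window and sample addresses are all constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Headers an application might consult for the client address. Any client can set
# all of them, so none is trustworthy unless a trusted proxy appended it.
CLIENT_IP_HEADERS = ("X-Originating-IP", "X-Forwarded-For", "X-Remote-IP", "X-Remote-Addr")
TRUSTED_PROXIES = {"192.0.2.10"}  # constructed: the only reverse proxy we accept

def naive_client_key(remote_addr, headers):
    """Weak: trusts whichever spoofable header is present, so the sender picks its key."""
    for name in CLIENT_IP_HEADERS:
        if headers.get(name):
            return headers[name].split(",")[0].strip()
    return remote_addr

def hardened_client_key(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and then use
    the rightmost hop, the one that proxy appended (clients control the rest)."""
    if remote_addr in trusted_proxies and headers.get("X-Forwarded-For"):
        candidate = headers["X-Forwarded-For"].split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed value: fall back to the socket address
    return remote_addr

class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key."""
    def __init__(self, limit, window, key_func):
        self.limit, self.window, self.key_func = limit, window, key_func
        self.hits = defaultdict(deque)

    def allow(self, remote_addr, headers, now):
        q = self.hits[self.key_func(remote_addr, headers)]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def simulate(key_func, attempts):
    """Constructed scenario: one untrusted address sends `attempts` requests within one
    second, each with a different X-Forwarded-For value; returns how many got through."""
    limiter = RateLimiter(limit=5, window=60, key_func=key_func)
    allowed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"10.0.0.{i % 250 + 1}"}
        allowed += limiter.allow("203.0.113.7", headers, now=i / attempts)
    return allowed
```

With the naive key every request lands in a fresh bucket, so the limit never triggers; with the hardened key all of them share the socket address and only the first five pass.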

Brute-Forcing the packet via Burpsuite on Sustah Room


Let’s run the Intruder function to obtain the path and the number we need to proceed.


It will take some time for the results to appear. We can test whether a number is valid by entering it in the input field and pressing the button.


Let’s open the discovered path in the browser.

MaraCMS RCE


Mara CMS appears on the website. To be honest, I have never used Mara CMS before, so let’s google to see whether there is any public exploit for it.


The first result looks interesting; let’s see what the exploit holds for us.


From the exploit above, I found the following information that we might use later.

  • Username: admin
  • Password: changeme
  • http://target/codebase/dir.php?type=filenanew

Let’s find the login page for the Mara CMS dashboard. I will guess the login page path here as <IP Address>/YouGotTh3P@th/index.php?login=


Most websites on the internet have an index.php page.


Wuhuu! We got the login page, where we need to key in the username and password to access the dashboard.


I nearly had a breakdown trying to crack the username and password for this website. However, I just remembered that we were provided with a username and password in the Exploit-DB entry. Let’s try logging in with those credentials.


Let’s find a location to upload the reverse shell to the machine.


Let’s click File > New; the website interface will then look like this:


It looks like the website has redirected to the http://target/codebase/dir.php?type=filenanew location. Let’s upload the reverse shell through the website.


Before we browse to the uploaded file, we need to start a listener.


The website has been loading for some time now; let’s check whether the listener has received a connection back.

Obtain a Reverse Shell on the machine


We have a shell in the server environment. Let’s grab user.txt in /home/kiran.


As you can see, we cannot read the user.txt file: permission is denied.


We need to look for kiran’s password, so let’s go to /var/backups, where we might find some interesting files.


We can see the passwd.bak file, which might contain the username and password we need.


Once again, file permissions prevent us from reading it. Let’s see whether there are any hidden files in /var/backups.


Oh wow! I found .bak.passwd in the folder. Let’s check what’s written inside that file.


We have kiran’s password. Let’s switch to the kiran user.


Once we have successfully logged in as kiran, we can access /home/kiran.


Now we can read user.txt, shown below.


Let’s enumerate further to escalate to root privileges.


We have executed some commands such as find / -user root -perm /4000 2>/dev/null and sudo -l but didn’t find anything interesting.


So let’s run linpeas.sh on the machine.


Now, let’s execute linpeas.sh as shown below:


Once linpeas.sh completed, I analysed the results and found that kiran can run rsync.


Let’s go to GTFOBins and search for any technique that we can use.


Now, let’s execute the command that we found on GTFOBins.


The command doesn’t work at all; we might need to tweak it for it to work.


And it still fails. So, let’s execute it from within /var/backups.


We got the bash shell on the Sustah room.


Let’s read the root flag in the /root/ directory.

-THE END-


Happy Learning Guys!