Please note this challenge does not require SSH brute forcing.

Use your skills to access the user and root account!

This room is part of the Turmoil series

Here is a machine information

Title Madness
Difficulty Easy
Point 60
Maker optional
Infor This is a free room, which means anyone can deploy virtual machines in the room

RUSTSCAN, Enumeration and Gathering Information

Normally, i will use the rustscan as scan the host and gathering machine information

rustscan -b 500 machine-ip -- -sv -sC -A

-b : the batch size for port scanning, it increases or slows the speed of scanning. Depends on the open file limit of your OS. If you do 65535 it will do every port at the same time. Although, your OS may not support this [default:4500]

-sV -sC -A: it is Nmap custom flag when rustscan run nmap. </em>

It will take few time to scan:


We got 2 open ports recently includes 22, 80. as the title of machine that not brute forcing for SSH service.

Let’s view at port 80. There is Apache2 web server. As normally, i will do the gobuster to check what is hidden in the application or not. but it take a lot of time. And nothing interesting in the end. I try to look at page source and saw it: gs1

Downloaded it and using exiftool for further informtion.


it seems the jgp extension but the MIME type is png. Let’s change the signature via Hexeditor. I am using this site to change signature.

Changed it via Hexeditor


Saved and check. Now we have the hidden resouce url.


Go to the hidden url:


We need to enter secret thing some place. but we don’t know yet. View page source again, we got the hint:

It’s between 0-99 but I don’t think anyone will look here

The secret thing is between 0 to 99. But we don’t know where to put the secret thing and aslo what is the name of param. I tried to put it after slack like /99 but it’s not. And i tried as a param like this ?secret=99. Boom!!! the secret is reflect to html.


Now i need to loop it using burp suite tool. Using intruder and sort with length we have the number.


From this number we got the secret word. But i don’t where to user again. I back to image in the very first. Using steghide tool to check what the thing is hiden or not.

i run and it ask for passphrase. Enter secret and got the hidden message.

TO check info:

    steghide info thm.jpg

To extract the hidden file.

    steghide extract -sf thm.jpg


Now we have the username of ssh in the hidden.txt. but the user have encoded. Let go to to check what kinds of encoded.


it was ROT13 encoded. Let find the password. As in the title, we can not brute force for ssh password. it may be very secure and it should be hidden some where. I am stucking for long time and decide to read the hint from

Oh got he hide the password in the very begin of room. Download and got the password.

steghide extract -sf 5iW7kC8.jpg


Just hit enter at passphrase. Now we can access into machine via ssh. We got the user flag.

Time to get root.

Privilege Escalation

As ussually, i check sudoer file but user can not run sudo on the system. I check SUID via

find / -perm /u=s 2>/dev/null


there is screen-4.5.0 with suid. I try to google wwhat it is.

Change to tmp directory, crate and copy all bash script from exploitdb. Then provide permission for it.

chmod +x


wait for the script run. Then we got root.


and finally, we got the root flag at /root/root.txt

Happy Hacking!!!