How to root DX1: Liberty Island – THM – En

Can you help the NSF get a foothold in UNATCO’s system?


DX1: Liberty Island is a medium level CTF proposed by TryHackMe .  The web enumeration is instructive in that you have to create your own wordlist. The privilege escalation is a bit complex. It is a good CTF to progress. 


Command :

nmap -T5 -p- -sVC

There are 3 open ports:


80 – HTTP –

5901 -VNC-

23023 – HTTP – UNATCO Liberty Island – Command/Control


WEB enumeration on port 80

In the robots.txt file, NMAP shows us the presence of the /datacubes directory. When we go there, the site redirects us to this new URLhttp://


According to the information displayed, these appear to be archived messages. Let’s see if there are others. To do this, with Gobuster, we will parse the archives by going to the /0001 page and then /0002.

Création d’une liste de numéros :

I did this with Excel to save time from a Windows PC. In a text format cell, you have to put 0000 and pull (+) up to 1000.

Then you have to copy the column in the Notepad, then copy-paste its content in a file under Kali which will then be used with Gobuster.

Démonstration en vidéo

Commande :

gobuster dir -u -w num.txt

We have 6 results. I let you look on what is on the others. I’ll go straight to the last /0451…the most interesting…


It is explained that the VNC login on jacobson’s machine is composed of “smashthestate” with a hmac’ed key which is present in the “bad actor” list, all converted with the MD5 hashing algorithm.

Bad Actors

The list can be found on the website at this URLhttp://

The only indication for the username are the initials JL. In the “bad actor” list, the only name with his initials is jlebedev


Création du mot de passe VNC

The website us to calculate the hash of the password.

Only the first 8 characters should be taken.

Initial foothold - VNCVIEWER

Command :


Once connected, there is a badactor-list executable on the desktop.

Execution badactor-list

We will run this application to see what happens.

The app does 2 things. It synchronizes at the address http://UNATCO on port 23023 and once the connection is established, it seems to retrieve the list of Bad Actors.

Recovery of badactor-list locally on Kali.

Setting up a web server with python

Command :

python3.8 -m http.server

Recovery on Kali

Command :


Wireshark and Buprsuite

With the help of Wireshark, we will see what is happening at the network level. You must first modify the HOSTS file, so that the application connects to the right place and therefore retrieves the bad actors list.

Once the capture is finished, we will use the http filter to eliminate all frames linked to VNC.

To see the http request in detail, right-click on it and follow http stream.

In the window that is displayed, we retrieve the communication between Kali and the UNTACO server. We can see that there is a directive command that performs a cat on the file badactors.txt on the URL UNATCO:23023

We will retrieve this query and rerun it with BurpSuite

Access to URL :23023


Intercepting the request with BurpSuite

Renvoi de l’interception dans Repeater et y copier la requête vu dans Wireshark.

Return the intercept to BurpSuite and copy the request seen in Wireshark there.


We can see that we are recovering the list of bad actors.

By changing the cat command to the id command, we can see that we have root rights.

Escalation of privilege

The rest then is simple. There are several methods to gain root access.

Command :

Directive : cp /bin/bash /tmp

Directive : cd /tmp

Directive : chmod 7777 /tmp/bash

Then you have to go back to the VNC console, and go to the /tmp folder via the file explorer and run bash through the terminal.

Command :

./bash -p


That’s all folks

Thank you for taking the trouble to come to the site to read this Write Up

I hope you found it useful and that it taught you some new things.

Feel free to leave a comment or share this article.