Tuesday, January 25, 2022



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine EVM, from the VulnHub pentesting platform.

-  EVM can be downloaded from here:,391/

- Once EVM has been downloaded and extracted with VirtualBox:


- netdiscover helps to find EVM's IP:

- Scanning with Nmap:

- Browsing the web server, there is a message about a vulnerable WordPress web app:


- WPScan discovers WordPress plugins and users, for instance the user c0rrupt3d_brain:

- WPScan again, now in combination with the wordlist rockyou.txt, discovers the credentials c0rrupt3d_brain:24992499:

- The Metasploit exploit wp_admin_shell_upload helps to obtain a shell, with c0rrupt3d_brain:24992499 set as parameters:

- Running the exploit, a Meterpreter session is opened:


- Looking for folders and files, we find root3r:

- Inside root3r there is a text file .root_password_ssh.txt where we can find the password willy26:

- However, it is not valid for SSH login as root:

- Trying another way: to switch to root from the Meterpreter session, we need a shell:

- Improving the shell:

- Now a root shell is obtained:


- Finally, reading proof.txt:

Wednesday, January 19, 2022



- Layout for this exercise:

- The goal of this exercise is to develop a hacking process for the vulnerable machine RickdiculouslyEasy, from the VulnHub pentesting platform.

- RickdiculouslyEasy can be downloaded from here:,207/

- Once RickdiculouslyEasy has been downloaded and extracted with VirtualBox:

- The description of the virtual machine says that there are 130 points' worth of FLAGs available:

- Searching for the IP:

- Scanning with Nmap:

- Exploring the FTP server, we find that Anonymous login is allowed:

- A 10-point FLAG (10/130) is available:

- Scanning port 22, we don't find anything special:

- Another 10-point FLAG (20/130) is available just by scanning port 13337:

- Scanning port 9090, we find a web server:

- Browsing the server at port 9090, we find a 10-point FLAG (30/130):

- Scanning port 60000 suggests the presence of an available reverse shell:

- Connecting to port 60000 with Netcat, we discover a 10-point FLAG (40/130):

- Scanning port 80:

- Dirbusting port 80, we find robots.txt and passwords:

- robots.txt points to two CGI scripts:

- Going to the passwords web page:

- Reading a 10-point FLAG (50/130):

- Also, there are directions for a password that could be hidden:

- Just viewing the source, we find the password winter:

- The first CGI script is under construction:

- The second CGI script leads to a tracer:

- Trying to run commands in the tracer, it works with id:

- cat and more provide /etc/passwd, where we learn about users RickSanchez, Morty and Summer:

- Scanning port 22222, it is an SSH server:

- Trying the credentials morty:winter, access is denied:

- Trying the credentials Summer:winter, it works:

- Another 10-point FLAG (60/130) is available:

- Unfortunately, user Summer does not have sudoer privileges:

- Looking for files in /home:

- Morty has interesting files inside his home folder:

- Transferring Safe_Password.jpg and from RickdiculouslyEasy to Kali:

- Transfer is successful:

- Applying the strings command to the picture Safe_password.jpg, we discover the password Meeseek, needed for opening

- Unzipping with the password Meeseek, we find a 20-point FLAG (80/130). It says that the flag 131333 could be a safe password, an interesting hint for later:

- Now, let's explore user RickSanchez's home folder:

- There is the executable file safe:

- However, it's not possible to run it:

- Let's transfer safe to Kali:

- Running ./safe, it seems some argument is needed:

- Inputting the flag 131333, we discover a 20-point FLAG (100/130 points), along with some directions for finding RickSanchez's password:

- The other folder does not contain flags:

- So let's try to apply the hints found earlier for RickSanchez's password:

- First of all, we are able to find information about RickSanchez's band just by using Google:

- Now, taking the 3 words of the band (The, Flesh, Curtains), and applying crunch:

- Joining the three files into one:

- Applying Hydra to the user RickSanchez, with ps.txt as the password list against SSH on port 22222, we find the new password P7Curtains:

- SSH-ing with the credentials RickSanchez:P7Curtains is successful:

- It happens that user RickSanchez has (ALL)ALL sudoer privileges:

- Getting a root shell:

- Reading the last 30-point FLAG (130/130):
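
Seen from the defender's side, the Hydra run against the SSH server described above leaves a burst of failed logins for one user followed by a successful one in the sshd log. The following is an added example, not part of the original walkthrough, that flags this pattern; the log lines, host name, addresses, threshold and time window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH auth-log messages; "port" in the message is the client's source port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_guessing(lines, threshold=5, window=timedelta(seconds=60), year=2022):
    """Flag (ip, user) pairs with >= threshold failed logins inside `window`,
    and record whether a successful login followed the burst."""
    recent = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    alerts = {}                  # (ip, user) -> {"failures": n, "compromised": bool}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "compromised": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif key in alerts:             # any later success from a flagged pair
            alerts[key]["compromised"] = True
    return alerts

# Constructed sample log (host name and addresses are made up).
SAMPLE = [
    f"Jan 19 10:00:{s:02d} target sshd[900]: Failed password for RickSanchez "
    f"from 192.168.1.50 port {40000 + s} ssh2"
    for s in range(1, 9)
] + [
    "Jan 19 10:00:09 target sshd[900]: Accepted password for RickSanchez from 192.168.1.50 port 40009 ssh2",
    # a single mistyped password followed by a login must not raise an alert
    "Jan 19 10:05:00 target sshd[900]: Failed password for Summer from 192.168.1.77 port 50100 ssh2",
    "Jan 19 10:05:07 target sshd[900]: Accepted password for Summer from 192.168.1.77 port 50101 ssh2",
]

if __name__ == "__main__":
    for (ip, user), info in detect_guessing(SAMPLE).items():
        print(f"{ip} -> {user}: {info}")
```

Keying on the (source address, user) pair catches a wordlist run against one account; guessing spread across many users or sources needs a separate aggregation.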