Vulnhub Writeup — Acid

Hi, my name is Faisal Husaini and this is my writeup on Vulnhub machines after taking a little break from HackTheBox.


We first find the IP of the box so that we can do further work

We see that here our IP is , so we now run NMAP Scan against it


So we run Nmap against the IP of the box

We get only 1 port open, which is running Apache httpd, a web service, so now we move on to checking it further


Opening the IP in the browser along with the port, we get

We get a webpage which gives us the message “Fairy tails uses secret keys to open magical doors.”

Running Gobuster against it

Also checking the source code, we get

Scrolling down more, we get something interesting

We see a hex code, so we go online to decode it to ASCII and get

We see it decodes to a base64 string; decoding the base64 string further, we see

Moving on to the /Challenge directory, which we got from the Gobuster scan

We get a login page. Since we didn’t get any creds before, I first view its source code

In the doctype section at the very top, I see the string “gkg.qvpn”, which is a ROT13-encoded string, so we move on to decoding it

So I used an online tool to decode it and got “txt.dica”, which is “acid.txt” in reverse order. When checking that txt page in the /Challenge directory, we get
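The two decoding steps above (hex to base64, then ROT13 plus reversal) can also be done offline rather than with an online tool. The Python sketch below is an added example, not part of the original writeup; the hex sample is constructed because the page's hex string is not reproduced here, and the function names are hypothetical.

```python
import base64
import binascii
import codecs
import string

PRINTABLE = set(string.printable)

# Constructed sample: a made-up file name wrapped as base64, then hex.
SAMPLE_HEX = base64.b64encode(b"constructed-sample.txt").hex()


def rot13_reversed(s: str) -> str:
    """Undo ROT13, then reverse the string (the order used in the writeup)."""
    return codecs.decode(s, "rot_13")[::-1]


def _try_hex(s: str):
    # Accept only an even-length run of hex digits.
    if len(s) < 2 or len(s) % 2 or any(c not in string.hexdigits for c in s):
        return None
    return bytes.fromhex(s)


def _try_base64(s: str):
    try:
        return base64.b64decode(s, validate=True)  # strict alphabet and padding
    except (binascii.Error, ValueError):
        return None


def peel(s: str, max_layers: int = 5):
    """Strip hex/base64 layers until neither applies; return (text, layers)."""
    layers = []
    for _ in range(max_layers):
        s = s.strip()
        for name, decoder in (("hex", _try_hex), ("base64", _try_base64)):
            raw = decoder(s)
            # Only accept a layer if the result is still printable ASCII;
            # this stops short plain words being mistaken for base64.
            if raw and all(chr(b) in PRINTABLE for b in raw):
                s = raw.decode("ascii")
                layers.append(name)
                break
        else:
            break  # no decoder accepted the input: plain text reached
    return s, layers


if __name__ == "__main__":
    print(peel(SAMPLE_HEX))
    print(rot13_reversed("gkg.qvpn"))
```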

We get a PHP page named “protected_page.php”; accessing that

But as we see that /Challenge holds files, I run a Gobuster scan against it

We get many files and directories, so we try to access the cake.php file

We see it gives us a message that there is a long way to go. Also, looking at the header, we see /Magic_Box, which might be a directory, and since it is unique it might have been skipped in the Gobuster scan, so let’s try to access it

We get a forbidden error, so we again run Gobuster against it

We get 3 PHP files and one directory, so I access the command.php file

So this is a pinging page, so we ping our local machine and see if it really does that

So we get a ping; let’s try command execution here

When we try the ls command, we get

We don’t see any results, but checking the source code

We do get the results of the ls command, so now we move on to getting a reverse shell

Looking at our netcat listener

We get our reverse shell back, so now we get a proper TTY shell

So now we move on to getting root. After searching and searching through files, we get

A folder named raw_vs_isi, which is odd, and you know it if you are an Indian :P

So looking further into it we see a hint.pcapng file, which we can confirm with the file command

So I just copy this file to the web directory so that we can get it to our box and analyze it

Now we get the file to our box

Analyzing the file in Wireshark, we see

Here we see a message “What was the name of the Culprit?”

Moving further to other packets, we also see

We see “Saman and nowadays he’s known by the alias of 1337hax0r”; also, Saman is a user on this box

So now we try to log in as the user Saman with 1337hax0r as the password

We got logged in as the saman user

Now, we run the sudo -l command and see

We see that we can run all commands with sudo

So we just run bash with sudo and see

We are now root, so let’s get the flag

If I missed something, please forgive me as I solved this box while suffering from fever