Chili Vulnhub Walkthrough

In this article, we are going to solve another boot to root challenge called chili. this is an easy level box. this VM is hosted on the vulnhub server. you can download here this box

Network Scanning

Let’s discover the target IP address by using Nmap ping scan.

In my case my target IP address is 192.168.43.53 and our next step is to scanning all ports and running the services.

our scanning is complete and Nmap discovers two open ports 21/FTP and 80/HTTP running apache httpd server.

Enumeration

Let’s navigate the target IP address on the browser.

After checking page source and try some stenography trick but we couldn’t found anything useful. then we starting brute forcing on port 21 FTP using hydra tool.

It takes a minute and hydra discover a valid username and password for the FTP server let’s log in with FTP using these credentials.

Now we login we chili user we move the Apache home directory and we run the dir -a command and we found hidden directory .nano and our current user have full permission this directory here we put our php reverse shell.

our shell is upload successfully but our shell hasn’t executed permission let’s change the permission our reverse shell.

Now we start our net-cat listener and using the curl command we execute our reverse shell by navigating our reverse shell directory.

Privilege Escalation

Privilege escalation of the machine very easy we have read-write permission of the passwd file. now first we generate a password hash for our new user and using the echo command we add our new user passwd file. and we switch the shell by using the su command.

more about Passwd file privilege Escalation you read the article.

and we have a root shell target machine let’s move the /root directory and read our final flag proof.txt