hackNos ReconForce walkthrough vulnhub CTF

hackNos Reconforce Walkthrough Vulhub CTF Machine is create by Rahul Gehlaut

Download hackNos: ReconForce VM here

Today we are solving hackNos ReconForce is Created by Rahul Gehlaut


Our First Step is a network Scanning Finding our target IP address Today I use netdiscover for All network scanning

After finding our target IP address Our next step is to scan our target with Nmap.


we see the Nmap scan target machine three-port are open 21/ftp, 22/ssh, and 80/http service and the target is allowed, anonymous user login

FTP login

I go to ftp login and connecting with ftp username and ftp password and ls command to see target directory and the target directory is empty and we see the target ftp banner Security@hackNos

  • username: ftp
  • password; ftp

I try the banner for Troubleshoot login page password field and try command username admin and us successful login with 5ecure page.

  • web username: admin
  • web pass: Security@hackNos

After trying many attempts our target is vulnerable command injection I run the ID command and before our command using ( | pipe ) and hit enter.

our browser is show response next page and we see the target uid and guid.


Without wasting our time I go to create a php reverse shell with msfvenom raw formate and copy a shellcode and paste shell.php file.

Now downloading our shell payload target machine I start our python local server port 99 downloads the payload wget command

before executing our payload I start our msfconsole multi handler payload listener specified lport and lhost

Executing our payload with using pip and type php our shell name

we see the msfconsole window we got a reverse connection target machine now I run the shell command and we see the blank shell now import python3 for proper shell

After enumeration target directory I go to target home directory and see a user recon I am trying to changing our current user shell with su switch user command and try the password 5ecure login page

After loning with recon user I run the ID command and see the user group name we see the user recon with docker group.

Privilege Escalation

I install virtual image ubuntu with docker

After installing our ubuntu image I run the command docker run ( -it interactive mode ) and -v ( verbose ) and our mounting point or our image file name

we see the root shell docker virtual image ubuntu and I changing our directory mounting point /mnt and type ls command to see all file /mnt directory we see the target root directory and our last root flag cat command to open the file

Five86-1 Walkthrough Vulnhub CTF read here

6 thoughts on “hackNos ReconForce walkthrough vulnhub CTF”

  1. Hi, I tried this machine from VulnHub and I have a couple of things to say:

    1 – The banner shows “Secure@hackNos”, not “Security@hackNos”
    2 – You can simply escalate by commanding “sudo su” since in the sudoers file the recon user can do anything as root

    Nice machine 🙂

  2. Rahul – the machine is overall good… one suggestion i have is to disable ssh to force users to go the docker path. I was simply able to bypass 90% of the steps in this walk through by ssh as the user and then sudo -i with the password, hence making privesc way easier than it should have been. Nice work though.

  3. Dear Sir, I am a beginner. I Download it and I install it in VMWare. I am not able to connect his VM.
    I have tried to connect with host-only, nat, and bridged network

Comments are closed.

Exit mobile version