walkthrough hackable II vulnhub writeup

Hackable II Walkthrough – Vulnhub – Writeup

Hackable II is an easy machine that everyone can root. So, I am doing this walkthrough if you are stuck somehow. Also, I am trying this machine on VirtualBox. “Hackable II Walkthrough – Vulnhub – Writeup”

Link to the machine: https://www.vulnhub.com/entry/hackable-ii,711/

Walkthrough of Cap from Hackthebox

Identify the target

Firstly, I had to get the IP address of the target machine.

sudo netdiscover -i eth0 -r

My IP address is whereas that of target is

Scan open ports

Now that I know the IP address of the target machine, I have to scan open ports so that I would know the exposed services.

nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log

As we can see above, we have an FTP server that has allowed anonymous access. Likewise, nmap also displays the filename. So, I am going to look at the file first.

cat CALL.html

It doesn’t say anything right now.

Enumerate web server

Since the FTP server didn’t hinted anything on its own, I did directory enumeration.

gobuster dir -u -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/big.txt -o gobuster.log

Clearly, there is a directory that I could take a look into.

So, it looks like the directory ‘files’ is served on FTP server. Thus, if I could place a webshell in the FTP server, I could execute it using the web browser.

Inject a reverse shell

I would use a web shell from pentestmonkey. Since I am on kali linux, I have this in the directory ‘/usr/share/webshells/php’. Otherwise, you can take a look at the following link.


Now, I changed the IP address and port. Then, I listened at the port.

nc -nlvp 4444

Once again, I opened the ftp client and tried to put the shell in there.

put shell.php

As we can see, the FTP server had write access. So, I could write on the directory which is being served by the FTP server. As I know the directory, I directly opened the shell from my browser.

Like this, I got the shell. I did a few tweaks to make it smart.

SHELL=/bin/bash script -q /dev/null
export TERM=xterm
# do Ctrl + Z
stty raw -echo;fg
stty cols 143 rows 43

Get user’s access

My next step would be getting access to one of the users of the machine. So, I looked up the users first.

There is a user named shrek. Hence, either I need to get the credentials of shrek or get a way to enter his shell without a password.

So, I found a file in the directory /home.

cd /home
ls -al
cat important.txt

So, I looked at the content of the script file.

ls -l /.runme.sh
cat .runme.sh

The author had tried to troll us but I escaped his trolling. However, on the bottom of the file, there is something that interested me.

It is an md5 hash of something. Thus, I went to crackstation to crack it.


The hash was of the word ‘onion. This word was also present on the file CALL.html.

Hence, I gave it a shot as the password of the user shrek and that worked as well.

su shrek

Finally, I got the user’s flag.

Get root shell

We came to the last bit of the challenge now. Basically, in this stage, I first check SUID binaries, sudo permissions and binaries with capabilities.

sudo -l

When I checked the sudo permissions, the user shrek doesn’t require a password to execute commands as root. Now, we can get a shell of the root user using this binary.

Reference: https://gtfobins.github.io/gtfobins/python/#shell

sudo python3.5 -c 'import os; os.system("/bin/bash")'

Lastly, I got the root flag.

cd /root
ls -al
cat root.txt


Like I said during the start of the walkthrough, this is a very easy machine to do the challenge. Hence, I recommend this to very beginners into the CTF challenges. You guys can also recommend this post to someone who wants to start with very basic challenges.

5 2 votes
Article Rating
Notify of
Inline Feedbacks
View all comments