thoth tech walkthrough writeup vulnhub security

Thoth Tech Walkthrough – Vulnhub

Thoth Tech is one of the easy machines from Vulnhub. Unless you are doing machines for the first time, you can definitely pawn this target. As usual, I am trying this machine on VirtualBox, and it works. It just took me about 5 minutes to get to the root shell. Let’s begin “Thoth Tech Walkthrough – Vulnhub”.

Link to the machine:,734/

AdmX 1.0.1 Walkthrough – Vulnhub – Writeup

Find the IP address

First of all, we have to look for the IP address of the machine. There are live hosts detection tools like fping, netdiscover, nmap, etc. for this purpose.

fping -aqg 10.0.0/24
The IP address of the target

Look for the exposed services

The next thing is that we have to identify the exposed services on the target. We can do this by using Nmap.

sudo nmap -v -T4 -p- -A -oN nmap.log 
Nmap scan results

We can see from the results that we have anonymous FTP access. Likewise, we also see a file note.txt.

Log into the FTP server anonymously

I use the lftp as an FTP client as it is more feature-rich than the default client.

lftp -u anonymous,
Note.txt from the FTP server

We get a possible username from the note. Similarly, it also suggests we perform a bruteforce on password as it is very weak and trackable. In these cases where both FTP and SSH services are open, I prefer cracking the FTP password and reusing it in the SSH service. This is because SSH servers impose restrictions on bruteforcing, i.e. they limit the requests.

hydra -l pwnlab -P /home/kali/rockyou.txt ftp
Cracked the password of the user pwnlab

Now, we can log into the SSH server.

ssh pwnlab@
User shell

Root privilege escalation

Now that we have the user’s shell, we can check the sudo permissions of the user.

sudo -l
the sudo permissions of the user pwnlab

This gives us root access.


sudo find . -exec /bin/bash \; -quit
Root shell

2.7 3 votes
Article Rating
Notify of
Inline Feedbacks
View all comments