HackmyVM: forbidden write-up

3 min readNov 29, 2022


Let’s solve the boot to root machine from Hackmyvm forbidden.

Find the open ports using nmap.

nmap scan to find all open ports

Anonymous FTP login is allowed.

nmap showing anonymous FTP login is allowed

I logged in into FTP using anonymous login and found 3 files: index.html, note.txt and robots.txt

contents of index.html
contents of note.txt

Same files are discovered during enumeration using gobuster, so this means that we can put/write our files on web server.

gobuster showing index.html,robots.txt and note.txt

I tried uploading files with .php extension, but when I tried to access the files from browser, it is not executing the files and I am unable to get the reverse shell. Then I tried extension .php3 it did not work. Then I uploaded a backdoor file with .php5 extension which works for me.

I started the netcat listener on my localhost and got the reverse shell.

payload to get the reverse shell
obtained the reverse shell on kali

From index.html we have potential username “marta”, and in note.txt it is also mentioned about the image files which might contain the password for the user. So I searched for the .jpg file on the machine.There is a file called “TOPSECRETIMAGE.jpg”

I transferred this image on my local machine using nc.

I run exiftool to see if it contains any hidden data also used strings on it, but all this is of no use. Then after some time I tried the image name as password to login as marta. I am able to login as marta.

able to switch user to marta

Used sudo -l command to see what marta user can do on the system

sudo -l result for marta user

As per gtfobins, we can read files using join, lets try to read /etc/shadow file.

reading /etc/shadow using join command

Let’s copy all the hashes on the local machine and user hashcat to crack it with rockyou.txt

hashcat for cracking the hashes

It gives me the password for the peter.

peter’s password
switched to user peter

The sudo -l shows, peter can run setarch command without password.

According to gtfobins we can run commands with setarch.

privilege escalation using setarch command