Vulnhub Pylington: 1 Write-up!!

Hi, hope you are well and healthy. This is the write-up for the Pylington-1 vulnhub machine.

If you want to solve this machine you can download it from here.

Vulnhub Pylington-1

Let’s begin with finding all open ports on the machine using nmap.

nmap: finding open ports

Now lets find the services and their version on port 22 and 80.

Service version

As we can see, there are 3 disallowed entries in robots.txt When we visit the port 80, below page in opened in browser.

port 80

Robots.txt entries:


When I tried to visit, /register page, I got the message that currently we are unable to register.


Then I visit “/zbir7mn240soxhicso2z”, I got the username and password.

When I logged in, I got redirected to below page.

As it says, it is a Super Secret Python IDE and it also mentioned it uses sandbox. Just to test the IDE, I used print command which worked with no issues. Then I used “__import__ (‘us). system (‘ls -la’)”, I got below message.

Then I searched for “NoImportOS Sandbox code executoin BYPASS”, got below result

I used below payload:

Payload in hexadecimal:




We have code execution, then I used nc to get reverse shell.

Final Payload:


Started the netcat listener on port 443 on attacking machine and execute the above payload, got reverse shell.

As we see, there is a file named “typing” with suid bit set.

Road to user py:

I execute the “typing” file and got the password for use py.

Using above username and password I SSH into the box.

user flag

In the py directory, there is a directory called secret_stuff which has couple of files. The backup has a suid set and it is running with root permission

Source code for backup.

The backup append the line to the file in the directory /srv/backups/. If we want to become root, we can add user with root permission in the /etc/passwd file, but the source says it should be in /srv/backups/.

Lets first create a password for the username using openssl.

both username and password are rootit

We need to append below line to /etc/passwd file:


Able to append the line into /etc/passwd

Lets try to login with it.We are now root on the box.

root flag.

Hope you like the write-up…stay home stay safe.