Vulnhub:R-temis:1 walkthrough.

Hi all in this walk-through I show how to get root on the box R-temis:1 from vulnhub.

This is rally a simple machine. Let’s start with nmap scan.

nmap showing 80,3306 and 7223 open.

Used dirb for enumerating the directories and files on web.

easy.txt

The contents of easy.txt is below.

+++++ +++++ [->++ +++++ +++<] >++++ +++++ +++++ .++.< +++[- >---< ]>---
---.+ +++++ ++.-- --.<+ ++[-> +++<] >+.< rtemis
+++++ +++++ [->++ +++++ +++<] >++++ +++++ +++++ ++.<+ +++++ +[->- -----
-<]>- --..< +++++ ++[-> +++++ ++<]> +.<++ ++[-> ----< ]>.<+ ++++[ ->---
--<]> ----- ----. <++++ +++[- >++++ +++<] >++.. < t@@rb@ss

So we have rtemis as user and t@@b@ss as password. Let’s ssh using this.

Now we are rtemis user. File ”.bash_history” shows somu user can access the mysql but for that we need password.

I also viewed the contents of .mysql_history and it gave me root password. Let’s try it.

.mysql_history file

I used the password mentioned for root and I got root access.

Flag:

And that’s it this is a very simple machine no need to brute-force no RCE, only enumeration.

Hope you like the walk-through.