VulnHub’s Unknowndevice64: A Walkthrough

Unknown64 is a Linux machine created by unknowndevice64 and hosted on VulnHub.

Let’s start exploring this box


We use netdiscover to find the IP.
An Nmap scan on the target gives us:-

Only the Elite service is open.
Elite: a term given by hackers.

Heading to, we found that it hosts a website.

We downloaded the key gif file. Running exiftool did not help

Running dirb on http:31337 did not give any results
Well, we are not able to see the red text

We saw a file named key_is_h1dd3n.jpg. I assumed that it was the image we downloaded earlier.

Let us try it as a directory path. We get an image:-

There is no page source for this.
Downloaded the image and ran an exiftool scan. No dice.


Tool to be used: steghide. Steghide tries to find hidden data inside text documents and images.

Command: steghide extract -sf key_is_h1dd3n.jpg
It asks for a passphrase. We enter ‘h1dd3n’.

It extracts a file named h1dd3n.txt. Catting the file gave:-

This pattern is a Brainfuck-encoded string.
We want to convert it to cleartext. We use this

Upon converting the sequence to cleartext, we get

It seems to be the credentials for ssh.

Gaining and maintaining access

We log in via ssh on port 1337 (-p 1337).

We tried sudo su and retrieving the bash history of users. These did not yield anything.

Step: Go to the vi editor. Exit it by

This was a restrictive shell, not allowing us to execute normal commands.
We get a bash shell, bash4.4.

We need to export “/bin/bash” as the SHELL environment variable and add /usr/bin to the PATH variable.

Commands:
export SHELL=/bin/bash:$SHELL
export PATH=/usr/bin:$PATH

Upon typing the command sudo -l, we see that user64 can run /usr/bin/sysud64.
Upon running it, we get:-

Tip: Gain more information about this file/process.
Command: sudo sysud64 -h | less

It seems to be a version of the strace command.

Knowledge Nugget
Strace command: useful for troubleshooting problems from the CLI in Linux. It captures all system calls made by processes and signals received by processes.

Privilege Escalation

Since sysud64 can be run as a root user and is running the strace command, we can spawn a root shell using sysud64.

Command: sudo sysud64 -o /dev/null /bin/sh

We go to the root folder and gain the flags.
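
A defender-side check for the sudo rule used above, as an added example that is not part of the original walkthrough: it parses `sudo -l` output and flags any granted command that is a byte-for-byte copy of a tool known to run arbitrary programs, so a renamed strace such as sysud64 is caught even though its name appears on no list. The function names and the demo files are constructed for illustration, and the check assumes the renamed binary is an unmodified copy; a rebuilt or patched binary would not match.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Rule line of `sudo -l`, e.g. "    (ALL) NOPASSWD: /usr/bin/sysud64"
RULE = re.compile(r"^\s*\([^)]*\)\s*(?:[A-Z_]+:\s*)*(.+)$")


def sudo_commands(sudo_l_output):
    """Return the absolute command paths granted in `sudo -l` output."""
    paths = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            words = entry.split()
            if words and words[0].startswith("/"):
                paths.append(words[0])  # keep the path, drop fixed arguments
    return paths


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def exec_capable_grants(sudo_l_output, reference_tools):
    """Map each granted command to the reference tool it is a byte-for-byte
    copy of. reference_tools are binaries known to run arbitrary programs."""
    known = {sha256(r): r for r in reference_tools if Path(r).is_file()}
    hits = {}
    for cmd in sudo_commands(sudo_l_output):
        if Path(cmd).is_file():  # skip rules that point at missing files
            ref = known.get(sha256(cmd))
            if ref:
                hits[cmd] = ref
    return hits


if __name__ == "__main__":
    # Constructed demo: a fake "strace" and a renamed copy in a temp directory.
    d = Path(tempfile.mkdtemp())
    (d / "strace").write_bytes(b"constructed stand-in for the strace binary")
    (d / "sysud64").write_bytes((d / "strace").read_bytes())
    listing = f"User user64 may run the following commands:\n    (ALL) NOPASSWD: {d / 'sysud64'}\n"
    print(exec_capable_grants(listing, [str(d / "strace")]))
```

On a real host, pass the captured `sudo -l` text for each account and the path of the installed strace binary as the reference tool.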


Well, you have it now!

What I learned:-

  • Brainfuck obfuscation
  • Usage of Steghide tool


  • This is a machine of medium difficulty

Thanks for reading this blog entry and making it till here. Until then, there must be some vulnerable boxes, for me to pwn out there……




