trust is a Very Easy DockerLabs machine that chains three foundational techniques: web directory enumeration to discover a hidden PHP page leaking a username, SSH credential brute-forcing with Hydra to log in as that user, and a sudo vim misconfiguration to escalate directly to root. It is an excellent starter machine for practising the full end-to-end workflow, from passive web footprinting all the way to a root shell.
Machine Info
| Field | Details |
|---|---|
| Difficulty | Very Easy (Muy Fácil / Súper Fácil) |
| Category | Hacking Infraestructura |
| OS | Linux |
| Key Techniques | Web enumeration, Gobuster, Hydra SSH brute force, sudo abuse (vim) |
| Default Target IP | 172.17.0.2 |
Phase 0: Launch Kali Portable
Open a second terminal and start your Kali Portable environment:
Phase 1: Deploy the Machine
Download trust.zip from DockerLabs. In your first terminal:
- auto_deploy.sh: Bash script that launches the container
- trust.tar: The vulnerable Docker image
Phase 2: Reconnaissance
Nmap Service Scan
Scan with version detection and default scripts:
| Argument | Meaning |
|---|---|
| -sC | Runs default NSE scripts |
| -sV | Detects service versions |
| --min-rate 5000 | Fast rate, suitable for isolated lab use |
Findings:
| Port | Service | Notes |
|---|---|---|
| 22/tcp | SSH | Encrypted remote access |
| 80/tcp | HTTP | Apache2 web server |
Two services: a web server and SSH. The web server is the entry point.
Phase 3: Web Enumeration with Gobuster
The default Apache page is a dead end, but hidden files may exist beneath the surface. Use Gobuster to brute-force paths:
| Argument | Meaning |
|---|---|
| dir | Directory/file brute-force mode |
| -u http://172.17.0.2 | Target URL |
| -w common.txt | SecLists common web paths wordlist |
| -x .php,.txt,.html | Also probe for these file extensions |
| -r | Follow redirects automatically |
| --exclude-length 10701 | Filter out false positives with this response length (the Apache default page) |
| -t 100 | 100 threads for fast enumeration |
The --exclude-length 10701 flag is essential here. Without it, every 404-equivalent path returns the default Apache page with a 200 status code and a content length of 10701 bytes, which would flood the results with false positives. Identify the false-positive length from any non-existent path, then filter it out.
Open http://172.17.0.2/secret.php in your browser. The page displays a simple message:
mario.
Phase 4: SSH Brute Force with Hydra
With a username in hand, attempt SSH login. Entering ssh mario@172.17.0.2 and hitting enter confirms the username is accepted: the server responds with a password prompt rather than rejecting the user outright.
Since this is a Very Easy machine, the password is likely near the top of rockyou.txt. Extract only the first 1000 most common passwords to speed up the attack significantly:
| Argument | Meaning |
|---|---|
| -l mario | Known username |
| -P top1000.txt | Trimmed password list (top 1000) |
| ssh://172.17.0.2 | Target |
| -t 4 | 4 threads |
chocolate.
Phase 5: SSH Access
Log in with the discovered credentials:
mario.
Phase 6: Privilege Escalation via Sudo + Vim
Enumerate Sudo Permissions
The first thing to check on any Linux box after gaining a shell is what sudo permissions the current user has:
Output:
The user mario can run vim as any user (including root) with sudo. This is a well-known privilege escalation path documented on GTFOBins.
Escalate to Root via Vim Shell
Use the GTFOBins sudo shell escape for vim (option sudo → Shell → a):
| Part | Meaning |
|---|---|
| sudo vim | Launches vim with root privileges |
| -c ':!/bin/sh' | Passes a vim command that executes /bin/sh as a shell |
Vim opens with root privileges and immediately drops you into an interactive /bin/sh shell running as root.
Post-Lab Cleanup
Press Ctrl+C in the deploy terminal to stop the container. Type exit to leave your Kali Portable session.
Key Takeaways
Never Expose Information in Web Pages
The secret.php page handed us a valid username, the pivotal piece of information needed to attack SSH. Even innocuous-looking pages can leak critical data. Avoid displaying usernames, email addresses, or system names in web responses.
Targeted Wordlists Save Time
Instead of running the full rockyou.txt (14 million entries), using the top 1000 reduced the brute-force time from potentially hours to under 30 seconds. Tailor your wordlist to the context: Very Easy machines almost always use common passwords.
sudo Editor Access = Root Access
Allowing sudo on text editors and pagers (vim, nano, less, more) is functionally the same as granting a root shell. If a user needs to edit a specific config file as root, use sudoedit with a path restriction instead of granting full editor access.
GTFOBins Is Your Friend
GTFOBins catalogs shell escape techniques for dozens of binaries. During any CTF or engagement, if sudo -l returns an editor, compiler, interpreter, or file manager, GTFOBins likely has a working escalation path ready to use.
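The misconfiguration described under "sudo Editor Access = Root Access" can be caught by auditing sudoers rules for programs that offer a shell escape. The following Python is an added example (not code from the original page) that flags such rules and leaves the sudoedit form alone; the sample rules, the deploy user and the file paths are constructed, and the program list is a non-exhaustive assumption.

```python
import os
import re

# Programs with well-known shell escapes. vim, nano, less and more are the
# ones the page names; the rest are common additions. Not an exhaustive list.
SHELL_ESCAPE = {"vim", "nano", "less", "more", "vi", "python3", "perl", "awk"}

# Constructed sudoers rules. The first mirrors the lab's finding; the second is
# the sudoedit alternative. /etc/myapp/app.conf and "deploy" are hypothetical.
SAMPLE_SUDOERS = """\
# constructed example rules
mario ALL=(ALL) /usr/bin/vim
mario ALL=(root) sudoedit /etc/myapp/app.conf
deploy ALL=(root) NOPASSWD: /usr/sbin/nginx -s reload, /usr/bin/less /var/log/myapp.log
"""

RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\))?\s*(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return (line number, user, command) for every rule that lets a user run
    a shell-escape-capable program through sudo."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        cmds = re.sub(r"\b[A-Z_]+:\s*", "", m["cmds"])  # drop tags such as NOPASSWD:
        for cmd in (c.strip() for c in cmds.split(",")):
            prog = os.path.basename(cmd.split()[0]) if cmd else ""
            # sudoedit runs the editor as the invoking user on a temporary
            # copy, so it is not flagged; an editor or pager run as root is.
            if prog in SHELL_ESCAPE:
                findings.append((lineno, m["who"], cmd))
    return findings

if __name__ == "__main__":
    for lineno, who, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {who} may run {cmd!r} via sudo (shell escape possible)")
```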