Napping 1.0.1: Vulnhub Walkthrough

Nitunga Baptiste Billy
5 min read, Sep 4, 2024


Hey everyone! Here’s a write-up on how I took down the Napping 1.0.1 VM from VulnHub. My objective? Get root access, of course. Let’s walk through the process.

Download Link: napping-1.0.1.ova
Description: Even Admins can fall asleep on the job

Author: Baptiste Billy Nitunga

Step 1: Getting Set Up

To start, I made a directory on my Kali machine to keep all my files organized:

mkdir napping
cd napping

Next, I needed to find the IP of the target machine, so I used netdiscover to scan my network:

netdiscover -r 192.168.4.0/24
netdiscover output

With the IP address in hand, I ran nmap to see what services were up and running:

nmap -sS -A -T4 192.168.4.21
nmap output

Port 80 was open, so I knew I was dealing with a web server. Time to check it out.

Step 2: Exploring the Web Server

When I navigated to the IP in my browser, I landed on a login page. It also had an option to create a new user, which piqued my interest.

Creating a User

Since there was an option to create a new user, I went ahead and registered. I thought this might give me access to something interesting.

User creation

After creating a user, I logged in with the new credentials and got access to a basic web page. There wasn’t much going on, but there was an input field that caught my eye.

I was tempted to drop a PHP reverse shell into the input field, but I decided to do some recon first.

Step 3: Digging Deeper

Before trying any injection attacks, I decided to do some directory busting with gobuster to uncover any hidden directories:

gobuster dir -u http://192.168.4.21 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Gobuster output

I found a few interesting directories, including /config.php. Unfortunately, when I tried to access it, all I got was a blank page.

That wasn’t too helpful, so I went back to exploring the application.

Step 3: Finding the Vulnerability

Let’s take a closer look at /welcome.php and enter a dummy link to see how the website behaves.

Let’s go ahead and inspect the webpage.

Nothing really interesting at first look, but if we look closely, we notice a well-known vulnerability in the link syntax (target='_blank' without rel='noopener') called “tabnabbing”: the page opened in the new tab keeps a window.opener reference back to the original tab and can redirect it.
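As a defender-side illustration of the pattern above, here is an added example (not code from the original post or from the Napping VM) that audits an HTML fragment for anchors with target="_blank" that lack rel="noopener" and rewrites them. The sample HTML is constructed for the example.

```javascript
// Constructed sample page: one exposed link, one already hardened, one same-tab link.
const SAMPLE_HTML = `
<p>Status: <a href="http://example.test" target="_blank">link</a></p>
<p><a href="https://safe.test" target="_blank" rel="noopener noreferrer">ok</a></p>
<p><a href="/local">same tab</a></p>
`;

// Matches an opening <a ...> tag and captures its attribute string.
const ANCHOR_RE = /<a\b([^>]*)>/gi;

// Returns the value of a named attribute (quoted or bare), or null if absent.
function getAttr(attrs, name) {
  const re = new RegExp(
    `(?<![\\w-])${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = attrs.match(re);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// An anchor is exposed to reverse tabnabbing when it opens a new browsing
// context (target=_blank) but does not sever window.opener via rel=noopener.
function isExposed(attrs) {
  const target = getAttr(attrs, 'target');
  if (!target || target.toLowerCase() !== '_blank') return false;
  const rel = (getAttr(attrs, 'rel') || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener');
}

// Detection: list the href of every exposed anchor in the fragment.
function findTabnabbingLinks(html) {
  const found = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    if (isExposed(m[1])) found.push(getAttr(m[1], 'href'));
  }
  return found;
}

// Mitigation: add (or extend) rel="noopener noreferrer" on exposed anchors only.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrs) => {
    if (!isExposed(attrs)) return tag;
    const rel = getAttr(attrs, 'rel');
    if (rel === null) return `<a${attrs} rel="noopener noreferrer">`;
    const fixed = attrs.replace(/(?<![\w-])rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i,
      `rel="${rel} noopener noreferrer"`);
    return `<a${fixed}>`;
  });
}

console.log('exposed:', findTabnabbingLinks(SAMPLE_HTML));
console.log(hardenLinks(SAMPLE_HTML));
```

Modern browsers treat target="_blank" as implying noopener by default, but server-rendered pages that accept user-supplied links should still add it explicitly rather than rely on client behaviour.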

Step 4: Foothold

Create a login page replica, prompting the admin to input their credentials when they click our link. The POST request will then be directed to our machine with a pre-set listener. Let’s get our hands dirty!!!!

Login page replica
This will open a login page replica on port 8000

We also start a web server to serve the replica page using the command:

python3 -m http.server 80

We set up our netcat listener:

nc -lvnp 8000

to capture the data submitted by the POST form on our fake login page.

Now, we paste our link in the welcome page and hit submit.

Our script was successfully accessed.

A username and password are acquired, with the latter seemingly URL encoded. The actual password is: C@ughtm3napping123

With that, I got my initial access. Time to see what more I could do.

Step 5: Gaining Access

Let’s try to SSH into the machine using those credentials.

No flags are found, but there’s another user named Adrian, who owns the user flag; our current user lacks sufficient privileges to view it. There are also intriguing files like ‘site_status.txt’ and ‘query.py’. It seems ‘query.py’ checks the website’s status and records it in ‘site_status.txt’ (a cron job). What if we replace the code that performs this task with a reverse shell, granting us access to Adrian’s shell?

Step 6: Privilege Escalation

Note: The query.py script should only be run by Adrian or an automated process, as Adrian is the script’s owner. Running the script as Daniel will result in using Daniel’s shell instead, which is not desired.

I modified the script to execute a reverse shell, and when the script was triggered, I gained shell access as Adrian.

Let’s see if we can read the user.txt flag now.

Final Step: ROOT ACCESS

We can notice that adrian can run the vim utility with root privileges.

According to gtfobins, we can take advantage of this by typing:

sudo /usr/bin/vim -c ':!/bin/sh'

BOOM!!!

Thanks for checking out my write-up! If you have any questions or feedback, feel free to reach out. Happy hacking! TCHÜSS….
