These are the sort of machines that you get on HackTheBox/TryHackMe/VulnHub. You get an IP, start with Nmap, and find your way to becoming the root user. These actually helped me get my OSCP.

Making boot2root

General notes


$ cp nuseradd /usr/local/man/man8/nuseradd.8
$ gzip /usr/local/man/man8/nuseradd.8
$ man nuseradd

Python script to binary

Fixing interface name

Add a new user:

sudo adduser <username>

Setting up FTP server

Edit /etc/issue

To be able to display the IP of the machine right when it starts you can edit /etc/issue

IP: \4{eth0}

This only displays the IP. If you want something else, such as the name of the machine, you can add that too.

Setup Wordpress

The best thing is to follow this article

Make sure to verify which is the latest version of PHP and WordPress.

Setting up virtual hosts on apache2

ServerAdmin webmaster@localhost
DocumentRoot /var/www/sites     

Here, when someone tries to visit, Apache will use files from /var/www/sites; for any other domain/IP it will use the default configuration.

a2ensite <name-of-the-conf-without-extension>

Ex: a2ensite mehtab - where configuration file name was mehtab.conf

Setting up Postgres

To install Postgres on Ubuntu you can run:

sudo apt install postgresql

After that you can log in as the postgres user and create a DB or add users.

create database <DB_NAME>;
create user <USERNAME> with encrypted password '<your-password>';
grant all privileges on database <DB_NAME> to <USERNAME>;

Extra commands in psql

User privilege exploitation idea

This is something that came up when I was talking with @DCAU about making VMs etc.

If you remove a user, but leave their sudo privileges in place, can a user be created with that same name and exploit the sudo privileges?


sudo apt-get changelog apt
!/bin/sh

#includedir /etc/sudoers.d
test1 ALL=(ALL) NOPASSWD: /usr/bin/apt-get
freddy ALL=(ALL) NOPASSWD: /usr/sbin/adduser,/usr/sbin/deluser

#includedir /etc/sudoers.d
%helpdesk ALL=(ALL) NOPASSWD: /usr/bin/apt-get
freddy ALL=(ALL) NOPASSWD: /usr/sbin/adduser,/usr/sbin/deluser

Add group helpdesk:

groupadd helpdesk

Create user and add to helpdesk group:

sudo adduser test2
sudo adduser test2 helpdesk

#includedir /etc/sudoers.d
%helpdesk ALL=(ALL) NOPASSWD: /usr/bin/apt-get
freddy ALL=(ALL) NOPASSWD: /usr/sbin/adduser,/usr/sbin/deluser

The problem with the last version is that the user can add themselves to the helpdesk group and then log off and back on with the sudo privileges of helpdesk.

sudo adduser test2
sudo adduser test2 helpde
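
One way to check a build for the situation described above, as an added example that is not part of the original notes: a small Python audit that lists sudoers rules whose user or group no longer exists, and the rules that any holder of adduser/deluser rights could reach by recreating a name or joining a group. The sample rules, the ACCOUNT_TOOLS list and the function names are assumptions made for the illustration.

```python
import os
import re

# Constructed sample: the sudoers rules from the notes above, combined into one file.
SAMPLE_SUDOERS = """\
#includedir /etc/sudoers.d
test1 ALL=(ALL) NOPASSWD: /usr/bin/apt-get
%helpdesk ALL=(ALL) NOPASSWD: /usr/bin/apt-get
freddy ALL=(ALL) NOPASSWD: /usr/sbin/adduser,/usr/sbin/deluser
"""
# Assumed list of account-management binaries worth flagging (not from the notes).
ACCOUNT_TOOLS = {"adduser", "deluser", "useradd", "userdel", "usermod", "gpasswd"}
RULE = re.compile(r"(\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(.*)")

def parse_rules(text):
    """Yield (principal, [command basenames]); no aliases, continuations or includes."""
    for line in map(str.strip, text.splitlines()):
        # '#' lines (comments and #includedir), '@' directives and Defaults are skipped
        if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if m:
            cmds = re.sub(r"\b[A-Z_]+:\s*", "", m.group(2)).split(",")  # drop NOPASSWD: etc.
            yield m.group(1), [os.path.basename(c.split()[0]) for c in cmds if c.strip()]

def audit(sudoers_text, users, groups):
    """Return (kind, principal, detail) findings for stale or reachable sudo rules."""
    rules = list(parse_rules(sudoers_text))
    findings, reachable = [], []
    for principal, _ in rules:
        is_group = principal.startswith("%")
        if is_group:
            reachable.append(principal)  # a group can be joined by whoever runs adduser
        if principal.lstrip("%") not in (groups if is_group else users):
            findings.append(("orphaned", principal, "no matching account or group"))
            if not is_group:
                reachable.append(principal)  # the deleted name can be recreated
    for principal, cmds in rules:
        tools = sorted(set(cmds) & ACCOUNT_TOOLS)
        if tools:
            findings.append(("account-management", principal, ",".join(tools)))
            findings += [("reachable", r, "via " + principal) for r in reachable if r != principal]
    return findings

if __name__ == "__main__":
    # users/groups would normally come from /etc/passwd and /etc/group
    for finding in audit(SAMPLE_SUDOERS, users={"freddy"}, groups={"helpdesk"}):
        print(*finding)
```

On a real build, pass the account and group names read from /etc/passwd and /etc/group, and run it over each file in /etc/sudoers.d as well.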

Do's and Don'ts

These are the must do's and don'ts of making the boot2root machine.

Running Services

In my experience it's better to use systemd rather than putting your head under this supervisor setup.


command=flask run --port 1337

Then restart the supervisor service

sudo systemctl restart supervisor.service

And then you can check if the service is running by executing

supervisorctl status

You should see the new app.

Sometimes we end up getting errors like

unix:///var/run/supervisor.sock no such file


error: <class socket.sock>..........

So the fix that seemed to work for me was to run echo_supervisord_conf > /etc/supervisor/supervisord.conf

and then reread the config with

supervisorctl -c /etc/supervisor/supervisord.conf reread

and then we should see all the services running.

Systemd service file

In my experience it's better to just make a <name>.service file in /etc/systemd/system to set up a service rather than trying to mess with supervisor.


If you want something to do with shells or a service accessible via nc/telnet then it's better to set up an xinetd service.

game        1337/tcp        #this is a game

Here game is the name of the service and 1337 is the port on which it is running. Text after # is just a comment.

Other application with Systemd

This is just an example of a Flask application, but in a similar manner you can run any other service as well. Ex: apache2

Basically make a file named whatevernameyouwant.service in /etc/systemd/system and write this:

[Unit]
Description=web application

[Service]
ExecStart=/bin/bash -c "/usr/local/bin/flask run --host <bind-address> --port 80"


To set up fail2ban on Ubuntu for the SSH port we do the following:



Hacking boot2root

Service Enumeration






whoami /all
whoami /priv