Penetration testing

Billu: B0x - Walkthrough

Chiragh Dewan
May 10, 2017 by
Chiragh Dewan

Billu B0x is a relatively new machine that came on VulnHub. Created by Manish Kishan Tanwar, it surfaced on April 21st, 2017. It can be downloaded from,188/

The objective is to break into the machine via a web application running on it and escalate user privileges.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Downloaded and fired up, it presents with a login screen with no other information at all apart from telling us it is an Ubuntu Machine, which we already know:

So, heading back to our attacking machine, Kali 2017.1, I run a simple command:

$ netdiscover

Now that we know the IP address of our target machine, let's start by scanning it:

For this case, I am using Zenmap, a GUI version of Nmap. The scan shows us that there are two ports open:

  • Port 22 - Used for SSH
  • Port 80 - Used to serve a web application

Let's head to its port 80 and see what's the web application we are dealing with:

So, it looks like a custom page which is asking for a username and password. Looking at the source code of the page, I came across a really interesting line:

After trying the known combination of SQL Injection used to bypass login, all the attempts made were unsuccessful. Let's head over to dirbuster and see what it has to offer:

So, the first interesting link I come across is /in.php. When opened, it gives us this:

Let's keep it for now. This can come handy in future. The next link I come across is /test.php

When opened, this is what it says:

From the looks of it, it is safe to say that file is a variable sent via POST request and it may be vulnerable to LFI. Let's give that a shot:

I will be sending the POST request by using a simple cURL command:

$ curl -X POST --data "file=/etc/passwd"

It is vulnerable to LFI!

Now that things are heating up let's take it up a notch. Since we know that index.php asks for username and password and a POST request is being made, it is safe to say that the rest of the PHP code would be in the same file. Since we just established that we have an LFI vulnerability, let's see if we can exploit that to read the code of index.php.

For this, again, a cURL request would be sent:

$ curl -X --data "file=index.php"

We can see that a file called c.php is being included in the code. Let's hope it gives us what we are hoping for:

$ curl -X --data "file=c.php"

And there you go, we have the credentials for the MySQL. Now the question arises, how to access it?

Heading back to dirbuster, I see that it has found another link /phpmy. After opening it, it takes us to PHPMyAdmin. Using the credentials:

  • Username: billu
  • Password: b0x_billu

We are able to log into PHPMyAdmin:

and using the credentials we found here, we can log into the web application as well:

However, we are nowhere close to getting into the server. All this time looking into the web application made me realize that it will not be the worst idea to try and call

Going back to our terminal, let's hit another cURL request:

$ curl -X POST --data "file=/var/www/phpmy/"

Finally, we have something concrete. Now using the credentials:

  • Username: root
  • Password: roottoor

We can now log into the server via SSH:

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Alrighty then, we are in as root.

Chiragh Dewan
Chiragh Dewan

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/ Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security including at an TEDx event.