Joy Writeup
Joy is a beginner-to-intermediate level boot2root challenge hosted on VulnHub.
The machine exposes multiple misconfigured services across FTP, HTTP, SMB, SMTP, and SNMP, requiring thorough enumeration before proceeding to exploitation. The intended attack path involves abusing a known vulnerability in ProFTPD 1.3.5 via its mod_copy module, followed by a Linux privilege escalation through file permission misconfigurations.
Disclaimer: This writeup is intended solely for educational purposes. The target machine, Joy, is a deliberately vulnerable virtual machine available on VulnHub. All testing was conducted in an isolated, controlled lab environment. Do not attempt to replicate these techniques against any system without explicit written authorisation. Unauthorised access to computer systems is illegal and punishable by law.
Host Discovery
The consultant performed host discovery on the local network segment using arp-scan to identify all live hosts and their associated MAC addresses. The target host was identified at 192.168.111.142.
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan --localnet
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:cb:fd:39, IPv4: 192.168.111.141
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.111.1 00:50:56:c0:00:08 (Unknown)
192.168.111.2 00:50:56:e4:78:d9 (Unknown)
192.168.111.142 00:0c:29:70:db:8a (Unknown)
192.168.111.254 00:50:56:fe:bb:80 (Unknown)
Initial Information Gathering
The consultant performed a comprehensive TCP service version detection scan against the target using Nmap with the -sCV flags to enumerate open ports and identify running services.
┌──(kali㉿kali)-[~]
└─$ nmap -sCV 192.168.111.142
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-12 11:00 -0400
Nmap scan report for 192.168.111.142
Host is up (0.00018s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.2.10
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
|_drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload
22/tcp open ssh Dropbear sshd 0.34 (protocol 2.0)
25/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2016-07-19 20:03 ossec/
|_
|_http-server-header: Apache/2.4.25 (Debian)
110/tcp open pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: SASL STLS AUTH-RESP-CODE PIPELINING TOP CAPA UIDL RESP-CODES
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: IMAP4rev1 have more post-login STARTTLS LITERAL+ Pre-login capabilities ENABLE OK SASL-IR LOGIN-REFERRALS ID LOGINDISABLEDA0001 IDLE listed
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
465/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
587/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=JOY
| Subject Alternative Name: DNS:JOY
| Not valid before: 2018-12-23T14:29:24
|_Not valid after: 2028-12-20T14:29:24
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2019-01-27T17:23:23
|_Not valid after: 2032-10-05T17:23:23
|_pop3-capabilities: SASL(PLAIN) AUTH-RESP-CODE USER PIPELINING TOP CAPA UIDL RESP-CODES
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:70:DB:8A (VMware)
Service Info: Hosts: The, JOY.localdomain, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| smb2-time:
| date: 2026-03-12T15:00:15
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.12-Debian)
| Computer name: joy
| NetBIOS computer name: JOY\x00
| Domain name: \x00
| FQDN: joy
|_ System time: 2026-03-12T23:00:15+08:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.34 seconds
A total of twelve (12) open TCP ports were identified. Notably, the FTP service permits anonymous authentication and SMB message signing is disabled, both of which represent potential attack vectors for further investigation.
A separate UDP scan was also conducted to enumerate UDP-based services:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU 192.168.111.143
[sudo] password for kali:
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-12 11:35 -0400
Nmap scan report for 192.168.111.143
Host is up (0.0013s latency).
Not shown: 953 closed udp ports (port-unreach), 44 open|filtered udp ports (no-response)
PORT STATE SERVICE
123/udp open ntp
137/udp open netbios-ns
161/udp open snmp
MAC Address: 00:0C:29:70:DB:8A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1032.12 seconds
Three open UDP ports were identified. The presence of SNMP on port 161 is particularly noteworthy, as it may disclose sensitive system information if the default community string is in use.
Service Enumeration
Port 21
The consultant authenticated to the FTP service using the built-in anonymous account (username: anonymous, no password required), which was confirmed as accessible by the Nmap scan.
Upon gaining access, the consultant discovered that the download directory contained the contents of the user Patrick's home directory, indicating that Patrick's home folder had been mapped or symlinked into the publicly accessible FTP path, which is a significant misconfiguration.
Reviewing the directory listing and reading the accessible files revealed several pieces of valuable intelligence:
- A file named version_control was present, likely containing information about installed software versions that could inform vulnerability research.
- A script directory owned by root with permissions set to d--------- (no access for non-root users) was visible, suggesting the existence of a scheduled or privileged script execution process.
- A file named haha was observed with world-writable and world-executable permissions (-rwxrwxrwx), owned by Patrick. This is a strong indicator of a potential privilege escalation vector if this file is executed in a privileged context.
- Several .txt files containing 24 bytes of data were present alongside numerous empty files; the non-empty files may contain tokens, flags, or encoded credentials.
- The readable file contents included a list of animal names, common words, and system hints, which appear to constitute a potential password wordlist or set of clues for further enumeration.
┌──(kali㉿kali)-[~/Joy]
└─$ cat *
Patrick's Directory
total 184
drwxr-xr-x 18 patrick patrick 4096 Mar 13 00:35 .
drwxr-xr-x 4 root root 4096 Jan 6 2019 ..
-rw-r--r-- 1 patrick patrick 24 Mar 13 00:00 1DfReGjYDe2UdS1sugt5OG60YtF6FuRT2LH2JFpoTMgzLHoHXPO4tMrUjt2Z9Kq5.txt
-rw-r--r-- 1 patrick patrick 24 Mar 13 00:20 1R4yhhBlhrzQHr1rIbsIgkKZ1nUMwpdQTZKneygyrNone3LReEhsk78wh2o8NvxT.txt
-rw-r--r-- 1 patrick patrick 0 Mar 13 00:30 4QHtn1qXssS2Kzw8M9HfXb5nnIdW8x7j.txt
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:00 8tilafEPIkrsp3tmgRdpLOAfgGzBFiVh.txt
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:45 9CS0hu3mQJ5WGN0qlUUHDFqOwaiTX7zpPzRBijMxVWURR9sMMbTfQIjR6hQtMy4w.txt
-rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history
-rw-r--r-- 1 patrick patrick 220 Dec 23 2018 .bash_logout
-rw-r--r-- 1 patrick patrick 3526 Dec 23 2018 .bashrc
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:50 biyGoCvNRV39mIGQeVQlhjbxxv8y6FcX.txt
drwx------ 7 patrick patrick 4096 Jan 10 2019 .cache
-rw-r--r-- 1 patrick patrick 0 Mar 13 00:10 CJ5YYFIDgInE48DOPBMx7ou9dGNt3CaL.txt
-rw-r--r-- 1 patrick patrick 0 Mar 13 00:15 coFKZu8qFDCjBoXxt8flVMX2DUbVAHMx.txt
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:00 CoJB1RynC66YNqIPGWMlWCLsch5sZm2M1krOBuaf3WAVhan0X20BZGNCmeUNGtC8.txt
drwx------ 10 patrick patrick 4096 Dec 26 2018 .config
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Documents
drwxr-xr-x 3 patrick patrick 4096 Jan 6 2019 Downloads
-rw-r--r-- 1 patrick patrick 24 Mar 13 00:30 eEPl6D4zch6W6BlP26IGVrIn557xfWooQyjzWaI4gVW8ibfsNC9oJRUQnZUP3Z08.txt
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:20 fjV8pgBbqDuAvYgdZSsEyIdJUKnUzSGditZTgv9W9apqTyEfgHZvz2Z00MxSTGBN.txt
-rw-r--r-- 1 patrick patrick 24 Mar 13 00:10 GNqWeX9egZlOo5upIHKXjcflKDXRFeP0eJXO2rMk1K8hZISPzUDOJbxIjjrgBNtz.txt
drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg
-rw-r--r-- 1 patrick patrick 24 Mar 13 00:35 GqBIwl8uRZ3lY8h2n0VgJgDE6JOPX2UjLVUeHls7LSAtX9z8DfsB5KMdFsnueEUd.txt
-rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha
-rw-r--r-- 1 patrick patrick 24 Mar 13 00:15 hWQxfmuUZ7DAdobwFAuOvIxL0Fd96p3J3CriGZQYLNZf3iwOmlEf7P0BKZ4IPXCS.txt
-rw------- 1 patrick patrick 8532 Jan 28 2019 .ICEauthority
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:50 iDXNlwmiXRjE5aNvLJbMSBd9RMQHizwfQpr2bndcMC6Z8eb0kejVlgkZS18r0gPy.txt
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:55 iEKuZ8chHeEazv8HcS5ix4XFTaFat1se.txt
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:40 Jdg5YJJNEtpCjdirpGxdZCLWD1v00HvS.txt
drwxr-xr-x 3 patrick patrick 4096 Dec 26 2018 .local
-rw-r--r-- 1 patrick patrick 24 Mar 13 00:25 mG4c96p5HzzlASORw7FYc00rwtxLjFNIJnbAKuiGw7ozEk8qRL9hJMeCCByYDYAE.txt
drwx------ 5 patrick patrick 4096 Dec 28 2018 .mozilla
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Music
-rw-r--r-- 1 patrick patrick 0 Mar 13 00:05 n9MtOkqh6vh0GxTNmCQLB6INu2rrGuLL.txt
drwxr-xr-x 2 patrick patrick 4096 Jan 8 2019 .nano
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:25 NPUwKTn4yUKVGfFfywOYbFk3EnanYI0s.txt
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:05 NrQzqIO4NRYVK1ZOLH7kdiEjNCruF4JX.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Pictures
-rw-r--r-- 1 patrick patrick 24 Mar 13 00:05 PlRk73PAG6Btns7O3OvYMrFzVywWNrwOCflRwFzogdI8BAkLGRUXtFUoH3POtJc9.txt
-rw-r--r-- 1 patrick patrick 675 Dec 23 2018 .profile
-rw-r--r-- 1 patrick patrick 0 Mar 13 00:20 psMEcXgvxtcW8IsHZNRGwz5iPkszj2Zb.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Public
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:55 PVBWKhc60zpBBDthCoZzEpbrfdHsZNm3hXBr9VDuoqIJcOVEvTzgzHpWlXBMw9gr.txt
-rw-r--r-- 1 patrick patrick 0 Mar 13 00:35 rmJQr9wv0aZLJj0DuAFEHj7g0mqaTZCw.txt
d--------- 2 root root 4096 Jan 9 2019 script
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:10 snGySrXrjHLnhQK97wJxAGXjMWYNmDj9vIhtTZELu1tZla33eFd10uQHcELZ6SiU.txt
drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 Sun
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Templates
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:10 tFmMJDVCcPWHKMPZtERbSTSSm62RSND0.txt
-rw-r--r-- 1 patrick patrick 0 Mar 13 00:00 TulNtMEZ9IzZRtrfT4NsbbENqRJEa3hS.txt
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 .txt
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:25 u0z5LVCVxyAcJp4Fw7uAITJel1ZrqqLr8NwMWuO9fZ0IMzq7RsD764eh3I2kD08t.txt
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:20 utwmbLwBCEo7734ho3OtGNQnfjoNBobQ.txt
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:15 V0ms2oMxGciyOERrVzC8CnJxL639J66v.txt
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:35 Ve6PuwbbDMfbXh1dqt74CZcLWFBAMY9i.txt
-rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Videos
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:35 vtrw50qxeRL5zSAHBhgfOnJyyDwmXl9jieKVkZ50GxMf4PRUJ15MOiiNMhLphBLA.txt
-rw-r--r-- 1 patrick patrick 0 Mar 13 00:25 VUkGSAGczCHyWbWoZbrelskCmwRWWKIP.txt
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:40 W5nMvqamxG996jSjv6Jb7iyS8DmuMIYT32g5hjsehqMuLbH8vBbGGHstaD8hHyAW.txt
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:30 wX8ta4KFNnlYQvUtMYsqzlhAcshuzmrV.txt
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:05 XBRVfmgmSQQqCIq3NImTIiXizsb4FKx9KjN09gEpc7Hir0y6g3nUNTMAW2f12rPX.txt
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:15 xfy9hQ0DG0JJK22lf4oWcLuGI0brgrnvlrHU9q54dvCzk32Hf32HaIOozxid2l2G.txt
-rw-r--r-- 1 patrick patrick 24 Mar 12 23:30 yoE4mjWBI4gM4TtktRBEEgQQXWaO7M9ooFNLLxYqA48fdCrw9IX3jyK1oCf5BGWy.txt
-rw-r--r-- 1 patrick patrick 0 Mar 12 23:45 zH82yN0mmUzBq8F6KsIiKD7qgy0LLFex.txt
You should know where the directory can be accessed.
Information of this Machine!
Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
This is a brave project!
What happens when you have no idea what you are doing? Bang your head against the wall.
colour
airline
skilled footballer!
Perhaps the head of development is secretly a sicko...
either a dog name, or the name of a lottery in singapore
ONE!
wine app
you only live once!
dog
cat
ant
bird
fish
hare
snake
mouse
eagle
rabbit
jaguar
python
penguin
peacock
phoenix
kangaroo
parakeet
mosquito
mousedeer
woodlouse
cockroach
kingfisher
rhinoceros
pondskater
Lock down this machine!
The system information embedded in the files confirmed the target is running Linux kernel 4.9.0-8-amd64 on Debian, providing useful context for identifying kernel-level vulnerabilities if required.
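The review of the listing above can be automated when auditing what an anonymous FTP root exposes. The following is an added example, not part of the original writeup: it parses `ls -l` style lines (six copied from the listing above) and reports world-writable entries, home-directory artefacts, and entries whose owner differs from the rest of the tree. The function names and the watch list of artefact names are assumptions made for the example.

```python
import re
from collections import Counter

# Six lines copied from the listing shown above.
LISTING = """\
-rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history
drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg
-rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha
d--------- 2 root root 4096 Jan 9 2019 script
drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh
-rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control
"""

# perms, link count, owner, group, size, month, day, year-or-time, name
ENTRY = re.compile(
    r"^([dl-][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)
# Names that only make sense inside a home directory (assumed watch list).
HOME_ARTEFACTS = {".ssh", ".gnupg", ".bash_history", ".mozilla", ".ICEauthority"}


def mode_bits(perms):
    """Turn 'drwxr-xr-x' into 0o755; setuid/setgid/sticky are not reported."""
    bits = 0
    for i, ch in enumerate(perms[1:]):
        if ch not in "-ST":  # 'S'/'T' mean a special bit without execute
            bits |= 1 << (8 - i)
    return bits


def audit_listing(text):
    """Return (name, finding) pairs for entries a reviewer should look at."""
    entries = [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]
    if not entries:
        return []
    main_owner = Counter(e[1] for e in entries).most_common(1)[0][0]
    findings = []
    for perms, owner, _group, name in entries:
        if mode_bits(perms) & 0o002:
            findings.append((name, "world-writable"))
        if name in HOME_ARTEFACTS:
            findings.append((name, "home-directory artefact exposed"))
        if owner != main_owner:
            findings.append((name, f"owned by {owner}, tree owner is {main_owner}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_listing(LISTING):
        print(f"{name}: {finding}")
```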
Port 80
The HTTP service on port 80 presented an Apache directory listing at the web root, exposing an ossec/ directory. Directory listing being enabled allows any visitor to browse the server’s file structure without authentication, representing an information disclosure risk.
Port 445
The SMB service on port 445 was enumerated. As noted during the Nmap scan, SMB message signing was found to be disabled, which makes the service susceptible to relay-based attacks. The consultant proceeded to enumerate accessible shares and gather further configuration details.
Port 161
The SNMP service on UDP port 161 was queried using the default community string public. The service responded successfully, potentially disclosing details about running processes, network interfaces, installed software, and user accounts.
The consultant found that an additional port, 36969, was open and that the service running on it was TFTP.
Port 36969
An additional service was identified running on the non-standard port 36969. The consultant interacted with this service to assess its functionality and determine whether it could be leveraged as an additional attack vector.
The consultant retrieved the version_control file from Patrick's directory.
Exploitation
ProFTPD 1.3.5
The FTP service was confirmed to be running ProFTPD version 1.3.5, which is known to be affected by a critical vulnerability in the mod_copy module.
The consultant changed the site path to the one the consultant had seen from SNMP and also in TFTP.
Post-Exploitation
Permission Misconfiguration
The consultant found that the file patricsecretsofjoy contained credentials for the user and for root.
The consultant tried to log in as root, which did not work, but logging in as patrick succeeded.
The consultant enumerated the sudo permissions and found a file, /home/patrick/script/test, that could be abused.
In essence, the file can change the permissions of any file. The consultant tried changing the permissions of /etc/passwd and /etc/shadow so that they could be abused.
The consultant tried to crack the hashes with the unshadow technique, which combines shadow and passwd into a single file.
The reference for that technique can be found below the image.
Cracking took too long, so the consultant looked for a way to abuse /etc/passwd instead.
The reference for that technique is from Reddit.
The consultant added a user, user3, to /etc/passwd together with the hash of its password, then logged in as user3 to see the results.
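Both changes described above, loosened permissions on /etc/passwd and /etc/shadow and a password hash placed directly in /etc/passwd, are detectable on the host. The following is an added example, not part of the original writeup: the sample passwd content is constructed (the hash is a placeholder string), the expected modes are the common Debian defaults taken as an assumption, and the UID 0 check goes beyond what the writeup describes as a standard companion audit.

```python
import os
import stat

# Constructed sample, not taken from the target; the hash is a placeholder.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash
user3:$1$EXAMPLE$placeholderhashvalue00:1001:1001::/home/user3:/bin/bash
"""

# Assumed baseline modes (typical Debian defaults); adjust to local policy.
EXPECTED = {"/etc/passwd": 0o644, "/etc/shadow": 0o640}


def audit_passwd(text):
    """Return (account, finding) pairs for suspicious passwd entries."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            # Anything else is treated as a hash that bypasses /etc/shadow.
            findings.append((name, "password hash stored in passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "non-root account with UID 0"))
    return findings


def audit_mode(path, st_mode, st_uid):
    """Flag permission bits beyond the baseline and non-root ownership."""
    mode = stat.S_IMODE(st_mode)
    findings = []
    if mode & ~EXPECTED[path]:
        findings.append(f"{path}: mode {mode:04o} exceeds {EXPECTED[path]:04o}")
    if st_uid != 0:
        findings.append(f"{path}: owned by uid {st_uid}, expected root")
    return findings


if __name__ == "__main__":
    print(audit_passwd(PASSWD))
    for path in EXPECTED:  # live check, skipped where the file is absent
        if os.path.exists(path):
            st = os.stat(path)
            print(audit_mode(path, st.st_mode, st.st_uid))
```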




















