Dockerlabs - Psycho
Psycho
✌️ Introduction
We’ll solve the Psycho machine from Dockerlabs, which will allow us to achieve the following learning objectives:
• Use fuzzing on a website to find vulnerabilities.
• Exploit the LFI vulnerability to view files on the server.
• Escalate privileges using binaries.
• Use hijacking to execute malicious code.
🔎 Initial Scan
First, we’ll deploy the machine with Docker and obtain the target machine’s IP address.

We’ll use Nmap to scan open ports and gather information about them.

The scan results show two open ports: port 22 (SSH) and port 80 (HTTP).
We’ll first focus on the HTTP port, to check whether there are any vulnerabilities on the website.

📝 Fuzzing
We conducted a web fuzzing attack to gather more information, and the results revealed one directory that we reviewed.

In the directory, we find an image file with a black background.


So we attempt a path traversal to try to read the contents of the passwd file.



We identified two potential users, vaxei and luisillo, but after attempting a brute-force attack, no results were obtained.
So, we tried to access their directories and found an id_rsa file containing their SSH private key in the vaxei directory.

We save the private key in a new file so we can try to access the vaxei account via SSH.

🔑 Privilege Escalation
Once logged in as the user vaxei, we check the sudo permissions and see that “/usr/bin/perl” can be run as the user luisillo, so we use this to move laterally to that account.

Now, as luisillo, we have sudo permissions as root on “/usr/bin/python3 /opt/paw.py”, so we will check that file. We can’t modify it, but we can see it’s calling some libraries we could hijack.
We’ll create a file called subprocess.py, since Python will search for the library in the current directory before searching in “/usr/lib/python3”.
Finally, after executing “sudo /usr/bin/python3 /opt/paw.py”, we have managed to escalate privileges and verify that we are the root user.
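From the defender's side, the condition that made this hijack possible can be audited: when a script is started as “python3 /opt/paw.py”, the first entry of Python's import path is the directory that holds the script. The following is an added example, not part of the original write-up; it lists a script's imports and reports any that are already shadowed by a file next to it, plus whether that directory is group- or world-writable. The function names and the audit_imports.py file name are hypothetical.

```python
import ast
import stat
import sys
from pathlib import Path


def imported_modules(script: Path) -> set[str]:
    """Top-level module names imported anywhere in the script."""
    tree = ast.parse(script.read_text(), filename=str(script))
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def audit_script(script: Path) -> dict:
    """Report import-shadowing exposure for a script run as `python3 <script>`."""
    script_dir = script.resolve().parent  # becomes sys.path[0] at run time
    st = script_dir.stat()
    shadowed = sorted(
        name for name in imported_modules(script)
        # Built-in modules are resolved before the path search, so skip them.
        if name not in sys.builtin_module_names
        and ((script_dir / f"{name}.py").is_file()
             or (script_dir / name / "__init__.py").is_file())
    )
    return {
        "script_dir": str(script_dir),
        "dir_owner_uid": st.st_uid,
        "dir_group_or_world_writable": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
        "shadowed_imports": shadowed,
    }


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 audit_imports.py /opt/paw.py
    for target in sys.argv[1:]:
        print(audit_script(Path(target)))
```

Any entry in shadowed_imports, or a script directory writable by an account other than the one the script runs as, deserves review. Starting the interpreter with “python3 -I” (isolated mode) keeps the script's directory off the import path.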

🏁 Conclusion
By exploiting weak configurations, we gained access to sensitive information through SSH, web fuzzing and hijacking. We used the Perl and Python binaries permitted through sudo to escalate privileges and ultimately gained root access. This demonstrates the importance of proper service and permission management.