Anonymous
I had to run an nmap scan to find out what is going on in the server. I got the following output:
There are 4 ports open here, so I will have to find a way to get in using these ports. If you notice, next to ftp it states "[NSE: writeable]". This means that we can add a file to the ftp folder. I was assuming that we would add a php-reverse-shell to the file and then use that in order to get a way inside. I did come to realize that there was no way for me to execute the php code. I then had to look at a write-up in order to get my foothold into the machine. Before I get too far ahead of myself, I will let you know where I am currently at for the machine. I noticed that there are files in the ftp directory called "scripts":
I downloaded all of these files to my own computer using the "mget *" command. I then used the same write-up as previously to find out my next step. My next step was to overwrite the clean.sh file, and then fill it in with a reverse bash tcp connection. This can be found at this GitHub. After this is done, we can then push it to the ftp using the mput command. Something such as "mput clean.sh", and this will overwrite the current file on the machine. On another tab, on my machine, I ran netcat. I ran the command "nc -lvp 1234" where I am listening on my machine on the port 1234.
I then found user.txt:
I then needed to find a way to get to root. In order to do this, I ran the command:
This allows us to see what commands we are able to run with our current user. I am not sure why I ran the following command, but it seems to be the only way to get to root. I do not understand why it works. Even after doing a bit of research about it, I still seem to be lost as to why it works. The command was:
This got me to root, and I got the root.txt.
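From the defender's side, the foothold above exists because a script the server runs (clean.sh) sat in a directory the anonymous FTP user could write to. The following audit sketch is an added example, not part of the original write-up: it walks a share and reports script-like files an unprivileged uploader could replace. It assumes the anonymous FTP account gets its write access through the "other" permission bits; the function names and the extension list are illustrative.

```python
import os
import stat

SCRIPT_EXTS = {".sh", ".py", ".pl", ".php"}  # assumption: extensions treated as scripts

def looks_executable(path, mode):
    """True if the file has an execute bit, a script extension, or a shebang."""
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False

def audit_share(root):
    """Return (path, reason) pairs for script-like files that an
    unprivileged uploader could replace somewhere under `root`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dir_mode = os.stat(dirpath).st_mode
        # A world-writable directory without the sticky bit lets any user
        # delete or rename entries, so a read-only file can still be swapped.
        dir_open = bool(dir_mode & stat.S_IWOTH) and not dir_mode & stat.S_ISVTX
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks planted in the share
            if not stat.S_ISREG(st.st_mode) or not looks_executable(path, st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "file is world-writable"))
            elif dir_open:
                findings.append((path, "parent directory is world-writable"))
    return findings

if __name__ == "__main__":
    import sys
    for path, reason in audit_share(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}")
```

Any finding means the script should be moved out of the upload area or the share made read-only for anonymous users before anything on the host executes it.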