Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of ProFTPD and escalate your privileges with PATH variable manipulation.
Scan the machine with nmap. How many ports are open?
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <IP>
Using the nmap command above, how many shares have been found?
Once you’re connected, list the files on the share. What is the file you can see?
You can recursively download the SMB share too. Submit the username and password as nothing.
What port is FTP running on?
cat the newly downloaded log.txt file to find the FTP port number.
What mount can we see?
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <IP>
Let's get the version of ProFTPD. Use netcat to connect to the machine on the FTP port.
What is the version?
How many exploits are there for the running version of ProFTPD?
Copy Kenobi’s private key using SITE CPFR and SITE CPTO commands.
Mount the /var/tmp directory to our machine.
Copy the rsa file to your directory and chmod the file.
SSH into the kenobi server.
What is Kenobi’s user flag (/home/kenobi/user.txt)?
What file looks particularly out of the ordinary?
Run the following commands.
Run the binary. How many options appear?
What is the root flag (/root/root.txt)?
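From the defender's side, the SITE CPFR / SITE CPTO step above leaves a recognisable pair of commands in an FTP command log. The following is an added example, not part of the original walkthrough: it flags completed copies that were issued before login or that read from a sensitive path. The log layout, the sample lines, the user name and the watch list are all constructed assumptions; a real ProFTPD log layout depends on how logging is configured.

```python
import re

# Constructed sample log (not from the page). Assumed layout per line:
#   <time> <session-id> <client-ip> <reply-code> <FTP command and arguments>
SAMPLE_LOG = """\
10:01:02 s1 203.0.113.5 350 SITE CPFR /home/user1/.ssh/id_rsa
10:01:03 s1 203.0.113.5 250 SITE CPTO /var/tmp/id_rsa
10:05:00 s2 198.51.100.7 331 USER alice
10:05:01 s2 198.51.100.7 230 PASS (hidden)
10:05:09 s2 198.51.100.7 350 SITE CPFR /srv/ftp/report.txt
10:05:10 s2 198.51.100.7 250 SITE CPTO /srv/ftp/report.bak
10:07:00 s3 203.0.113.9 350 SITE CPFR /etc/passwd
10:07:01 s3 203.0.113.9 550 SITE CPTO /root/x
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (.+)$")
SENSITIVE = re.compile(r"/\.ssh/|^/etc/(shadow|passwd)$")  # assumed watch list

def find_copy_abuse(log_text):
    """Alert on completed SITE CPFR/CPTO copies made pre-login or from a sensitive path."""
    logged_in = set()   # sessions that completed a login (reply 230 to PASS)
    pending_src = {}    # session-id -> source path accepted by SITE CPFR
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _time, sid, ip, code, cmd = m.groups()
        verb = cmd.upper()
        if verb.startswith("PASS") and code == "230":
            logged_in.add(sid)
        elif verb.startswith("SITE CPFR ") and code == "350":
            pending_src[sid] = cmd.split(None, 2)[2]
        elif verb.startswith("SITE CPTO "):
            src = pending_src.pop(sid, None)
            if src is None or code != "250":
                continue  # no source recorded, or the copy failed
            reasons = []
            if sid not in logged_in:
                reasons.append("unauthenticated")
            if SENSITIVE.search(src):
                reasons.append("sensitive-source")
            if reasons:
                alerts.append((ip, src, cmd.split(None, 2)[2], reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_copy_abuse(SAMPLE_LOG):
        print(alert)
```

On the constructed sample only the first session is reported; the authenticated copy of a non-sensitive file and the failed copy are ignored.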