- From enumeration SMB servers can be found
- SMB enumeration
- Look at the log files on the web server for clues
- Exploit a cronjob to gain access
- Use linpeas to find for interesting flies
- Privilege access can be gained from exploiting binaries
Run nmap scan to find for open ports.
Run a gobuster scan to find for hidden directories.
Unable to gain access to the log files besides management.log
The management logs shows us some kind of cron job with two particular files.
Let’s enumerate SMB
The SMB shares are empty but we are able to put files in them. Let’s create the same files found on the management log and put a bash shell in them.
Place the file in the smb share and start nc.
User access gained.
Checking sudo permisions we are able to run sudo.
However using by just switching to root user we get a warning message.
Let’s check linpeas for more clues.
Fro GTFOBins we can get shell.
Root access is gained and final flag is found.