IP_ADDR = 10.10.205.163
nmap scan here
Looking at the nmap scan, there were 2 SMB servers; tried getting into them but couldn't mount.
There was an FTP server set up on port 21 which had anonymous login enabled. So, got into the FTP server. There were 3 files, which are located in files. The clean.sh had a script, and the log file indicated that the
echo "Running cleanup script: nothing to delete" >> /var/ftp/scripts/removed_files.log;
used to run. So, added a bash reverse shell to it. Got a reverse shell back as user namelessone. Got the user.txt file from the home directory.
Downloaded linpeas.sh and ran it but got nothing.
Spawned a stable reverse shell from python using:
import pty;pty.spawn('/bin/bash');
Used sudo -l to get the files that could be run as sudo. But didn't have the password of the user namelessone, so couldn't have a look into it. Used find / -type f -perm /4000 2>/dev/null to get the SUID binaries that could be run as sudo, and found /usr/bin/env, and used it to spawn a bash shell using /usr/bin/env /bin/bash -p (-p to preserve privileges). Got root access.
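From the defender's side, the root cause of the last step is a setuid bit on a program that runs whatever command it is given. The script below is an added example, not part of the original write-up: it audits a directory tree for setuid files and flags such launchers. The function name audit_suid and the RISKY_NAMES list are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a tree for setuid files and flag the ones that can
# start arbitrary programs (as /usr/bin/env did on this box).

# Constructed, non-exhaustive list of program names that should never be
# setuid, because they execute any command handed to them.
RISKY_NAMES="env bash sh dash zsh python python3 perl ruby find vim nmap"

# audit_suid ROOT
# Prints one line per setuid regular file under ROOT:
#   RISKY <path>    basename is in RISKY_NAMES
#   REVIEW <path>   setuid, not in the list; compare with package defaults
# Returns 1 if at least one RISKY file was found, 0 otherwise.
audit_suid() {
    root=$1
    status=0
    # -perm -4000 is the POSIX spelling; for this single bit it selects the
    # same files as the GNU form -perm /4000 used in the write-up.
    list=$(find "$root" -xdev -type f -perm -4000 2>/dev/null | sort)
    while IFS= read -r path; do
        [ -n "$path" ] || continue          # empty result set
        name=$(basename "$path")
        verdict=REVIEW
        case " $RISKY_NAMES " in
            *" $name "*) verdict=RISKY; status=1 ;;
        esac
        printf '%s %s\n' "$verdict" "$path"
    done <<EOF
$list
EOF
    return $status
}

# Stand-alone use: sh audit_suid.sh /usr
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

A RISKY hit is fixed by clearing the bit (chmod u-s on the file); REVIEW entries are worth comparing against the distribution's packaged permissions.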