OffSec PG - FunBoxRookie


Machine IP →

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt

OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Port   Service   Other details (if any)
21     FTP       ProFTPD 1.3.5e
22     SSH       OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80     HTTP      Apache httpd 2.4.29 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.html
  • robots.txt

The robots.txt file contains an entry for /logs/; however, that path is not reachable.


The FTP service actually allows anonymous login, even though the nmap service scan did not list it. Looking at its contents, there are a number of zip files named after different users. Cracking these files with fcrackzip against the rockyou.txt password list, the following zip files were cracked successfully →

  • - catwoman
  • - catwoman
  • - iubire

Unzipping each of these with its respective password gives an id_rsa file for SSH login. All the key files are identical, so they belong to a single user. Trying all of the usernames, the one that works and grants a shell is the user tom.

This gives the user flag. Navigation and other actions seem limited, so the shell was checked and turned out to be /bin/rbash, a restricted shell. Python was used to spawn a bash instance to escape it.

Privilege Escalation

Looking at the user's home directory, there is a MySQL history file. The key entry is → insert\040into\040support\040(tom,\040xx11yy22!); (the mysql client stores spaces in its history as the octal escape \040, so this reads insert into support (tom, xx11yy22!);). This records the user tom being added to the support table, with what looks like a password stored next to the name.

Checking whether this is the password for the user tom with sudo -l, it indeed works and shows that tom can run all commands under sudo without a password. Therefore, sudo su gives a root shell and the root flag can be retrieved.
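Added example, not part of the writeup: a small POSIX shell check a defender could run on a host to catch the two findings above, credentials left in a mysql client history (where spaces are stored as \040) and a NOPASSWD: ALL sudo rule. The sample history and sudoers snippets are constructed; the function names and the "credential-looking statement" patterns are my own choices.

```shell
#!/bin/sh
# Hardening check: decode a ~/.mysql_history file and flag statements that
# carry credentials, and spot NOPASSWD: ALL rules in a sudoers-style file.
# The mysql client writes history with spaces encoded as the octal escape
# \040; printf '%b' turns such escapes back into the original characters.

decode_mysql_history() {
    # $1: path to a .mysql_history file; prints each statement decoded
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%b\n' "$line"
    done < "$1"
}

find_credential_statements() {
    # Print decoded statements that look like they store a secret:
    # INSERTs, IDENTIFIED BY clauses, or anything mentioning a password.
    decode_mysql_history "$1" \
        | grep -iE '^insert |identified by|password'
}

count_credential_statements() {
    find_credential_statements "$1" | wc -l | tr -d ' '
}

check_sudo_nopasswd() {
    # $1: path to a sudoers-style file. Exit 0 if any uncommented rule
    # grants NOPASSWD: ALL, i.e. a passwordless path to root.
    grep -vE '^[[:space:]]*#' "$1" | grep -qE 'NOPASSWD:[[:space:]]*ALL'
}

# Constructed sample inputs (the INSERT line mirrors the one from the box).
HIST_FILE="$(mktemp)"
cat > "$HIST_FILE" <<'EOF'
show\040databases;
use\040support_db;
insert\040into\040support\040(tom,\040xx11yy22!);
select\040*\040from\040support;
EOF
SUDOERS_FILE="$(mktemp)"
cat > "$SUDOERS_FILE" <<'EOF'
# tom ALL=(ALL) NOPASSWD: ALL
tom ALL=(ALL) NOPASSWD: ALL
EOF

if [ "$(count_credential_statements "$HIST_FILE")" -gt 0 ]; then
    echo "Credential-bearing statements in $HIST_FILE:"
    find_credential_statements "$HIST_FILE"
fi
check_sudo_nopasswd "$SUDOERS_FILE" && echo "NOPASSWD: ALL rule present in $SUDOERS_FILE"
```

The same functions can be pointed at a real ~/.mysql_history and /etc/sudoers (or /etc/sudoers.d/*) once the constructed inputs are removed.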

This post is licensed under CC BY 4.0 by the author.