Before i begin, this machine is defiantly a troll
Let’s scan the host with nmap and see what information related to it’s open ports
Nmap –A –T4 –p- 192.168.1.5 –vv
dirb came with /secret
I cat , strings and exiftool both the pictures but came with nothing .
Next let’s try to connect to FTP service as nmap says it’s anonymous login
After logging in a listed the files and found a lol.pcap file and retrieved it
Viewing the file with tcpick -C -yP –r lol.pcap found a path sup3rs3cr3tdirlol
Visiting the path gave us a new file to download roflmao its executable file , it strings it and found some information inside it but what we need from it is another path 0x0856BF
Inside the directory is two folders inside each is text file one is the passwords and another with a username
Downloaded the two file Pass.txt and which_one_lol.tx and used Hydra
Username is overflow worked with the password (Pass.txt), BUT trying to login was so hard and not easy, as the host keeps blocking the login and sometimes crashing and weird things happening while logging in
Lets find out what the host kernel and version is and exploit that
Ok now we have this information lets search for exploit using searchsploit on our machine
Now lets copy the file to the host machine using SimpleHttpServer on out machine and using wget on the host machine to copy the file into the tmp folder
Now compile the file with any name and run it
As you can see we got root shell and changed directory to /root and there is a file with the name proof.txt, view it and that’s it.
