💰Bounty Hacker
You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!
Enumeration
I first ran a Nmap service scan to detect open services.
This returned port 21(ftp), 22(ssh), 80(http). The good thing about running -sC
(default scripts) is that it identified anonymous FTP login. So, we can connect via FTP.
One of the files available to us is locks.txt
, which contains a list of what looks to be passwords.
Exploitation
On the webserver, we're given a list of members of the 'Red Dragon Syndicate'.
We can use this list of users with the list of passwords to see if we can crack into SSH.
We were able to get access to lin
!
Privilege Escalation
Taking a look at
will list what lin
can run as sudo.
GTFOBins has some nifty tar
commands which can help escalate privileges.
This command will allow us to execute /bin/sh
as sudo, and thus give us a shell as root
!
Last updated