First thing I did was run a netdiscover scan to find the IP.
From there I ran Sparta.py for some recon…I saw that anonymous FTP was enabled so I gave it a try.I found one PCAP file that I opened in Wireshark.I followed the TCP stream of ftp-data and found the contents of a text file that were talking about a directory.I assumed it was talking about port 80’s HTTP server.
My theory was confirmed.I downloaded the file and found it was a executable.When I ran it it told me to find a address.I was kinda confused when I opened the file in edb and found that there was no such address.
I was thinking…what other kind of address could there be? Oh,I know a URL? It took me a while but I was correct.Both of directories contained text files.
I tried to bruteforce SSH with “Good_job_:)” as a password, but after some trial and error I finally did it but with “Pass.txt” as the password.I SSH’d to the box and found something very interesting…The kernel was vulnerable to privesc.
I fired up a Python HTTP server and used the exploit.It worked perfectly.Since I got root I read the proof.txt and finished this VM.This VM was really fun.It was different and I must say it really got me stuck sometimes but that’s the point of it not? I also hope you enjoyed.