Hi all, let’s pwn it! :)
You can find the machine here: Panabee
As always, let’s start with nmap.
Port 445 (SMB) seems interesting, so let’s enumerate it.
SMB (Server Message Block) is a protocol for sharing files.
First of all we have to list the shares. I always like to use the smbclient utility, a client for accessing SMB shares.
The note share seems interesting, so let’s connect to it using a null session (without a password or sending a blank password):
note.txt provides us with some useful info:
Shell as goper
Let’s do FTP brute force using username
Perfect. Let’s connect to FTP, where we can create a backup.sh file with a reverse shell in it.
Let’s upload it.
We have a shell:
goper -> jenny
Now privesc to user jenny is really easy, let’s check
We can run this Python file as jenny. We can simply rename the status2.py and create our own status.py with our payload in it.
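From the defender's side, this step works because the low-privileged user can write to the directory holding the script that runs as jenny, and renaming a file only needs write access to its directory. The audit below is an added example, not part of the original write-up; `weak_links`, its parameters and the temporary directory layout are constructed for illustration.

```python
import os
import stat
import tempfile

def weak_links(script, trusted_uids=(0,), stop_at="/"):
    """List (path, reason) for each path component that would let an
    untrusted account rename or replace `script`."""
    findings = []
    path = os.path.realpath(script)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.stat(path)
        if st.st_uid not in trusted_uids:
            findings.append((path, "owned by untrusted uid %d" % st.st_uid))
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # A sticky directory (like /tmp) only lets owners rename entries.
        sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if loose and not sticky:
            findings.append((path, "group/world-writable"))
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            return findings
        path = parent

def demo():
    """Constructed layout: a status.py inside a directory anyone can write to,
    then the same layout after tightening the directory mode."""
    app = os.path.join(tempfile.mkdtemp(), "app")
    os.mkdir(app)
    script = os.path.join(app, "status.py")
    with open(script, "w") as fh:
        fh.write("print('ok')\n")
    os.chmod(script, 0o644)
    me = (os.getuid(),)          # stand-in for the sudo target account
    os.chmod(app, 0o777)         # weak: the script can be swapped
    weak = weak_links(script, trusted_uids=me, stop_at=app)
    os.chmod(app, 0o755)         # hardened: only the owner can write
    fixed = weak_links(script, trusted_uids=me, stop_at=app)
    return weak, fixed

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

On a real host, pass the script path from the sudoers entry and set `trusted_uids` to root plus the account the script runs as; any finding means the sudo rule grants more than it appears to.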
jenny -> root
Great! Now privesc to root is easy too. If we check the command history we can see a lot of
Really weird, this seems like session sharing. We simply have to run this command, but first we have to find the
We have a root shell:
Let’s read the flag: