Friendly

Description

Friendly is a beginner machine created by RiJaba1

Friendly

Walk through

Enumeration

Port Enumeration

Basic PORT enumeration with NMAP

nmap -Pn -n -p- --min-rate 5000 --open $TARGET

Note: in my case $TARGET is 192.168.1.81

The reported ports are

PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Now lets enumerate the services running on each port with

nmap -sCV -p $PORTS --min-rate 5000 $TARGET

        ```

Output
```Bash
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.54 (Debian)

Port 21

We can se a anonymous profile enable Let's connect it with anonymous credentials anonymous as the user and a blank password

ftp anonymous@$TARGET

List the files with ls Just exist the index file on the current directory, I try to change the directory but nothing happens Download the index.html an take a look inside After read the file just look like a normal index default file

Exploitation

Lets try putting inside the TARGET machine a malicious file such a PHP Reverse Shell You can create your own Reverse Shell here

Select PHP PentestMonkey Put your ATTACKER IP in the IP field and your listener PORT I go to use 1234

Copy the code in some php file and open a ftp to TARGET using anonymous user again Using put command you can transfer files from ATTACKER to TARGET for more info about ftp commands visit this site

If you list the files again you can see your php file

Try to execute it from the web page Don't forget open your listener before

If everything goes good you should have a shell on your listener

User flag

Navigate to /home/RiJaba1/ and you can see the user flag there typing ls and then with cat the file

Post-Explotation

Privilege Escalation

Start with the basics Use sudo -l to list the executable sudo bins

Here we can see a sudo permissions to vim without password Vim have the ability of execute shell commands, if we execute vim with sudo and then execute commands from Vim, this commands will be execute with sudo permissions more info about it here

Let's exploit it

Open Vim with sudo typing

sudo vim

When you open your Vim you go to see something like this

Here type :! /bin/bash to get a shell

And Done, confirm your privileges with whoami

Root flag

Search the root flag in all directorys

find / -name root.txt 2>/dev/null

And There are

CONGRATULATIONS

References

https://www.revshells.com/

https://phoenixnap.com/kb/linux-ftp

https://www.rockyourcode.com/til-how-to-execute-an-external-command-in-vim-and-reload-the-file/