Friendly3
Description
Friendly3 is a beginner machine created by RiJaba1
Friendly3
Walk through
Enumeration
Port Enumeration
Basic PORT enumeration with NMAP
Note: in my case $TARGET is 192.168.1.69
The reported ports are
Service Enumeration
Now lets enumerate the services running on each port with
Output
Port 80
Open the web reported we can see a semi void web, but trying to get the biggest amount of info from our fonts, we can get a name juan
Port 21
The FTP service don't have anonymous user based on the Service Enumeration Lets try with a Brute Force Attack to get the credentials of the possible user juan In this case I go to use Hydra but exist more Tools to do this. Take a look here for more info. Yeah, we has luck, the password for the user juan is alexis
Exploitation
Use the credentials to FTP
Nothing seems interesting, every file is empty or with junk info
User flag
We can try to reuse the credentials in the other open service, SSH juan for user alexis for password
It works Type ls and you go to see the user flag
Post-Explotation
Privilege Escalation
Juan do't have sudo permissions to do sudo -l Let's do the basics I go to try to explore the current process with PSPY Download in your ATTACKER machine the binary from here Download in your Attacker machine the Pspy64 from here After download your Pspy open a http server to transfer your file
If you don't know how to do that follow this instructions
Use curl to request the file from the TARGET machine in the Path /tmp
Then add execution permissions and execute it
Root flag
References
https://null-byte.wonderhowto.com/how-to/brute-force-ftp-credentials-get-server-access-0208763/
https://github.com/DominicBreuker/pspy
https://github.com/CesarGBkR/HackingBasics/tree/main/Writeups/TCM/PEH
Last updated