Difficulty: Easy
Tested: VMware Workstation 15.x Pro (This works better with VMware rather than VirtualBox)
Goal: Get the root shell, i.e. (root@localhost:~#), and then obtain the flag under /root.
Okay then, let’s go.
nmap
All we’ve got is FTP and HTTP on port 80; nothing else. Nothing on the top 1000 UDP ports. FTP is vsftpd 3.0.3, which is not vulnerable; same with Apache 2.4.38.
FTP
Anonymous login is not allowed. Fuzzing for subdomains turns up nothing, and gobusting turns up nothing either, even with the larger wordlists. We did get a picture of a chili from the front page of the webserver, but the usual stego attacks get nothing (stegcracker, checking LSBs, exiftool, binwalk, etc.).
This box is supposed to be easy - what does that leave? Bruteforcing FTP.
Okay, so we’re in.
After some enumeration on the box turns up nothing useful, it’s time to try putting a shell on the server and executing it. We can put with FTP, but only in one particular web directory: /var/www/html/.nano/.
We can load the shell just fine (pentest monkey, as usual), but initially it won’t fire. Why not? We need to chmod it.
Once that’s done, we can catch our shell and we’re on the box.
Privesc
Linpeas to the rescue; /etc/passwd is writeable. Same as sunset/twilight:
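From the defender's side, the condition linpeas flagged here can be audited directly. The following is an added example, not part of the original write-up: it checks the account file's permission bits and looks for entries that only a writable /etc/passwd makes possible. The function names, the sample lines and the account name backup2 are constructed for illustration.

```python
import os
import stat

# Password-field values meaning "hash lives in /etc/shadow" or "account locked".
SHADOWED = {"x", "*", "!", "!!"}
# Constructed sample: a normal root entry, a service account, one tampered line.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup2:$6$CONSTRUCTED$placeholder:0:0::/root:/bin/bash
"""

def mode_findings(path):
    """Flag write access for anyone but the owner, and a non-root owner."""
    st = os.stat(path)
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_uid != 0:
        findings.append(f"owned by uid {st.st_uid}, expected 0")
    return findings

def entry_findings(lines):
    """Flag extra UID 0 accounts and password fields that bypass /etc/shadow."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry"))
            continue
        name, pw, uid = fields[:3]
        if uid == "0" and name != "root":
            findings.append((lineno, f"extra UID 0 account '{name}'"))
        if pw == "":
            findings.append((lineno, f"empty password field for '{name}'"))
        elif pw not in SHADOWED:
            findings.append((lineno, f"inline password hash for '{name}'"))
    return findings

if __name__ == "__main__":
    print("sample:", entry_findings(SAMPLE.splitlines()))
    target = "/etc/passwd"  # live file on the host being audited
    with open(target, errors="replace") as fh:
        report = mode_findings(target) + [f"line {n}: {m}" for n, m in entry_findings(fh)]
    for msg in report:
        print(f"{target}: {msg}")
```

On a correctly configured host the live-file report is empty: /etc/passwd is owned by root with mode 0644 and every password field defers to /etc/shadow.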