The nmap output shows that HTTP is running on port 80 and the FTP service is running on port 22. Anonymous login is also enabled on the FTP port.
Screenshot of the site:
When I logged into the ftp port as Anonymous, I got an error while running the command. I solved the error with the "epsv" command.
ftp> epsv
The epsv command toggles the ftp client's use of extended passive mode (EPSV) for data connections, which fixes the connection problem and lets data transfer work.
Let's download the "locks.txt" and "task.txt" files after logging in as Anonymous and look at their contents.
There is a password list in the locks.txt file.
We also see the name lin in the task.txt file.
When we brute-force SSH with this list, we find the correct password in it.
hydra -l lin -P locks.txt [IP_ADDRESS] ssh -t 4
Now that the login is successful, we can get our first flag.
The sudo -l command is used to display which commands a user can run with superuser (root) privileges on the system, or which commands they are not authorized to execute.
Here we see that we can run the /bin/tar command as "lin". There is a command that exploits this vulnerability on the GTFOBins site.
It uses /dev/null files to attempt to execute the /bin/sh (Bourne Again Shell) shell when certain conditions are met with the --checkpoint and --checkpoint-action options.
The --checkpoint option is used to track how long tar runs or how much data it processes, while --checkpoint-action is used to execute a specified command when a specific event occurs.
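From the defender's side, the same sudo -l listing can be audited for rules like the /bin/tar one above. The Python sketch below is an added example, not part of the original write-up; the sample output, the short binary list and the function name audit_sudo_listing are assumptions made for illustration.

```python
import re

# Assumption: a small, non-exhaustive set of binaries that GTFOBins lists as
# able to launch other programs under sudo. tar is the one this page names.
SHELL_CAPABLE = {"tar", "find", "vim", "less", "awk", "env"}

# Constructed `sudo -l` output (host name and the last two rules are made up).
SAMPLE = """\
Matching Defaults entries for lin on host:
    env_reset, mail_badpass

User lin may run the following commands on host:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/uptime
    (root) NOEXEC: /usr/bin/less /var/log/syslog
"""

# One rule line: "(runas) [TAG: ...] command[, command ...]"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_listing(text):
    """Return (runas, command, note) for each rule that needs review."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # skip the Defaults section above this line
            continue
        match = RULE.match(line) if in_rules else None
        if not match:
            continue
        noexec = "NOEXEC:" in match["tags"]
        for cmd in (c.strip() for c in match["cmds"].split(",")):
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if name not in SHELL_CAPABLE:
                continue
            if noexec:
                note = "shell-capable, but NOEXEC limits child processes"
            elif len(cmd.split()) == 1:
                note = "shell-capable with unrestricted arguments"
            else:
                note = "shell-capable; review the allowed arguments"
            findings.append((match["runas"], cmd, note))
    return findings


if __name__ == "__main__":
    for runas, cmd, note in audit_sudo_listing(SAMPLE):
        print(f"{cmd} as {runas}: {note}")
```

A rule such as the /bin/tar one is best removed or replaced with a wrapper script that fixes the arguments, since any unrestricted argument list lets the user pass options like --checkpoint-action.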