 
 
In the scan output, we see that anonymous FTP login is enabled and HTTP is running on port 80.
 
Before logging into FTP, let's look at the home page.
 
 
There is nothing useful in the source code either.
 
Let's start the dirb scan.
 
 
Let's log in to FTP while the dirb scan is in progress.
 
 
The ftp directory is empty. Let's get the other files.
 
 
I extracted the important.jpg but I couldn't see anything in the files.
 
Meanwhile, the dirb scan is done.
 
 
When we go to the files page in the browser, we see the same files as on FTP.
 
If we look at the file permissions, we can see that we can write files to the ftp directory. So let's upload web-shell.php.
 
 
 
 
Login success. Shell:
 
 

python3 -c 'import pty; pty.spawn("/bin/bash")'

This command uses Python's pty module to spawn /bin/bash attached to a pseudo-terminal, which gives us an interactive shell.
 

export TERM=xterm

This command sets the TERM environment variable to xterm, a terminal type that most terminal emulators support.
 

^Z

Ctrl+Z pauses the currently running process and places it in the background as a stopped job.
 

stty raw -echo; fg

The stty raw -echo command sets the terminal input to raw mode and disables echo.
 
Then the fg command brings the paused job back to the foreground.
 
 
While browsing through the files a bit, we find the recipe.txt file. When we print recipe.txt with cat, we get the answer to the first question.
 
 
We don't have permission to access the Lennie folder.
 
We see a suspicious pcap in the incidents directory. We can copy the pcap file to the ftp directory and open it directly from the browser.
 
 
We can see in the pcap file that someone previously got a shell on this machine.
 
 
As you can see in the picture below.
 
 
Let's export the packet dissections.
 
 
Open the file and look for something useful.
 
 
Frame 45 looks remarkable.
 
When we view Frame 45 as a TCP stream, we can see Lennie's password.
 
 
Now we can log in as lennie.
 
 
And we got the first flag.
 
 
We don't have permission to run sudo.
 
LinPEAS
 
 
Actually, we already saw the scripts folder when we logged in.
 
 
 
We see that we cannot modify the planner.sh file without root privilege and that the planner.sh file calls the /etc/print.sh script.
 
We also know that we can edit print.sh.
 
It is normal to get stuck at this stage because we cannot see this script in crontab. But if we examine the files for a while, we will see that the startup_list.txt file has been updated.
 
That means the planner.sh script is being run by root.
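
From the defender's side, the weakness described above is that a script run by root calls a helper that a non-root user can edit. The following check is an added example, not part of the original write-up, that lists such files; it assumes GNU grep and stat, and the function names, sample file contents and temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up). Assumes GNU grep/stat.
# Flags files referenced by a root-run script that a non-root user could
# modify: owner is neither root nor the optional trusted uid ($2), or the
# mode grants group/world write.
audit_script_deps() {
    script=$1
    trusted_uid=${2:-0}
    findings=0
    # Every absolute path mentioned in the script, de-duplicated.
    for path in $(grep -oE '/[A-Za-z0-9_./-]+' "$script" | sort -u); do
        [ -f "$path" ] || continue
        owner=$(stat -L -c '%u' "$path")
        mode=$(stat -L -c '%a' "$path")
        reason=
        if [ "$owner" -ne 0 ] && [ "$owner" -ne "$trusted_uid" ]; then
            reason="owned by uid $owner"
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            reason="${reason:+$reason, }group/world-writable (mode $mode)"
        fi
        if [ -n "$reason" ]; then
            echo "FINDING: $path ($reason)"
            findings=1
        fi
    done
    return "$findings"
}

# Constructed sample layout mirroring the write-up: planner.sh calls a
# helper named print.sh that other users are allowed to modify.
make_sample() {
    dir=$1
    printf '#!/bin/bash\necho "$LIST" > %s/startup_list.txt\n%s/print.sh\n' \
        "$dir" "$dir" > "$dir/planner.sh"
    printf '#!/bin/bash\necho "placeholder"\n' > "$dir/print.sh"
    : > "$dir/startup_list.txt"
    chmod 755 "$dir/planner.sh"
    chmod 644 "$dir/startup_list.txt"
    chmod 777 "$dir/print.sh"      # the weak permission being audited
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_script_deps "$demo_dir/planner.sh" "$(id -u)" || echo "review the files above"
chmod 755 "$demo_dir/print.sh"     # remediation: only the owner may write
audit_script_deps "$demo_dir/planner.sh" "$(id -u)" && echo "clean after fix"
rm -rf "$demo_dir"
```

On a real host, run it without the second argument so that only root counts as a trusted owner, and check the directories holding the reported files as well.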
 
 
We can put PentestMonkey's reverse shell script into print.sh
 
and listen on port 8081.
 
 
If we wait for a while...