Before reading this writeup, just know that I will not point out each question and its answer, this is to encourage you to thoroughly read through this writeup and understand what was done, as well as to encourage you to replicate these steps on your own.

‍

Nmap

‍

After scanning with Nmap, we discover 4 open ports:-

• 21 - FTP
• 80 - HTTP
• 10000 - Webmin
• 55007 - SSH

‍

‍

Notice that ssh is not running on port 22, so if you do not scan the machine correctly, you might miss this key point.

‍

In addition to this, Nmap (and the machine's page) indicates that anonymous FTP login is allowed.

‍

‍

Getting the user flag

‍

After logging in via FTP, we find a text file with jumbled characters.

‍

To save you time, they are meaningless, although it would be a good chance to practice using CyberChef.

‍

‍

Moving on to the website itself, it turns out to be just a default Apache2 page.

‍

‍

So.. we'll start enumerating the website using ffuf.

‍

‍

As you can see, the site uses Joomla CMS, which can be accessed at "/joomla".

‍

Unfortunately tho, nothing is of interest to us here.

‍

‍

So, as the machine's author suggests, and as a good tip you should keep in mind when pentesting: whenever you hit a roadblock, keep enumerating.

‍

Next, I tried to enumerate "http://<MACHINE-IP>/joomla" using dirb.

‍

As you can see, most of the directories discovered do not stand out as interesting.. except for "/_test".

‍

‍

After visiting "/_test", I saw that "sar2html" is mentioned, and after googling what it was, the first indexed result was an RCE exploit.

‍

Here's an excerpt:

# Exploit Title: sar2html Remote Code Execution
# Date: 01/08/2019
# Exploit Author: Furkan KAYAPINAR
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Centos 7

In web application you will see index.php?plot url extension.

http://<ipaddr>/index.php?plot=;<command-here> will execute
the command you entered. After command injection press "select # host" then your command's
output will appear bottom side of the scroll screen.

‍

As you can see, we can pass a command in the "plot" parameter that shows up after clicking "New" on the webpage.

‍

‍

And just like that, we have RCE, now we can check the contents of "log.txt".

‍

‍

The file is apparently an SSH log, and we get the credentials for the user "basterd".

‍

And after logging in via ssh, we discover a file called "backup.sh" which contains the credentials for another user "stoner".

‍

‍

After switching users, we find the first flag in "/home/stoner" as expected.

‍

‍

Getting the root flag

‍

Ok, now we move on to privilege escalation.

‍

Checking what we can run with sudo, we find nothing.

‍

However, using find to check which files have the SUID bit set, we find... find.

‍

‍

Now if you've thought of finding a privesc technique from GTFOBins, you'd be absolutely right.

‍

‍

After escalating to root, we can find the root flag in "/root".

‍