Start with a scan to discover which ports and services are running.
Then we want more information about these services:
nmap -sV -sC -A -O Ip_add
We found that port 21 allows anonymous login, so let's explore it.
Anonymous login
We found 3 files in a folder called scripts. After downloading these files, we inspected the contents of each one.
This file is used to automate a scheduled task.
So we edited the contents of clean.sh, replacing them with code that opens a reverse shell on this machine.
clean.sh
Then we listened on this port on the attacker machine and uploaded the file through the FTP server.
Then let's fix this shell to make it more flexible.
We started exploring files on this machine but found nothing.
We then searched for SUID files.
SUID files
We used env to get a root shell on this machine.
env
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg
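From the defender's side, both weaknesses used in this walkthrough (a scheduled script that can be overwritten, and a SUID bit on env) can be caught with a short audit. The script below is an added example, not part of the original writeup; the denylist, the function names and the assumption that the script was world-writable are mine.

```shell
#!/bin/sh
# Defensive audit for the two weaknesses this walkthrough relies on.
# Added example: the denylist below is a constructed sample, not a complete list.

# General-purpose launchers and interpreters that should never carry the SUID bit.
RISKY_SUID="env bash sh dash python3 perl find vim"

# Print every SUID file under $1 whose name is on the denylist.
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        for name in $RISKY_SUID; do
            if [ "$(basename "$f")" = "$name" ]; then
                echo "SUID-RISK $f"
            fi
        done
    done
}

# Print every world-writable shell script under $1, for example a directory
# shared over FTP whose scripts are run by a scheduled task.
# Assumption: the script was replaceable because of world-write permission bits.
audit_writable_scripts() {
    find "$1" -xdev -type f -name '*.sh' -perm -0002 2>/dev/null | while IFS= read -r f; do
        echo "WORLD-WRITABLE $f"
    done
}

# Run both checks on every directory given as an argument,
# e.g. ./audit.sh /usr/bin /var/ftp
for dir in "$@"; do
    audit_suid "$dir"
    audit_writable_scripts "$dir"
done
```

Any SUID-RISK line should be fixed by removing the SUID bit (chmod u-s), and any WORLD-WRITABLE script run by a scheduled task should be moved out of the FTP share and made writable only by its owner.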