# Anonymous Machine start to scan to discover ports and services is running ![Screenshot 2025-04-10 143942.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2FlC9rLHJsnvlsPEwiLcch%2FScreenshot_2025%2004%2010_143942.png?alt=media) then we wanna to know more info for this services ```bash nmap -sV -sC -A -O Ip_add ``` ![Screenshot 2025-04-10 143959.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2FactHO4EV8ZMZm9hugQg6%2FScreenshot_2025%2004%2010_143959.png?alt=media) we found port 21 has `Anonymous login` so let’s try to discover it ![Screenshot 2025-04-10 144057.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2FY4ASMrZAOPY6OX3pBKGn%2FScreenshot_2025%2004%2010_144057.png?alt=media) we found 3 files in folder call scripts after we download these files we discover her content for each file ![Screenshot 2025-04-10 144138.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2FksRaDd6vvPkz9DpYCh8i%2FScreenshot_2025%2004%2010_144138.png?alt=media) > this file used to automated a scheduled task ![Screenshot 2025-04-10 144151.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2Fwc1mjewxQjUn3ZREE8RC%2FScreenshot_2025%2004%2010_144151.png?alt=media) so we edit the content of `clean.sh` to code take a reverse shell on this machine ![Screenshot 2025-04-10 144214.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2FuFIWSCL8LnzKYkQj6fhR%2FScreenshot_2025%2004%2010_144214.png?alt=media) > then we listen this port on attacker machine and we upload this file by ftp server ![Screenshot 2025-04-10 144230.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2Fxg9sfq5LCLfmiHcFMonN%2FScreenshot_2025%2004%2010_144230.png?alt=media) then let’s fix this shell to make it more flexible ![Screenshot 2025-04-10 144307.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2Fs9zeBIBPefhZJYtsILvc%2FScreenshot_2025%2004%2010_144307.png?alt=media) ```bash python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm **Ctrl+Z** stty raw -echo;fg ``` we start to discover files on this machine but nothing ![Screenshot 2025-04-10 144317.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2FzVa5Lui2FnAGhitkPpB6%2FScreenshot_2025%2004%2010_144317.png?alt=media) we try to search for `SUID files` ![Screenshot 2025-04-10 144334.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2Fci0tL7IHyPU2PtCJJEEC%2FScreenshot_2025%2004%2010_144334.png?alt=media) we use `env` to take a root shell on this machine ![Screenshot 2025-04-10 144349.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2Flh1HUkTn5A8Y8YWdjekG%2FScreenshot_2025%2004%2010_144349.png?alt=media) ![Screenshot 2025-04-10 144407.png](https://3641998078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv4bbPCMP2UOAXGuYloqD%2Fuploads%2FyU5scS3WDJzwySxV5ys6%2FScreenshot_2025%2004%2010_144407.png?alt=media)