Bounty Hacker

Anon FTP - Password Cracking - TAR Binary Exploitation

Initial Enumeration

  • Only three ports were open - 21, 22, 80

  • Deep enumeration on port 80 didn't give anything useful

  • An Nmap script scan showed that anonymous FTP access was allowed; logging in gave us two sensitive files

  • One of them contained a list of potential passwords, and in the other we found a potential username, lin

  • Since port 22 was open, we brute-forced the password using hydra and got a shell!

Privilege Escalation

  • Basic enumeration on the user's file system gave us nothing

  • Checked the sudo privileges with sudo -l, entering the current user's password; surprisingly, it showed that /usr/bin/tar could be run with sudo

  • Immediately used GTFOBins to abuse tar

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
