Reconnaissance

I used nmap to see what ports/services were showing as up and running.

Immediately I noticed ftp is open and anonymous login is enabled. With anonymous login enabled, it means that anyone can log into this FTP server. As an aside, SSH and netbios was also open. I tried the VSFTPD backdoor by doing it manually but it wasn’t exploitable so I turned to SAMBA.

Enumeration

First thing I did was run a samba scanner on Metasploit to figure out the exact version this server was running in order to find an exploit.

The scanner revealed Unix Samba 3.0.20-Debian. So I found an exploit for a shell and exploited the box.

Exploitation

This gave me a reverse shell to which I was ‘root.’

Post-Exploitation

From here I needed to find the flag for both root and user. I instantiated a TTY shell so I could be fully interactive. From here I perused around and found the root flag.

After I found the user ‘makis’ from the /etc/passwd file. I did a cd to his home directory and found the user flag as well.

Results Analysis

The exploit for this was pretty straight-forward. It seems as though the anonymous FTP was a decoy to send you down a rabbit hole. Still in the security context, there’s a lot on that which can be secured. Other than that, the exploit I used gave me root access and the box was owned at that point. It just was a matter of finding the flags.