Port enumeration

Using nmap, I found a ftp, ssh and http services open. da3d76824e26a3064fb44db1f8118158.png

FTP enumeration

FTP server have the anonymous user enabled. 3c6876a9c0963509146aa6d7c4eb95f5.png Here, I found a backup file 81c3f3a6edf860a21fdb43608990b067.png I upload the zip in my local machine, but, to unzip it, I need a password. effdeba80901e5fa6febd38db8b38feb.png

Hash cracking

Using zip2john, I extract the hash. c73cc87d9e42b5919587ee7311756df2.png Now, I use john to crash the hash. 75f421a134f007c21e71f337e3fe8b2b.png With this, I am able to unzip the backup file, where I found a md5 hash harcoded. 06eb08b7f699656bf1edecb3c08b4571.png Using john again, I am able to obtain the password. 0e615b259ed2b83fc216972474cfac0d.png

Web enumeration

The main page is a login formulary, where I can log using the credentials I obtained in the last step. 16a2b3d35004c676c81bf7fe397edf94.png Here, I found what looks like a car list. 6474d0c8d2e7c14840a8df9c7f9ab0ea.png

SQLI to RCE

This page is vulnerable to SQLI 8365f9e7d81d345b4c6d6b1250fa43b7.png Now, I use SQLmap to obtain a shell. dccbd0fc38082b04e992e4b55726255b.png 5dba2ea2cd030ccaea819d261ed86da5.png Using this shell I am able to read the user flag. c03b88bfd98c5d6905b97fb52504a96d.png

Privilege escalation

Reading the php files, I found another password harcoded. c4abd76b06cc2d9234f1e24eeab9106c.png With this password, I was able to found that the postgres user can use vi as sudo using sudo -l. 29643323e0cae89e0f1930d3290b89a2.png With this, I can execute a shell ass root. b0cc05fa90f70a11c1536a4831f8dd12.png 2556e2eaba85acf1817a7e6ad3ad6b25.png