An nmap scan shows ports 21, 22, and 80 open.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-34.png)
Getting into FTP with the anonymous login gave me some information that didn’t immediately help me.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-34.png)
I found a couple of extra directories on the webserver from fuzzing the site.
```
/files (Status: 301)
/server-status (Status: 403)
```
Navigating out to the site with /files gives us something interesting. It’s the same information that we saw when we logged into FTP.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-36.png)
Looking back at FTP on port 21, I noticed that it allows anyone to send data to the FTP directory.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-35.png)
I sent a PHP reverse shell into the directory and then opened it through the web browser and found some info. The secret ingredient to the recipe is love.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-39-1024x412.png)
It took me a while and some digging, but I eventually found a pcap file called suspicious.pcapng in the incidents directory.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-43.png)
Inside the pcap file, a password is shown, which I used to log in to the machine as the lennie user.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-42.png)
The user.txt file is located under the lennie user.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-40.png)
Inside scripts, a planner.sh script references print.sh.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-37.png)
We can add a reverse shell into the print.sh script and use netcat to listen locally on our machine for the reverse shell.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-38-1024x140.png)
It worked! We are now root.
![](https://cyberitedu.com/wp-content/uploads/2023/12/image-41.png)
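The root step works because a script that runs with root privileges calls a file that a lower-privileged user can edit. As an added example (not from the original write-up), this audit lists the files a privileged script references that are owned by an untrusted account or are group/other-writable; the function names and the optional trusted-UID argument are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit files referenced by a script that a privileged job runs.
# Helper names and the trusted-uid argument are hypothetical.

# Print "<owner uid> <mode string>" for a path, using portable `ls -ldn`.
_owner_and_mode() {
    set -- $(ls -ldn "$1")
    printf '%s %s\n' "$3" "$1"
}

# Succeed when the mode string has the group-write or other-write bit set.
_loosely_writable() {
    case "$1" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Usage: audit_script_refs <script> [trusted_uid]
# trusted_uid is the account the job runs as (default 0, i.e. root).
audit_script_refs() {
    script=$1
    trusted=${2:-0}
    # Collect absolute paths on non-comment lines (this also skips the shebang).
    grep -v '^[[:space:]]*#' "$script" | grep -oE '/[A-Za-z0-9_./-]+' | sort -u |
    while read -r ref; do
        [ -f "$ref" ] || continue
        set -- $(_owner_and_mode "$ref")
        if [ "$1" != 0 ] && [ "$1" != "$trusted" ]; then
            echo "FINDING $ref is owned by uid $1, not root or uid $trusted"
        elif _loosely_writable "$2"; then
            echo "FINDING $ref has mode $2 (group/other-writable)"
        fi
    done
    return 0
}

# Run directly: sh audit.sh /path/to/privileged-script.sh
if [ "$#" -gt 0 ]; then
    audit_script_refs "$@"
fi
```

Any finding means the referenced file should be made root-owned with mode 755 or stricter, or the privileged job should stop calling it.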