Name: KB-VULN: 1
Release Date: 29 Aug 2020
Difficulty Stated: Medium
Difficulty I found: Beginner to Intermediate
OS used: Kali Linux 2020.2
Things you can learn from this VM: Enumeration, FTP anonymous login, SSH dictionary attack, Privilege Escalation via message of the day, Reverse shell
The first step is always going to be Nmap. We found ports 21, 22 and 80 open. FTP had anonymous login enabled.
Logged in as the anonymous user on the FTP service and downloaded the bash history file, which contained the following data.
Ran gobuster and nikto but didn’t find anything fruitful. So, looked at the source of the webpage and found the username “sysadmin”.
Used Medusa to run a dictionary attack against SSH and found the valid password = password1.
Logged in and read the user flag.
During enumeration we found that the message of the day can be read and written by anyone. So, added a Python reverse shell to the file “/etc/update.motd.d/00-header”.
Next, logged out of the machine and logged in again, and we got a root user reverse shell; read the root flag.
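The root shell above comes from one misconfiguration: on Debian and Ubuntu, pam_motd runs the scripts in /etc/update.motd.d as root at login, so a script there that a normal user can write to is a privilege-escalation path. The following audit check is an added example, not part of the original walkthrough; the function name `audit_motd_dir` and its parameters are assumptions made for illustration.

```python
import os
import stat
import sys

# Scripts in this directory are run as root by pam_motd at login (Debian/Ubuntu).
MOTD_DIR = "/etc/update.motd.d"


def audit_motd_dir(path=MOTD_DIR, trusted_uid=0):
    """Return (path, reason) pairs for entries a non-root user could alter.

    trusted_uid is a hypothetical parameter so the check can be exercised
    on a scratch directory; on a real host it stays 0 (root).
    """
    findings = []
    try:
        names = sorted(os.listdir(path))
    except FileNotFoundError:
        return findings  # no dynamic MOTD directory on this host

    # Audit the directory itself too: write access there allows adding scripts.
    for entry in [path] + [os.path.join(path, n) for n in names]:
        try:
            st = os.stat(entry)  # follows symlinks: the target is what runs
        except FileNotFoundError:
            continue  # dangling symlink, nothing to execute
        if st.st_uid != trusted_uid:
            findings.append((entry, "owner uid %d is not trusted" % st.st_uid))
        if st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((entry, "group-writable by gid %d" % st.st_gid))
    return findings


if __name__ == "__main__":
    results = audit_motd_dir()
    for entry, reason in results:
        print("%s: %s" % (entry, reason))
    sys.exit(1 if results else 0)
```

On a correctly configured host the script prints nothing and exits 0; the fix for a flagged entry is root ownership with mode 755.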