Context

Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.

Starting hypothesis

This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary.

Method / Used Tools

Nmap - Port enumeration

The first step of the enumeration phase was to identify the exposed services on the target machine using Nmap. A service/version scan was performed with the -sV option in order to detect both open ports and the versions of the services running behind them.

nmap-sV10.114.172.165

During the scan, two warnings appeared indicating that the system could not read /etc/resolv.conf. This prevented reverse DNS resolution, but it did not impact the port scanning itself. The scan successfully identified the host as online with very low latency.

Out of the 1000 most common TCP ports scanned, 993 were closed, leaving a small number of exposed services that could potentially represent an attack surface.

The scan revealed several important open ports:

• 21/tcp — FTP service running ProFTPD 1.3.5
• 22/tcp — SSH service running OpenSSH 8.2p1
• 80/tcp — Web server using Apache 2.4.41
• 111/tcp — RPCBind service (RPC program mapping)
• 139/tcp and 445/tcp — Samba SMB file sharing services
• 2049/tcp — NFS (Network File System) access control service

This set of services indicates that the machine exposes multiple network services commonly found in Linux environments, including file sharing protocols and remote access services.

From an attacker’s perspective, several services immediately stand out as promising enumeration targets: