
Sunday HTB Writeup

I scanned the target with nmap and then tried a few different things.

Enumeration

Rustscan is a very useful tool for scanning all ports. It is very fast and can scan all ports within 1 second. I will use it for the whole enumeration process.

I enumerated port 79 (finger) with finger-user-enum.pl; the script can be downloaded. The users sammy and sunny look like they may be able to log in over SSH.

Initial foothold

I tried an SSH brute force with Hydra, but it took a lot of time, so I decided to try the port number as the password.

When I ran the sudo -l command, I saw that I am allowed to run a file with sudo.

As far as I understand, when I run the file, the output shows that the file runs the id command.

By the way, there is another user besides root and sunny: the sammy user. I looked at bash_history, and the backup directory stood out.

I found two hashes under the backup directory.

Privilege Escalation

I tried to crack sammy's hash with the john command.

I logged in over SSH as sammy, and when I ran the sudo -l command, I saw that I can run the wget command with root permission.

I replaced the troll file using the wget command and then ran troll as the sunny user.

troll file

I started an HTTP server on my local machine to serve the troll file to the target machine.
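The chain above works only because two sudoers conditions hold at once: one user may run a file-writing binary (wget) as root, and the script another user runs as root sits in a file that can be replaced. As an added example (not from the writeup), a small sh audit that flags both conditions; the sudoers text and paths are constructed, not taken from the box.

```shell
#!/bin/sh
# Added audit helper, not part of the writeup. Flags the two sudoers conditions
# the Sunday chain needed: a user who may run a file-writing binary (wget) as
# root, and a root-run target file that another user can replace.

# Constructed sudoers sample; the paths are hypothetical, not taken from the box.
SAMPLE_SUDOERS='root    ALL=(ALL) ALL
# sunny may run one script as root
sunny   ALL=(root) NOPASSWD: /root/troll
sammy   ALL=(root) NOPASSWD: /usr/bin/wget
%wheel  ALL=(ALL) ALL'

# Binaries that can write arbitrary files when run as root (illustrative list).
FILE_WRITERS='wget curl tee cp dd'

# audit_sudoers: reads sudoers text on stdin and prints one line per user entry:
#   WRITER <user> <cmd>  cmd can overwrite any file as root, which is root access
#   TARGET <user> <cmd>  fixed command; check that nobody else can replace its file
audit_sudoers() {
    awk -v writers="$FILE_WRITERS" '
    BEGIN { n = split(writers, w, " "); for (i = 1; i <= n; i++) risky[w[i]] = 1 }
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    {
        cmd = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /=/) {                        # "ALL=(root)" host/runas field
                j = i + 1
                while (j <= NF && $j ~ /:$/) j++   # skip tags such as NOPASSWD:
                if (j <= NF) cmd = $j
                break
            }
        }
        if (cmd == "" || cmd == "ALL") next        # full grants are reviewed separately
        base = cmd; sub(/.*\//, "", base)
        if (base in risky) print "WRITER", $1, cmd
        else print "TARGET", $1, cmd
    }'
}
# target_mode: "open" if the file or its parent directory is group- or
# world-writable (anyone in that group can swap in their own script), else "ok".
target_mode() {
    for p in "$1" "$(dirname "$1")"; do
        case "$(ls -ld "$p" | cut -c1-10)" in
            ?????w*|????????w?) echo open; return 0 ;;
        esac
    done
    echo ok
}
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

Run the audit over the real /etc/sudoers (and /etc/sudoers.d) and then pass every TARGET path to target_mode; a WRITER line or an "open" target is the same misconfiguration this box was built on.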
