Let’s check for open ports and running services using nmap.
We have 4 ports open;
Exploring the allowed anonymous login via FTP doesn’t really give us much. The only other interesting ports are the two SMB ports.
Exploitation and Privilege Escalation
Searching around, we’ll see that Samba smbd 3.0.20 has a username map script command execution vulnerability. Let’s use that on Metasploit.
Let’s stabilize our connection by spawning a Python interactive shell.
Since we’re already a root user, finding both the user and root flags is just a matter of directly reading the files.
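On the defensive side, the Samba issue used above is only reachable when the non-default `username map script` option is set in smb.conf. The following added example (not part of the original write-up) audits a config for that option, following smb.conf parsing rules: parameter names ignore case and whitespace, `#` and `;` start comments, and a trailing backslash continues a line. The sample config and the script path in it are constructed.

```python
import re

# Constructed sample smb.conf (not taken from the target in this write-up).
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   ; legacy mapping helper
   User Name Map Script = /etc/samba/scripts/\\
mapusers.sh
   # username map script = /bin/false
[tmp]
   path = /tmp
   guest ok = yes
"""

def _norm(name):
    # Samba ignores case and all whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    """Yield lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf

def find_username_map_script(text):
    """Return [(section, value)] for every active 'username map script' setting."""
    hits, section = [], None
    for line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")
        if sep and _norm(name) == "usernamemapscript" and value.strip():
            hits.append((section, value.strip()))
    return hits

if __name__ == "__main__":
    for section, value in find_username_map_script(SAMPLE_CONF):
        print(f"[{section}] username map script = {value}  <- remove it or upgrade Samba")
```

A hit on a host still running Samba 3.0.20 means the option should be removed or Samba upgraded before the SMB ports are exposed again.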