Hi everyone
Today we are going to look for a Box called Banzai which is rated as Intermediate in terms of difficulty. This machine has various phases: Recon, Enumeration, Exploitation and Privilege Escalation.
Box Type: Linux
Recon & Enumeration
Enumeration plays a very significant role in pen testing. The more properly you enumerate the more it will be easy to get a foothold on the target.
First, we will check whether target is reachable or not with ping command:
ping Target_IP
With ping command output we found that the target is reachable.
Now let’s move ahead and run the port scan for which we will be using Nmap a popular tool for port scanning and it will provide details of the various ports which are in Open state. The command for that will be:
nmap -sC -sV -O -oA nmap/initial 192.168.136.56
nmap -sC -sV -O -p- -oA nmap/full 192.168.136.56 -T4
Now let’s also execute the full scan and UDP Scan:
I discovered these ports are open:
- 21/tcp – FTP Service running VSFTPD 3.0.3
- 22/tcp – SSH Service running OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
- 25/tcp – SMTP Service running Postfix smtpd
- 5432/tcp – PostgreSQL Service running PostgreSQL DB 9.6.4 – 9.6.6 / 9.6.13 – 9.6.19
- 8080/tcp – HTTP Service running Apache httpd 2.4.25
- 8295/tcp – HTTP Service running Apache httpd 2.4.25 (Debian)
- OS: Linux (Debian)
Let’s move ahead and check the anonymous ftp running:
Exploitation
Used a php reverse shell from this link
Privilege Escalation
I cam across one good article about Privilege Escalation with MySQL User Defined Functions: link
Key Takeaways
- Enumerate exposed services — FTP, SMTP, DB, and web may reveal entry points.
- Try weak credentials — default logins can provide quick access.
- Upload a webshell via FTP — gain initial foothold on the server.
- Check web configs — may expose database credentials.
- Abuse database features — execute system commands from DB access.
- Use UDF for privilege escalation — load malicious library to get root.
If you enjoyed this post, share it with your friends and colleagues!