Vulnhub Nully Cybersecurity: 1 -- First Flag Only

First, let me start off by saying that this only takes you through the first flag, because the next flag takes you off the CTF box and onto the Internet.  Call me a prude, but I'm not attacking a public-facing IP address.  I wish they had done this with Docker or some other container technology, because it could have been self-contained.

That being said, the first part was a lot of fun.  I'll take you through to the pivot and then you can decide whether or not to move forward.

First, per the instructions on Vulnhub, we create the wordlist:


We kick off with Nmap:


We visit the open web port:



We login to the mail server:



We add the username "bob" to the users.txt file and brute-force the login with rockyou:



After a bit:



We get the password:  bobby1985

We ssh into the box:



Checking sudo -l:



We see that we have the ability to run check.sh as the user my2user.

We view the script:



Removing all of the echo statements to boil it down:



We edit the file in our home directory, adding a whoami:



We copy the file back to its original location and execute it as my2user.  That does what we expect, so we modify the script, swapping whoami for FTP:



The script executes, we're in an FTP session as my2user, and we shell out to a command line:



We run sudo -l:



We can run zip as root with no password.  Using GTFOBins, we find the syntax to elevate:
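Both sudo -l results above (a script the caller can replace, run as my2user, and zip runnable as root without a password) are exactly the kind of rule a sudoers review should catch. What follows is an added example, not part of the original post: a small parser for sudo -l output that flags such rules. The hostname, the script path, the writable_paths set and the short GTFOBins-style binary list are constructed assumptions, not values from the box.

```python
import os
import re
from dataclasses import dataclass

# Binaries that GTFOBins documents as able to spawn a shell or write files
# under sudo. Deliberately short; zip is the one this box relies on.
SHELL_ESCAPE_BINARIES = {"zip", "vim", "less", "find", "awk", "ftp", "bash", "sh"}

# One `sudo -l` rule line: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)

@dataclass
class Finding:
    runas: str
    command: str
    reason: str

def audit_sudo_l(output, writable_paths=frozenset(), check_fs=False):
    """Flag sudo -l rules that let the caller escalate. writable_paths: paths known
    to be caller-writable (offline review); check_fs=True also asks os.access()."""
    findings = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header line or unrelated text
        runas, cmd, args = m.group("runas").strip(), m.group("cmd"), m.group("args")
        if cmd == "ALL":
            findings.append(Finding(runas, cmd, "unrestricted command set"))
            continue
        name = os.path.basename(cmd)
        if name in SHELL_ESCAPE_BINARIES:
            how = "without" if "NOPASSWD:" in m.group("tags") else "with"
            findings.append(Finding(runas, cmd, f"{name} can spawn a shell ({how} password)"))
        if cmd in writable_paths or (check_fs and os.access(cmd, os.W_OK)):
            findings.append(Finding(runas, cmd, "target is writable by the caller"))
        if "*" in args:
            findings.append(Finding(runas, cmd, "wildcard in allowed arguments"))
    return findings

# Constructed sample modelled on the two sudo -l results in the post; the
# hostname and the script path are placeholders, not values from the box.
SAMPLE = """\
User bob may run the following commands on ctfhost:
    (my2user) /opt/scripts/check.sh
    (root) NOPASSWD: /usr/bin/zip
"""
```

Calling audit_sudo_l(SAMPLE, writable_paths={"/opt/scripts/check.sh"}) returns two findings: the replaceable script run as my2user and zip runnable as root without a password.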



And.... we're root.  Getting the root flag:



When running netstat, we see that we're connecting to the address:  91.189.88.142



Using Bob's credentials, we set up a port forward in the background that takes our local port 8888, pivots through our victim over SSH, and connects to port 80 on our second target:



On our attacking machine, when we view port 8888 on localhost, we see the following:



And that's where I leave it.  Your choice, but for me it seems like a grey area that I don't need to venture into.  Definitely a fun box though -- wish it were self-contained for the entire puzzle.