This was a straightforward box that is a great beginner challenge. We skip the privilege escalation by using an exploit that gives us a root shell (because the command was run by root).
The classic nmap -sT -sV -A -v <ip> shows us the open ports: 21, 22, 139, 445. Upon inspection the FTP server is vulnerable to an RCE, but has been patched by the server.
Getting User & Root:
Getting the server's OS version tells us it's running "Samba 3.0.20-debian", which is vulnerable to a code execution attack. Use either Metasploit's exploit or a custom one [Custom exploit], to get a reverse shell. The shell given is root, meaning we get both user flag (/home/makis/user.txt) and root flag (/root/root.txt) all in one shot!
Last edit: 2021.08.24