Nmap scan:
SMTP is open, which is rather suspicious. I connected via nc and tested some default credentials, and found that root:root worked.
Now that we are logged in, we can read some emails:
With this, we can SSH in as mindy.
When in the user's directory, we find a restricted shell where we cannot execute a lot:
I researched a bit on how to escape this shell, and found that appending -t "bash --noprofile" works:
We can run pspy32 on this machine to view processes:
I found that we have write access over this file, so we can just append a reverse shell to it:
After waiting for a bit, we would catch a reverse shell:
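The last step works because a file that another account's process executes was writable by the logged-in user. The audit below is an added example, not part of the original writeup. It assumes the script should be owned by root (uid 0), and the function names and the sample file are constructed for illustration.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bits for anyone other than the owner

def audit_privileged_script(path, expected_uid=0):
    """Return (code, target) findings for a script run by a privileged process."""
    findings = []
    path = os.path.realpath(path)  # resolve symlinks: the target is what executes
    st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append(("owner-mismatch", path))  # the owner can always rewrite it
    if st.st_mode & LOOSE:
        findings.append(("file-writable", path))  # other users can append to it
    parent = os.path.dirname(path)
    pst = os.stat(parent)
    # A writable parent lets other users replace the file outright, unless the
    # sticky bit restricts rename/delete to the file's or directory's owner.
    if pst.st_mode & LOOSE and not pst.st_mode & stat.S_ISVTX:
        findings.append(("dir-writable", parent))
    return findings

def audit_many(paths, expected_uid=0):
    """Audit several paths; only paths with findings appear in the result."""
    report = {}
    for p in paths:
        try:
            found = audit_privileged_script(p, expected_uid)
        except OSError as exc:
            found = [("unreadable", str(exc))]
        if found:
            report[p] = found
    return report

if __name__ == "__main__":
    # Constructed sample: a world-writable script in a private temp directory.
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "job.py")
    with open(script, "w") as fh:
        fh.write("print('scheduled job')\n")
    os.chmod(script, 0o777)
    for target, found in audit_many([script], os.getuid()).items():
        print(target, found)
```

Run it against every script path referenced by scheduled or root-owned jobs; any finding means a less privileged account can change what the job executes.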