Look for writable scripts in /etc/crontab that are executed by root.
The core "trick" of this machine involves how the system handles this specific zip file.
Scanning the web server (Port 80) usually reveals a directory like /backups/ where this same zip file might be hosted or referenced. 2. Exploiting FUNHXX17.zip FUNHXX17.zip
Most write-ups note that FTP allows Anonymous login . Inside the FTP directory, you will find FUNHXX17.zip among other files.
Depending on the version of the VM you are running, it may be vulnerable to recent Linux kernel exploits. Look for writable scripts in /etc/crontab that are
Create a symlink to a sensitive file (like /root/root.txt or /etc/shadow ) or a directory. Compress the symlink using the --symlinks flag in zip . Upload it back to the server.
Because the unzipping process often runs with high privileges (or as a user with write access to the webroot), you can create a malicious zip file containing a symbolic link . Depending on the version of the VM you
If you used a symlink, you can now read the linked file through the web server.
(888) 520-8291
