/usr/bin/envis SUID. Using a privesc payload on GTFOBins, we get a root shell easily.
anonymousand empty password. Download all files:
clean.shis world-writable on the FTP server. The idea is to create a malicious
clean.shfile containing a Bash reverse shell payload and upload it to the FTP server:
removed_files.log, we deduce that there exists a cronjob on the victim machine that executes
clean.shautomatically in every time interval. All we need to do here is start a pwncat listener and wait for a reverse shell connection. At a while, we have a user shell as "namelessone":
envprivesc payloads on GTFOBins: