Funhxx17.zip

Look for writable scripts in /etc/crontab that are executed by root.

The core "trick" of this machine involves how the system handles this specific zip file. FUNHXX17.zip

Most write-ups note that FTP allows Anonymous login . Inside the FTP directory, you will find FUNHXX17.zip among other files. Look for writable scripts in /etc/crontab that are

Because the unzipping process often runs with high privileges (or as a user with write access to the webroot), you can create a malicious zip file containing a symbolic link . Inside the FTP directory, you will find FUNHXX17

After gaining a shell as a low-privileged user (often www-data or tom ): Check for binaries that can be run as root.

If the zip contained a , you simply navigate to the location where the script was extracted to trigger a connection back to your listener ( nc -lvnp 4444 ). 4. Privilege Escalation

Create a symlink to a sensitive file (like /root/root.txt or /etc/shadow ) or a directory. Compress the symlink using the --symlinks flag in zip . Upload it back to the server.