Overview

The machine starts by discovering WingFTP portal that's vulnerable to improper neutralization of null bytes in the username parameter of the login interface that leads to lua RCE With foothold at the system we can get our hands on another user's hash and by cracking it we get in Finding that we can run binary as sudo, this binary is vulnerable to Zip Slip attack that leads to EoP to root

Enumeration

as usual start with nmap scanning

jimmex@attacker ➜ nmap -sC -sV -vv -oA results 10.129.17.81
...