Shares is a relatively easy machine, it has an NFS file share which gives us access to an RSA key. Using it we can gain the initial foothold on the box. The privilege escalation is achieved using the Sudo privileges of the users.
The IP address of the box is 172.31.1.7. First, connect to the VPN and ping the box to check the connectivity.
Scanning and Enumeration:
Nmap scan report for 172.31.1.7
Host is up (0.24s latency).
Not shown: 51733 closed ports, 13793 filtered ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
27853/tcp open unknown
34205/tcp open unknown
50455/tcp open unknown
50461/tcp open unknown
60969/tcp open unknown
# Nmap scanned in 205.62 seconds
The initial scan shows a handful of open ports: FTP, which requires a password to log in; a web server on port 80 (nothing interesting); rpcbind on port 111; and an NFS file share on port 2049.
Nmap scan report for 172.31.1.7
Host is up (0.35s latency).
PORT STATE SERVICE VERSION
27853/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 2048 97:93:e4:7f:41:79:9c:bd:3d:d8:90:c3:93:d5:53:9f (RSA)
| 256 11:66:e9:84:32:85:7b:c7:88:f3:19:97:74:1e:6c:29 (ECDSA)
|_ 256 cc:66:1e:1a:91:31:56:56:7c:e5:d3:46:5d:68:2a:b7 (ED25519)
34205/tcp open nlockmgr 1-4 (RPC #100021)
50455/tcp open mountd 1-3 (RPC #100005)
50461/tcp open mountd 1-3 (RPC #100005)
60969/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# Nmap scanned in 24.36 seconds
Enumerating the service versions further, we can see that SSH is open on port 27843, which is very interesting.
— — — — — — — — — — — — —
First, have a look at the NFS file shares. We can see that the home directory of amir is exported to any IP address.
Mounting the share, we find an RSA key in the .ssh folder. Let's copy it to our working directory and try logging in.
Run "chmod 700 id_rsa" to give the key the restrictive file permissions SSH requires.
On logging in via SSH we can see that the key requires a passphrase. Let's try cracking the RSA key with john.
After converting the key into a hash using ssh2john, we crack it using the wordlist rockyou.txt.
As we can see, the cracked passphrase is "hello6". Let's try to SSH into the machine.
Voila!! We are in.
Looking at the sudo privileges, we find that we can run python3 as the user amy without a password. The first thing we do when we find binaries runnable with sudo is check GTFOBins.
Looking up python3, we find a sudo option:
sudo python -c 'import os; os.system("/bin/sh")'
This python command will spawn a /bin/sh shell for us. We can tweak it just a bit by substituting /bin/bash, and it will spawn a bash shell instead. We're ready to go now: run the command and specify the user as amy.
And BAM! we spawn a shell as amy.
— — — — — — — — — — — — — —
Similarly, with the Sudo privileges of amy, we see that she can run ssh as the root user.
Going back to GTFOBins, there's a sudo option for ssh:
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
Running this command spawns a shell as the root user. Just like before, let's tweak it by using bash in place of sh, and we get a nice root@shares prompt.
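Both footholds on this box come from configuration an administrator could have caught: an NFS export open to every client, and NOPASSWD sudo rules on binaries that can hand the caller a shell. The following audit script is an added example, not part of the original write-up; it parses constructed /etc/exports and "sudo -l" style lines modelled on what the box shows, and the SHELL_CAPABLE list is an illustrative assumption, not an exhaustive one.

```python
import re

# Constructed sample of /etc/exports, modelled on the share found on the box:
# amir's home directory exported to every client with root squashing disabled.
SAMPLE_EXPORTS = """\
/home/amir *(rw,sync,no_root_squash)
/srv/public 10.0.0.0/24(ro,sync)
"""

# Constructed sample of `sudo -l` rule lines, modelled on the two rules in the write-up.
SAMPLE_SUDO_RULES = """\
(amy) NOPASSWD: /usr/bin/python3
(root) NOPASSWD: /usr/bin/ssh
(root) /usr/bin/apt
"""

# Binaries that can spawn an interactive shell when run via sudo (illustrative, not exhaustive).
SHELL_CAPABLE = {"python", "python3", "ssh", "perl", "vim", "bash", "sh"}

def audit_exports(text):
    """Return (path, client, reason) for exports open to any host or lacking root squashing."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:                    # each spec looks like client(opt,opt,...)
            m = re.match(r"([^(]+)(?:\((.*)\))?$", spec)
            client, opts = m.group(1), (m.group(2) or "").split(",")
            if client == "*":
                findings.append((path, client, "exported to every host"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash maps remote root to local root"))
    return findings

def audit_sudo_rules(text):
    """Return (run_as, binary, reason) for NOPASSWD rules on shell-capable binaries."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\((\S+)\)\s+(NOPASSWD:\s*)?(\S+)", line.strip())
        if not m:
            continue                            # skip header lines such as "User amir may run ..."
        run_as, nopasswd, binary = m.groups()
        if nopasswd and binary.rsplit("/", 1)[-1] in SHELL_CAPABLE:
            findings.append((run_as, binary, "passwordless sudo on a shell-capable binary"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS) + audit_sudo_rules(SAMPLE_SUDO_RULES):
        print(*finding, sep="  ")
```

On a real host, feed it the contents of /etc/exports and the output of "sudo -l" for each account; the two findings it raises here are exactly the misconfigurations this walkthrough chained.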