172.31.1.7
CyberSec Labs Shares Walkthrough.
As the name itself suggest, it has an nfs share open
Looks like /home/amir can be mounted to our machine
Using mount –t nfs 172.31.1.7:/home/amir /tmp/shares/ we mount the amir share to our machine’s /tmp/shares/ folder
Going to shares folder we find .ssh folder and id_rsa.bak file for user amir
Great so we can use ssh2john and then john to crack the passphrase for this id_rsa.bak
But in normal nmap scan we couldn’t find ssh port, maybe because it was running on higher port.
We can use nmap automator to scan all higher ports quickly
So ssh is running on port 27853 (sweet!)
ssh –I id_rsa –p 27853 amir@172.31.1.7 and we get a shell
Priv Esc
Running sudo –l we get user amy can run python3 as root so
Sudo –u amy /usr/bin/python3 –c “import pty;pty.spawn(‘/bin/bash’)”
And we are logged in as user amy
Again as user amy running sudo –l we come to know user amy can run ssh as root
Easy, ssh gtfobins as sudo and ur root 😛
Sudo /usr/bin/ssh –o ProxyCommans=’;bash 0<&2 1>&2’ x
Flags
Author
Sentinal920
Leave a Reply