Outdated

nmap

mkdir nmap
sudo rustscan -a 172.31.1.22 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

Enumeration

FTP on port 21 and NFS on port 2049 are open.

Let's see if there's anything we can mount on NFS

As you can see, we are allowed to mount /var/nfsbackups

Let's mount that endpoint

After mounting, we see three folders, but they appear to be empty.

Exploitation

If we go back to the nmap scan, you will notice that the FTP server is running ProFTPD 1.3.5. A quick search with searchsploit shows that it has a file copy vulnerability.

This means we can chain the exploit with the NFS share we have mounted. We can access almost anything we want by copying the file to the mount point. First, let's connect to the FTP server using nc. I'll copy /etc/passwd to the mount point, since we can read files from there.

Looks like we have successfully copied the passwd file, and now we can access it.

Also, we can see daniel is the non-root user. We can copy daniel's ssh key to the mounting point. And if there's any private key, we can use it to log in via SSH.

Let's try to use daniel's private SSH key to log in.

We have successfully logged in as daniel. Sweet :D
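
From the defender's side, the chain above needs two settings to line up: an NFS export that any host can mount, and ProFTPD's file copy module (mod_copy) being enabled. The following audit sketch is an added example, not part of the original writeup; the sample configuration text is constructed and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not taken from the target in this writeup).
SAMPLE_EXPORTS = """\
# /etc/exports
/var/nfsbackups *(rw,sync,no_subtree_check)
/srv/projects 10.0.0.0/24(ro,sync,root_squash) backup01(rw,no_root_squash)
"""
SAMPLE_PROFTPD = """\
# modules.conf
LoadModule mod_tls.c
LoadModule mod_copy.c
#LoadModule mod_sftp.c
"""

def audit_exports(text):
    """Return (path, client, issue) tuples for risky NFS export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        # A path with no client list is exported to every host.
        for entry in clients or ["*"]:
            m = re.fullmatch(r"([^()]*)(?:\(([^)]*)\))?", entry)
            if not m:
                continue  # malformed entry, skip rather than guess
            host = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            if host == "*":
                findings.append((path, host, "exported to any host"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash set"))
    return findings

def mod_copy_loaded(text):
    """True if an uncommented LoadModule line enables mod_copy."""
    return any(re.match(r"\s*LoadModule\s+mod_copy\.c\b", line, re.I)
               for line in text.splitlines())

def chain_exposed(exports_text, proftpd_text):
    """Both halves present: world-mountable export plus mod_copy."""
    world = [f for f in audit_exports(exports_text) if f[2] == "exported to any host"]
    return bool(world) and mod_copy_loaded(proftpd_text)

if __name__ == "__main__":
    print(audit_exports(SAMPLE_EXPORTS))
    print("chain exposed:", chain_exposed(SAMPLE_EXPORTS, SAMPLE_PROFTPD))
```

The module check only sees `LoadModule` lines; a ProFTPD build with mod_copy compiled in statically will not be caught by it.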

Post Exploitation

First, let's transfer linpeas.sh

You can find the machine IP address by executing the following.

Then transfer the script using wget

And now we can run linpeas.sh

Right off the bat, you will notice the kernel version is 3.13.0-32-generic

I found out this kernel version is vulnerable and can lead us to privilege escalation. And we can compile the exploit since gcc is installed on the target machine.

Privilege Escalation

First, mirror the exploit to our local machine and transfer it to the target machine.

Compile the exploit, and enjoy your root privileges :D
