CyberSecLabs-Shares
This is my second write-up and I will be discussing my experience with the machine “Shares” from CyberSecLabs. CyberSecLabs is a great platform for people who are starting out with penetration testing. Shares was a pretty easy Linux box: an open port allows us to mount an NFS share and grab the user's SSH key, crack it, and elevate our privileges with some GTFOBins.
Step 1: Enumeration
I like to slay ports with two different Nmap scans. My first scan uses default scripts (-sC) and version detection (-sV). The second scan takes quite a while and uses -A, which detects OS and services, -O, which does remote OS detection using TCP/IP fingerprinting, and -p-, which scans all 65535 ports. The second scan was super essential for this box because it picked up an important port that we will need later on.
First Scan:
nmap -sC -sV 172.31.1.19
Second Scan:
sudo nmap -O -A -p- 172.31.1.19
I like to start from the top down when testing the ports/services. I started with port 21, googled vsftpd 3.0.3 for exploits, and also tried anonymous login; no luck. Next, we have port 80: I opened Firefox and visited http://172.31.1.7. Cool, we have a functioning webpage. I ran DirBuster to see what directories were available and, no cigar. Port 111 had nothing interesting. Last but not least we have port 2049, hmmm… a Network File System. Let's try the showmount command.
sudo showmount -e 172.31.1.7
We get amir’s home directory listed; now let's mount this beast into our /mnt directory. You can mount this thing pretty much anywhere, but I stuck with the known directory.
sudo mount -t nfs 172.31.1.7:/home/amir /mnt
Now we are off to see the damn wizard… On my Kali box I went to my /mnt directory, did a good old ls -al and saw that I had mounted amir’s drive.
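The root cause on this box is the export itself: a home directory shared to every host with root squashing turned off. The following is an added example, not code from the original write-up, that audits /etc/exports-style lines for exactly that pattern. The export lines, the client address and the reason labels are constructed for the demo; a real run would feed the host's actual /etc/exports on stdin.

```shell
#!/bin/sh
# Added example, not part of the original write-up: a small audit of
# /etc/exports that flags the kind of NFS share this box exposed. The
# export lines below are constructed samples; the first one mirrors the
# weak setting (home directory, any host, no_root_squash), the others
# show tighter alternatives.

SAMPLE_EXPORTS='# constructed /etc/exports sample
/home/amir *(rw,sync,no_root_squash)
/srv/share 10.0.0.0/24(ro,sync,root_squash)
/export/pub *(ro,sync,root_squash)
'

# audit_exports reads export lines on stdin and prints one line per risky
# export: "<path> <client> <reason...>". Runs in a subshell with globbing
# off so the "*" client spec is never expanded against the filesystem.
audit_exports() (
    set -f
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        path=${line%% *}
        rest=${line#* }
        for spec in $rest; do
            client=${spec%%\(*}
            opts=${spec#*\(}
            opts=${opts%\)}
            reason=''
            # no client restriction at all: anyone who can reach 2049 can mount
            case "$client" in ''|'*') reason="${reason}any-host " ;; esac
            # remote root keeps uid 0 on the share
            case ",$opts," in *,no_root_squash,*) reason="${reason}no_root_squash " ;; esac
            # writable home directory: .ssh contents are reachable and editable
            case ",$opts," in *,rw,*)
                case "$path" in /home/*) reason="${reason}rw-home " ;; esac ;;
            esac
            if [ -n "$reason" ]; then
                printf '%s %s %s\n' "$path" "$client" "${reason% }"
            fi
        done
    done
)

# Hardened counterpart of the weak line, for comparison (constructed):
#   /home/amir 10.0.0.5(rw,sync,root_squash)

printf '%s' "$SAMPLE_EXPORTS" | audit_exports
```

Running it prints a finding for the amir export and for the anonymous read-only share, and nothing for the subnet-restricted one. Pipe `cat /etc/exports | audit_exports` on a real host; the simplification is one space-separated client spec per word, which matches the common single-line layout.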
I don't know about you guys, but that .ssh directory looked tasty! I did a cat on the id_rsa file because that is the private key. I like to run John the Ripper on any private key I capture to see if I can find any credentials. First, we need to convert this key file into a format Johnny boy can read using ssh2john, and then crack it with a wordlist.
sudo ./ssh2john.py amirkey.txt > amirjohnssh.txt
sudo /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt amirjohnssh.txt
Now we need to ssh into Mr. Amir’s account with the original private key we grabbed and enter the password discovered. But first… change the permissions on the private key file with chmod 600. Oh, and remember that second Nmap scan I mentioned? Yeah, it's not using the default SSH port, which is usually 22; it's using 27853.
sudo chmod 600 amirkey.txt
sudo ssh -i amirkey.txt amir@172.31.1.7 -p 27853
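The reason the key cracked at all is that it was protected only by a wordlist-grade passphrase; a key with no passphrase would not even have needed John. As an added example (not code from the original write-up), here is a shell check that classifies the private keys in a home directory as passphrase-protected or not, so exposed keys can be found before anyone mounts the share. The key files it creates are constructed stand-ins with valid headers and placeholder bodies, and the file names under .ssh are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original write-up: check SSH private keys
# found in a (mounted) home directory for a passphrase. An unprotected key
# is usable as-is; a protected one still needs the passphrase, which is
# what the wordlist run above had to recover. The key files are built
# here as constructed stand-ins with valid headers but placeholder bodies.

# key_protection FILE prints "encrypted", "unencrypted" or "unknown".
key_protection() {
    f=$1
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        # openssh-key-v1: magic string, then ciphername and kdfname as
        # length-prefixed strings. "none"/"none" means no passphrase.
        hdr=$(sed '/^-----/d' "$f" | base64 -d 2>/dev/null | head -c 40 | tr -cd '[:alnum:]-')
        case "$hdr" in
            openssh-key-v1nonenone*) echo unencrypted ;;
            openssh-key-v1*)         echo encrypted ;;
            *)                       echo unknown ;;
        esac
    elif grep -q 'BEGIN .*PRIVATE KEY' "$f"; then
        # legacy PEM (the format ssh2john targets): encrypted keys carry a
        # "Proc-Type: 4,ENCRYPTED" header, unencrypted ones do not
        if grep -q 'Proc-Type: 4,ENCRYPTED' "$f"; then
            echo encrypted
        else
            echo unencrypted
        fi
    else
        echo unknown
    fi
}

# find_unprotected_keys HOME lists private keys under HOME/.ssh lacking a passphrase.
find_unprotected_keys() {
    for f in "$1"/.ssh/*; do
        [ -f "$f" ] || continue
        if [ "$(key_protection "$f")" = unencrypted ]; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_home creates a throwaway home dir with three constructed keys
# (file names are assumptions) and prints its path.
make_sample_home() {
    home=$(mktemp -d)
    mkdir "$home/.ssh"
    # openssh-key-v1 header with cipher "none", kdf "none": no passphrase
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\0\0\0\0\4none\0\0\0\4none\0\0\0\0\0\0\0\1' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$home/.ssh/id_ed25519_plain"
    # openssh-key-v1 header with cipher "aes256-ctr", kdf "bcrypt": passphrase set
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\0\0\0\0\12aes256-ctr\0\0\0\6bcrypt' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$home/.ssh/id_ed25519_pass"
    # legacy PEM with an encryption header and a placeholder body
    { echo '-----BEGIN RSA PRIVATE KEY-----'
      echo 'Proc-Type: 4,ENCRYPTED'
      echo 'DEK-Info: AES-128-CBC,00000000000000000000000000000000'
      echo ''
      echo 'PLACEHOLDERBODY'
      echo '-----END RSA PRIVATE KEY-----'; } > "$home/.ssh/id_rsa"
    echo "$home"
}

find_unprotected_keys "$(make_sample_home)"
```

Point it at a real directory with `find_unprotected_keys /mnt` after mounting a share the way the write-up does, or at each entry of /home on the server itself. Keys it lists need a passphrase added (or, better, re-issuing), and the export that made them readable needs the fix from the previous example.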
Landing in Amir’s account had me fire off sudo -l, which allows us to see what this young man can run as root or another user. Now will ya look at that… it looks like we have an Amy in the building, and we can run commands as her. I started off with /usr/bin/python3 and googled the GTFOBins entry for it.
sudo -u amy /usr/bin/python3
A Python shell opens up and I entered the following GTFOBins command I found for python:
import os; os.system("/bin/sh")
This breaks us out into a shell as Amy. From here I do another sudo -l and we can see that we can run ssh as root… Yes, that means another GTFOBins entry, but this time for ssh.
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
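Both escalations came from sudoers rules that hand a user an interpreter or a network client capable of spawning a shell, which is the pattern GTFOBins catalogues. As an added example, not code from the original write-up, the script below scans sudoers-style rule lines and flags any whose program is on a list of such binaries. The rule lines are constructed samples modelled on what sudo -l showed on this box, and the binary list is a short stand-in; a real audit would use the full GTFOBins sudo list.

```shell
#!/bin/sh
# Added example, not from the original write-up: scan sudoers-style rules for
# programs known to hand out an interactive shell (the GTFOBins pattern the
# box relied on, via python3 and then ssh). Rule lines are constructed
# samples; the binary list is a short stand-in for the full GTFOBins list.

SHELL_ESCAPE_BINS='python python3 ssh vim less'

SAMPLE_SUDOERS='# constructed sudoers sample
amir ALL=(amy) NOPASSWD: /usr/bin/python3
amy ALL=(root) NOPASSWD: /usr/bin/ssh
backup ALL=(root) /usr/local/bin/backup.sh
'

# audit_sudoers reads "user host=(runas) [NOPASSWD:] command" lines on
# stdin and prints "<user> <runas> <program> nopasswd=<yes|no>" for each
# rule whose program is on the escape list. Simplification: one command
# per rule, no aliases, and no tags other than NOPASSWD.
audit_sudoers() (
    set -f
    while IFS= read -r line; do
        case "$line" in ''|\#*|Defaults*) continue ;; esac
        user=${line%% *}
        spec=${line#*=}              # e.g. "(amy) NOPASSWD: /usr/bin/python3"
        runas=${spec%%\)*}
        runas=${runas#\(}
        cmd=${spec#*\)}
        cmd=${cmd# }
        nopasswd=no
        case "$cmd" in
            NOPASSWD:*) nopasswd=yes; cmd=${cmd#NOPASSWD:}; cmd=${cmd# } ;;
        esac
        prog=${cmd%% *}              # program path, arguments dropped
        base=${prog##*/}
        for b in $SHELL_ESCAPE_BINS; do
            if [ "$b" = "$base" ]; then
                printf '%s %s %s nopasswd=%s\n' "$user" "$runas" "$prog" "$nopasswd"
            fi
        done
    done
)

printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers
```

On the sample it reports the amir-to-amy python3 rule and the amy-to-root ssh rule and stays quiet about the custom backup script. The fix for a flagged rule is to grant a specific wrapper script or a fixed argument list instead of the bare interpreter or client, or to drop the rule; feeding `sudo -l` output or the real /etc/sudoers into the function (after stripping aliases) gives the same report on a live host.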