A. http://www.hackingarticles.in/hack-the-lin-security-vm-boot-to-root/ [login with the user/pwd provided at the vulnhub page to perform priv escalation, unable to get shell, rpcinfo, showmount, rpcbind, nfs ]
Nmap scan report for 192.168.117.5
Host is up (0.00051s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
2049/tcp open nfs_acl 3 (RPC #100227)
MAC Address: 08:00:27:D8:9F:D6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
00000000000000000000000000000000
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 17 21:48:59 2018 -- 1 IP address (1 host up) scanned in 7.99 seconds
Nmap scan report for 192.168.117.5
Host is up (0.00051s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
2049/tcp open nfs_acl 3 (RPC #100227)
34203/tcp open nlockmgr 1-4 (RPC #100021)
39865/tcp open mountd 1-3 (RPC #100005)
50125/tcp open mountd 1-3 (RPC #100005)
57253/tcp open mountd 1-3 (RPC #100005)
UDP open sunrpc[ 111] from 192.168.117.5 ttl 64
UDP open shilp[ 2049] from 192.168.117.5 ttl 64
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
00000000000000000000000000000000
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 17 21:48:59 2018 -- 1 IP address (1 host up) scanned in 7.99 seconds
00000000000000000000000000000000
root@kali:~/reports/192.168.117.5# showmount -e 192.168.117.5
Export list for 192.168.117.5:
/home/peter *
root@kali:~/reports/192.168.117.5#
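A defender-side check for the export list above (an added example, not part of the original notes): it reads text in the format printed by `showmount -e` and flags exports offered to any client, rating home directories higher. The function names, the `/srv/...` entries and the severity labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag NFS exports that are offered to every client.
# Input format: the text printed by `showmount -e <server>`.

# audit_exports: reads showmount -e output on stdin and prints one line per
# risky export as "<severity> <path> <clients>".
audit_exports() {
    awk '
        /^Export list for / { next }      # header line
        NF < 2 { next }                    # blank or malformed line
        {
            path = $1
            clients = $2                   # comma-separated client list
            wide = 0
            n = split(clients, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] == "*" || c[i] == "(everyone)" || c[i] == "0.0.0.0/0")
                    wide = 1
            if (!wide) next
            # With AUTH_SYS the server trusts the numeric uid/gid the client
            # sends, so a home directory open to any host is the worst case.
            sev = (path ~ /^\/home(\/|$)/ || path ~ /^\/root(\/|$)/) ? "HIGH" : "MEDIUM"
            print sev, path, clients
        }
    '
}

# Constructed sample: the export from these notes plus two invented entries.
sample_exports() {
    cat <<'EOF'
Export list for 192.168.117.5:
/home/peter *
/srv/backup 10.0.0.0/24,10.0.1.7
/srv/public *
EOF
}

sample_exports | audit_exports
```

On a real server the same function can be fed with `showmount -e <server> | audit_exports`; restricting the client list in the export removes the finding.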
00000000000000000000000000000000
root@kali:~# rpcinfo -p 192.168.117.5
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 42010 mountd
100005 1 tcp 57253 mountd
100005 2 udp 34061 mountd
100005 2 tcp 39865 mountd
100005 3 udp 34234 mountd
100005 3 tcp 50125 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049
100003 3 udp 2049 nfs
100227 3 udp 2049
100021 1 udp 37189 nlockmgr
100021 3 udp 37189 nlockmgr
100021 4 udp 37189 nlockmgr
100021 1 tcp 34203 nlockmgr
100021 3 tcp 34203 nlockmgr
100021 4 tcp 34203 nlockmgr
00000000000000000000000000000000
root@kali:~/reports/192.168.117.5# ls /mnt
root@kali:~/reports/192.168.117.5# mkdir /mnt/peter
root@kali:~/reports/192.168.117.5# mount 192.168.117.5:/home/peter /mnt/peter
root@kali:~/reports/192.168.117.5# ls /mnt/peter
root@kali:~/reports/192.168.117.5# ls -la /mnt/peter
total 32
drwxr-xr-x 5 1001 1005 4096 Jul 10 14:49 .
drwxr-xr-x 3 root root 4096 Jul 17 23:29 ..
-rw-r--r-- 1 1001 1005 220 Jul 9 14:53 .bash_logout
-rw-r--r-- 1 1001 1005 3771 Jul 9 14:53 .bashrc
drwx------ 2 1001 1005 4096 Jul 10 05:04 .cache
-rw-rw-r-- 1 1001 1005 0 Jul 10 05:04 .cloud-locale-test.skip
drwx------ 3 1001 1005 4096 Jul 10 05:04 .gnupg
drwxrwxr-x 3 1001 1005 4096 Jul 10 03:03 .local
-rw-r--r-- 1 1001 1005 807 Jul 9 14:53 .profile
00000000000000000000000000000000
Created a user called peter on Kali; the id was already 1001, changed the group to 1005 (or default). I was able to see the content of these dirs but no valuable information. Added .ssh/authorized_files root public keys but still couldn't log in from Kali using keys. Getting following. Unable to pass this step.
can login using walkthru A