Squashed
https://app.hackthebox.com/machines/514
Difficulty: EASY
Recon
Nmap
Web Page
I start with port 80; nothing much of interest there. You can try feroxbuster, gobuster, dirsearch or whatever directory brute-forcing tool you like.
NFS TCP - 2049
Next I look at port 2049 using the following:
This lists the folders the server is sharing. If you are not familiar with NFS, think of it as the SMB of the Linux world. The NFS protocol itself has no mechanism for authentication or authorization; access is decided only by the uid/gid the client presents. So we can try to look inside these folders without any credentials.
You can use a program called nfsshell to enumerate more quickly.
Download it and run make to compile the program. You can play with it, but I will do things manually to explain better what I am doing ; ). The juicy folder here for gaining access to the machine is /var/www/html. /home/ross is juicy too, but we are not going to use it yet.
OK, here we find that we do not have permission to enter the remote folder. Why does this happen? If we look at the permissions, the folder belongs to the www-data group, so I need a local user with the same group (uid=33) to get in and see what is there. Follow the next steps.
Create a user, assign it the group and get a shell as that user
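The uid=33 trick only works because the server trusts whatever uid the client presents unless the export squashes it. As an added defender-side example (not part of this writeup), the script below parses exports(5)-style lines and flags the options that allow that, showing a permissive export next to a tightened one; the exports text is constructed for illustration, and the option names are the standard Linux NFS ones.

```python
"""Audit NFS export entries for settings that let a client pick its own uid/gid."""
import re

# Constructed sample exports file: two permissive entries and one tightened one.
SAMPLE_EXPORTS = """
# weak: any host, root not squashed, client uids honoured verbatim
/var/www/html  *(rw,sync,no_root_squash,no_subtree_check)
/home/ross     *(rw,sync)
# tightened: named client network, every uid mapped to an unprivileged account
/srv/share     10.0.0.0/24(ro,sync,root_squash,all_squash,anonuid=65534,anongid=65534)
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(.*)$")          # "<path> <client-list>"
CLIENT_RE = re.compile(r"([^\s(]+)(?:\((.*?)\))?")  # "<client>(opt,opt)" or bare "<client>"

def parse_exports(text):
    """Return (path, client, [options]) tuples from exports(5)-style text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path, rest = m.groups()
        for client, opts in CLIENT_RE.findall(rest):
            entries.append((path, client, [o.strip() for o in opts.split(",") if o.strip()]))
    return entries

def audit_export(path, client, options):
    """Return a list of findings for one export entry; an empty list means no concerns."""
    findings = []
    opts = set(options)
    if client in ("*", "0.0.0.0/0"):
        findings.append("exported to every host (no client restriction)")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: a remote root keeps uid 0 on the share")
    if "all_squash" not in opts:
        findings.append("all_squash missing: client-chosen uids (e.g. 33/www-data) are honoured")
    if "rw" in opts:
        findings.append("writable: files created by clients land directly in the exported tree")
    return findings

def audit(text):
    """Audit every entry in an exports file; returns [(path, client, findings), ...]."""
    return [(p, c, audit_export(p, c, o)) for p, c, o in parse_exports(text)]

if __name__ == "__main__":
    for path, client, findings in audit(SAMPLE_EXPORTS):
        print(("WEAK" if findings else "OK  "), path, "->", client)
        for f in findings:
            print("      -", f)
```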
Exploitation
So now we can get into the /var/www/html folder remotely. Let's create a file with malicious code and see if we can get a shell.
Let's check whether it shows up on the web.
Great! Now we upload a webshell to get access. Start a netcat listener to catch the shell.
Now trigger the reverse shell with the following command:
We have gained access to the system as user alex.
Privesc
Remember that we have the /home/ross folder too. Let's enumerate what is inside. I will use nfsshell this time for variety.
Here I find an interesting file called .Xauthority.
What is .Xauthority?
The .Xauthority file can be found in each user's home directory. It stores the credentials (cookies) that xauth uses to authenticate against the X server. When an X server instance (Xorg) is started, the cookie is used to authenticate connections to that specific display.
Knowing that, you can research more about it on HackTricks:
To exploit it, I first run the command "w" to see which sessions are active. The user ross has an active session, and we have his .Xauthority cookie, so we can interact with his display. Upload the .Xauthority file to the machine and pass its path to xdpyinfo through an environment variable.
We can do the same using xwininfo:
Now we run the following command to take a screenshot of ross's display.
Next, start a Python web server on the machine and pull the screenshot across. Use the convert command to convert the image from xwd to png.
Use these credentials to authenticate over SSH and get root access.
Rooted !! : }