Squashed
Personal Rating: hard
The privilege escalation was something I had not considered before, so I had to take a peek at the writeup to get a hint on what to do.
Enumeration:
sudo nmap -p- -sV <IP>
22      OpenSSH 8.2p1 4ubuntu0.5
80      Apache 2.4.41
111     rpcbind 2-4
2049    nfs_acl 3

NFS Share UID Abuse
I got access to an NFS share:
sudo nmap --script="*nfs* and not brute" <IP>
showmount -e <IP>
sudo mount -t nfs <IP>:/home/ross /mnt/ross   # the mount point is my choice; the original did not name one
There was a KeePass database file in ~/Documents of ross' home, but I could not crack it.
NFS with its default AUTH_SYS security flavour does not verify user IDs: the server simply trusts the UID the client presents. So you can list the UID that owns the web root, create a user with the same UID on your local system and place a reverse shell there.
ls -ld /mnt/webroot   # shows UID 2017
# Create a user with that UID and switch to it
# Place a PHP shell in the webroot folder
This got me a shell as the user alex.
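The mitigation side of the UID problem described above, as an added example that is not part of this writeup: a small Python checker for /etc/exports that flags exports which honour client-chosen UIDs (no all_squash and no sec=krb5*), use no_root_squash, or expose home or web directories to any host. The sample export lines are constructed and are not the box's real configuration.

```python
import re

# Constructed sample /etc/exports; NOT the box's real configuration.
SAMPLE_EXPORTS = """\
/home/ross      *(rw,sync,no_subtree_check)
/var/www/html   *(rw,sync,no_subtree_check,no_root_squash)
/srv/share      10.10.14.0/24(ro,sync,all_squash,anonuid=65534,anongid=65534)
/srv/krb        10.10.14.5(rw,sync,sec=krb5p,no_subtree_check)
"""
SENSITIVE = ("/home", "/root", "/var/www")  # directories whose owners are worth impersonating

def parse_exports(text):
    """Return [(path, [(client, {option, ...}), ...]), ...]."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"  # "(rw)" with no host means every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            clients.append((client, opts))
        exports.append((path, clients))
    return exports

def audit_exports(text):
    """Flag exports that let a client choose the UID its file operations
    run as (plain AUTH_SYS trust, the weakness abused above)."""
    findings = []
    for path, clients in parse_exports(text):
        sensitive = any(path == p or path.startswith(p + "/") for p in SENSITIVE)
        for client, opts in clients:
            kerberos = any(o.startswith("sec=krb5") for o in opts)  # user authenticated, UID not trusted
            writable = "rw" in opts
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash: client root is server root"))
            if writable and "all_squash" not in opts and not kerberos:
                findings.append((path, client, "rw without all_squash or sec=krb5*: client-chosen UID trusted"))
            if writable and client == "*":
                findings.append((path, client, "writable by any host"))
            if sensitive and not kerberos:
                findings.append((path, client, "home or web directory exported without Kerberos"))
    return findings

if __name__ == "__main__":
    for path, client, why in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{client}]: {why}")
```

Run it against a real /etc/exports by reading the file into audit_exports; the two squashed or Kerberos-protected sample lines produce no findings.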
LinPEAS showed me CVE-2021-3560, but I could not make an exploit work.
In ross' home there was the .Xauthority file, which stores the authentication cookie for ross' X display session. Exploiting or even finding this was new to me up until I did this box.
X Session Hijack
You could impersonate the user ross over the NFS share the same way as you did with the web user alex. Then you could copy the cookie file with this command:
cat .Xauthority | base64 > /tmp/authfile
Then you could go onto the box as alex again and hijack the session with this command:
cat /tmp/authfile | base64 -d > /home/alex/.Xauthority && export XAUTHORITY=/home/alex/.Xauthority
With "w" you could then see ross' X session, which you now have access to. You can create a screenshot then:
xwd -root -screen -silent -display :0 > /tmp/screen.xwd
You could then start a Python HTTP server in /tmp, copy the file over to your host and have a look at it. Then you could see that the user had KeePass open, showing the root password.