some notes

Nmap Challenge 2

Looks like we are going to play with NFS shares today.

Target IP: 192.168.6.2
We know that flag is in /var/flag.txt.

Here is what we get from default nmap scan.

PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2049/tcp open  nfs

We have 3 nmap scripts for nfs:

Here is how I used the showmount script:
nmap -sV --script=nfs-showmount 192.168.6.2

The lines that we are interested in are:

| nfs-showmount:
|   /home/jack 192.168.6.1/24
|_  /var/nfs/private 192.168.6.178
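As an added defender-side check (this is not part of the original notes), here is a small Python script that parses nmap nfs-showmount output like the lines above and flags exports a reviewer should look at: home directories (where any client with write access can plant .ssh/authorized_keys) and exports granted to a whole network range instead of a single host. The three output lines above are embedded as a constructed sample, and the max_hosts threshold is an assumed parameter.

```python
import ipaddress
import re

# Constructed sample: the nfs-showmount lines from the nmap output above.
SAMPLE_OUTPUT = """\
| nfs-showmount:
|   /home/jack 192.168.6.1/24
|_  /var/nfs/private 192.168.6.178
"""

# Matches "|   /path client1 client2" and "|_  /path client" lines.
EXPORT_RE = re.compile(r"^\|_?\s+(?P<path>/\S+)\s+(?P<clients>.*)$")


def parse_showmount(text):
    """Return [(export_path, [client_spec, ...]), ...] from nfs-showmount output."""
    exports = []
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if m:
            exports.append((m.group("path"), m.group("clients").split()))
    return exports


def client_breadth(spec):
    """Number of hosts a client spec admits; a wildcard counts as unbounded."""
    if spec.startswith("*"):
        return float("inf")
    try:
        net = ipaddress.ip_network(spec, strict=False)  # 192.168.6.1/24 -> /24
    except ValueError:
        return 1  # hostname or netgroup: count it as a single entry
    return net.num_addresses


def audit_exports(text, max_hosts=1):
    """Flag exports of home directories and exports open to more than max_hosts."""
    findings = []
    for path, clients in parse_showmount(text):
        reasons = []
        if path == "/home" or path.startswith("/home/"):
            reasons.append("home directory export (.ssh/authorized_keys reachable)")
        wide = [c for c in clients if client_breadth(c) > max_hosts]
        if wide:
            reasons.append("exported to a broad client range: " + ", ".join(wide))
        if reasons:
            findings.append((path, reasons))
    return findings
```

Run against a real host by feeding it the output of nmap --script=nfs-showmount; anything it flags is a candidate for tightening in /etc/exports.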

I tried the nmap ls script, and I found that it can read only jack's folder, but it looks like there's nothing actually interesting.

If we want to unmount a folder that we mounted on our local machine we can use the umount command.
umount /the/folder

If we mount the jack folder we find a .ssh directory there with an empty authorized_keys file.

Let's create the directory and mount jack's folder.
mkdir -p /home/jack
mount 192.168.6.2:/home/jack /home/jack

If we mount a share and then, for example, create a file inside it, the file is created on the server as well, subject to the permissions the export grants us.

Here are our permissions for this case:
access: Read Lookup Modify Extend Delete NoExecute

Now we can generate a new SSH key pair and put our public key in jack's authorized_keys.

We go to the root directory again.
ssh-keygen -t rsa -b 4096
Then copy the contents of .ssh/id_rsa.pub
and put it in /home/jack/.ssh/authorized_keys.

Make sure the key is on a single line, with all \n characters removed from the text.
Now let's go ahead and try to ssh to jack.
And here we go.
Now we can go to the var directory and get the flag.