The Server From Hell
Walkthrough for The Server from Hell
We start with an nmap scan of the target IP. Open ports:
111 (rpcbind), 1137 (unidentified service, possibly telnet), 2049 (nfs), 3333 (ssh)
We can further enumerate rpc and NFS. List the exports with:
showmount -e IP
and mount the exported directory locally with:
sudo mount -t nfs IP:/home/nfs /tmp/1
The share contains a backup.zip; copy it off, and unzipping it shows it is password protected
(the room owner may have hidden the password in some other process, but I cracked it online).
After cracking the zip we get flag.txt and id_rsa.
We can ssh into hades' shell with the recovered key (chmod 600 id_rsa first, or ssh will refuse a key with open permissions):
ssh -i id_rsa hades@IP -p 3333
After logging in we land in some kind of shell that is not bash or sh; after searching for irb we find it is a Ruby shell (irb).
We can run system commands with system("command-here"), and we can spawn a proper shell with
exec "/bin/bash" and then read the user flag.
We can see we don't have write permissions, so we can't upload enumeration scripts to look for attack vectors.
We have to check for privilege escalation paths manually:
1) We don't have hades' password, so anything that needs sudo (e.g. sudo -l) is out.
2) We can list SUID files with: find / -type f -perm /4000 2>/dev/null
(this gives a very long list, but nothing that stands out)
3) We can check for file capabilities with: getcap -r / 2>/dev/null
and tar shows up in the output.
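The SUID list in step 2 is long because most of it is stock binaries, and step 3 is only useful if the capability names are checked against the ones that actually matter. The script below is an added example, not part of the original walkthrough: it prunes a 'find / -perm /4000' listing against a baseline of default SUID binaries and flags dangerous capabilities in 'getcap -r' output, handling both the old "path = cap+ep" and the newer "path cap=ep" formats. The sample listings are constructed, and the capability shown on tar is assumed for illustration only; the page just says tar appeared in the getcap output.

```shell
#!/bin/sh
# Triage helpers for the two manual checks above. Added example for this
# walkthrough; the sample find/getcap output below is constructed, not
# captured from the room.

# SUID binaries that ship on a stock Debian/Ubuntu install. Anything not in
# this baseline deserves a closer look (GTFOBins is the usual reference).
DEFAULT_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount
/bin/mount
/bin/umount
/bin/su
/usr/bin/pkexec
/usr/bin/fusermount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper'

# Capabilities that give a direct path to root or to root-only files.
DANGEROUS_CAPS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# triage_suid: read the output of 'find / -type f -perm /4000' on stdin and
# print only the paths that are not in DEFAULT_SUID.
triage_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$DEFAULT_SUID" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# triage_caps: read 'getcap -r /' output on stdin and print "path<TAB>cap"
# for every dangerous capability found. Works with both getcap formats:
#   /usr/bin/ping = cap_net_raw+ep      (libcap < 2.41)
#   /usr/bin/ping cap_net_raw=ep        (libcap >= 2.41)
triage_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}            # first field is the binary
        caps=${line#"$path"}        # remainder is the capability set
        caps=${caps# }
        caps=${caps#= }             # strip the old-format separator if present
        for cap in $DANGEROUS_CAPS; do
            case "$caps" in
                *"$cap"*) printf '%s\t%s\n' "$path" "$cap" ;;
            esac
        done
    done
}

# Constructed sample: what the SUID find might return on the target.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/bin/mount
/usr/bin/python3.8
/usr/local/bin/backup'

# Constructed sample: getcap output mixing both formats. The capability on
# tar is assumed for illustration; the walkthrough only says tar was listed.
SAMPLE_CAPS='/usr/bin/ping = cap_net_raw+ep
/usr/bin/tar cap_dac_read_search=ep
/usr/bin/python3.8 = cap_setuid+ep'

# Wrappers so the results can be checked as return values, not just printed.
suid_leads() { printf '%s\n' "$SAMPLE_SUID" | triage_suid; }
cap_leads()  { printf '%s\n' "$SAMPLE_CAPS" | triage_caps; }

echo "== non-default SUID binaries =="
suid_leads
echo "== interesting capabilities =="
cap_leads
```

On a real target, replace the sample strings with live input: find / -type f -perm /4000 2>/dev/null | triage_suid and getcap -r / 2>/dev/null | triage_caps. Because the restricted irb shell gives no writable location for a script, the two functions are short enough to paste straight into the bash spawned with exec.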
Thanks for reading !