1. Network discovery

My target is

2. Port scan

NOTE: The IP address in the snapshot is my old VM. However, the scan result is the same as

3. OS and service scan

There are many open ports. In summary, there are 5 services: SSH, SMTP-related, finger, netkit-rsh, and NFS-related.

4. Vuln scan

The result is not useful to me right now.

5. SSH

No banner.

6. Finger

Finger can be used to enumerate usernames. I used this list:

And this script:

I got 2 usernames: root and user.

7. NFS

I got a mountable directory.

Let’s mount it

Permission denied

Verify permission

It belongs to vulnix.

Create fake user

Since the directory is /home/vulnix, I can create an SSH key pair and use it to log in as vulnix on the target machine via the open SSH service.

Copy the key

Now I got the SSH shell.

Privilege Escalation

  1. Directory enumeration

I found nothing in


Prepare the attacker machine to be a file server

Download to target machine

I found this interesting.

Verify sudo

I can edit /etc/exports.

3. Edit /etc/exports

This file is related to the NFS service. I can add the /root directory and mount it from the target machine.

Add this line

Save and restart the target machine.

Scan again

Now, I can mount /root.

Mount /root
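
A defender-side check for the two NFS weaknesses this walkthrough relies on (a home directory exported to any host, and a /root export added through an editable /etc/exports), as an added example that is not part of the original write-up. The `parse_exports` and `audit` helpers, the policy list and the sample exports text are constructed for illustration; quoted paths and `-option` defaults from exports(5) are not handled.

```python
import re

SENSITIVE = ("/root", "/etc")  # constructed policy list; adjust per site

def under(path, base):
    """True if path is base or lies beneath it."""
    return path == base or path.startswith(base.rstrip("/") + "/")

def parse_exports(text):
    """Yield (path, client, options) per client entry of exports(5) text."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for entry in clients or ["*"]:  # no client list means any host
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", entry)
            if m is None:
                raise ValueError(f"malformed client entry: {entry!r}")
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, m.group(1) or "*", opts

def audit(text):
    """Return sorted (path, client, issue) tuples for risky exports."""
    findings = []
    for path, client, opts in parse_exports(text):
        kerberos = any(o.startswith("sec=krb5") for o in opts)
        if client in ("*", "0.0.0.0/0"):
            findings.append((path, client, "exported to any host"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote root keeps uid 0"))
        if path == "/" or any(under(path, b) for b in SENSITIVE):
            findings.append((path, client, "sensitive path exported"))
        if under(path, "/home") and "all_squash" not in opts and not kerberos:
            findings.append((path, client, "home directory trusts client-supplied UIDs"))
    return sorted(findings)

# Constructed sample, not the exports file from the write-up.
SAMPLE = """\
# /etc/exports (constructed)
/home/vulnix   *(rw,root_squash)
/root          *(rw,no_root_squash)
/srv/pub       10.0.0.0/24(ro,all_squash)
/home/alice    10.0.0.5(rw,sec=krb5p)
"""

if __name__ == "__main__":
    for path, client, issue in audit(SAMPLE):
        print(f"{path:14} {client:12} {issue}")
```

Note that `root_squash` only remaps UID 0; with the default `sec=sys` every other UID is taken from the client as sent, which is why the home-directory export is flagged even though root is squashed.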



