Writeup – CSL – Shares

As the first box I’m doing from the great guys over at CyberSecLabs (https://www.cyberseclabs.co.uk/), let’s fire it up and get to work!

Turn this bad boy on!

After adding the alias shares.csl to my /etc/hosts file, I kicked off AutoRecon and took a close look at the results. Here we see port 21 (FTP), port 80 (HTTP), port 111 (RPC), port 2049 (NFS), and port 27853 (running SSH!), as well as some higher-numbered ports. This high SSH port seemed odd to me.

Starting with the easy ports, NFS (Network File System) is first. Looking at the nmap scan that was run on port 111, we see the following mount:

The *.*.*.* means it can be mounted by any IP address.

We mount this drive and see what we’ve got:

How to mount the directory. There’s more!

Thinking back to the high-port number running SSH, I bet that .ssh directory may be interesting!

Boom, private key!
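Seen from the administrator's side, the finding above (a home directory exported over NFS to any client) can be caught by auditing /etc/exports. The following is an added example, not part of the original writeup or the lab; the sample exports lines, paths and the list of sensitive prefixes are constructed assumptions.

```python
import re

# Client specs treated as "any host". "*.*.*.*" is the form shown in this
# writeup's scan output; "" covers an export line with no client list at all.
ANY_HOST = {"*", "*.*.*.*", "0.0.0.0/0", "::/0", ""}
SENSITIVE_PREFIXES = ("/home", "/root", "/etc")  # assumption: tune per site
CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^)]*)\))?$")

# Constructed sample in exports(5) syntax, not taken from the target box.
SAMPLE = """\
# path        client(options)
/home/user1   *.*.*.*(rw,sync,no_subtree_check)
/srv/build    10.0.5.0/24(ro,root_squash)
/srv/scratch  *(rw,no_root_squash)
"""

def parse_exports(text):
    """Yield (path, host, options) for every client entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:  # no client list means everyone
            m = CLIENT_RE.match(spec)
            if m:
                opts = set(filter(None, (m.group("opts") or "").split(",")))
                yield path, m.group("host"), opts

def is_sensitive(path):
    return path == "/" or any(
        path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)

def audit_exports(text):
    """Return (path, issue) pairs for risky export entries."""
    findings = []
    for path, host, opts in parse_exports(text):
        world = host in ANY_HOST
        if world:
            findings.append((path, "any-client"))
            if is_sensitive(path):  # SSH keys and dotfiles become readable
                findings.append((path, "sensitive-path"))
            if "rw" in opts:        # exports default to read-only
                findings.append((path, "world-writable"))
        if "no_root_squash" in opts:  # remote root keeps uid 0 on the share
            findings.append((path, "no-root-squash"))
    return findings

if __name__ == "__main__":
    for path, issue in audit_exports(SAMPLE):
        print(f"{path}: {issue}")
```

Restricting the client field to the hosts or subnet that actually need the share clears the first three findings for that entry.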

Unfortunately, as you may have noticed above, trying to log in with the private SSH key gets you denied: it asks for a passphrase, because the key is …. ENCRYPTED! But have no fear, ssh2john is here!

Prep the key for cracking!

Once you have it prepped for john, run john with the rockyou.txt wordlist to find the passphrase for the original key!

Boom. Now let’s login.

Now that we have the passphrase, don’t forget to chmod 600 the original private key, and let’s log in. Once logged in, run sudo -l, and we see there’s a user named amy that we can run /usr/bin/pkexec or /usr/bin/python3 as.

Getting somewhere now!

It’s trivial at this point to get on as amy. Simply search GTFOBins for the python binary and take a look at the sudo section: https://gtfobins.github.io/gtfobins/python/. Switching users to amy and running python is a breeze.

And we’re amy!

Now, as amy, don’t forget to get the access.txt flag, and let’s sudo -l again! Now you see that we can run /usr/bin/ssh as anyone we want with no password, including root!

GTFOBins again? No way!

A quick trip back to GTFOBins shows us the way. Just look under sudo for ssh: https://gtfobins.github.io/gtfobins/ssh/

Don’t forget that system flag!

Thanks for tuning in to the first box I’ve gone after in the Beginner section of CyberSecLabs! I’m truly enjoying the quality of the content they’re providing here so far, and stay tuned for more!

How Life Can Change in a Month

A short month ago I had this idea in my head, after being exposed to the world of Twitch via my kids and a couple of people I’ve learned from – why not try it myself? So I tugged on my Logitech headset, turned on my webcam, and proceeded to make a fool out of myself attempting to get through rooms on a website called TryHackMe. Thanks to the awesome people in the Ur-Hackr.com Discord, the VetSec Inc. Slack, and my amazing family, I’ve stuck with it now for a month. Monday-Friday, 5pm PST, on Twitch, beating my head against a keyboard.

I also recorded a 5 minute trial course on Cybrary.it, only to seemingly see it fall through (FYI, I got ghosted, for anyone else that gets any of their recruiting emails). I upped my participation in VetSec a bit, and learned a lot about the industry I’m transitioning into. I finished my second course on the path to a Masters Degree, and started the third.

Over the month, I figured my streaming would be a good outlet for me to get some practice time, and if a few people came to say hi online, so be it. I didn’t expect what really happened. In a short month, the generosity of the community has been amazing. As I sit writing this, 156 people follow my stream (basically, they’ve agreed to get email notices when I go live). Additionally, 25 people have subscribed in total, which means they’ve paid to eliminate advertisements for themselves on my stream and support me monetarily. I didn’t anticipate either. I had hoped for maybe 25 followers and a couple subs. Blown. Away.

In addition to this, thanks to the leadership at VetSec Inc. and the wonderful sponsorship by eLearnSecurity, I was gifted a Cybersecurity course called Penetration Testing Student. This past week I passed the exam and am now a certified eJPT.

Finally, even though I can’t go into too much detail yet, my work with VetSec, Inc., is just beginning. For anyone that is a veteran interested in CyberSecurity, or is active duty and looking for more information on the Information Security domain, please contact me or visit VetSec at https://veteransec.com. My work there is only beginning and I look forward to sharing more of my journey with all of you! Stay tuned!