Shares from CyberSecLabs is an interesting beginner box in that there’s very little actual exploitation. No reverse shells, no payloads and we also won’t be using any automated tools for enumeration during privilege escalation. What we will be doing is taking advantage of an open share containing a user’s home directory with everything that entails. We’ll get to root by abusing Sudo permissions two different ways.

Connect to the VPN and ping your target to verify connectivity.

As usual I’ll start with an Nmap scan of the target. Here I’m scanning with -sC for default scripts, -sV for service enumeration, and -p- to scan all 65535 TCP ports.

Nmap scan results show a handful of open ports. Port 80 is hosting a web server, and we have RPC on port 111. Next we jump to port 2049 which is hosting an NFS file share. Then we have SSH on port 27853 which is also very interesting. After that we have some higher level ports I don’t recognize, and I’ll ignore them for now.

I’ll start by examining the file share that’s being hosted on 2049. Showmount reveals a mounted home directory for an “amir” user. Now we can mount that directory to our local machine and explore the files on the share. I’ll do that using the mount command, NFS for the type of share, followed by the IP address of the target with the path, and the local path where the share will be mounted on our local machine.

After mounting the share I ls -la to reveal all hidden files and folders. Here we see the contents of the user’s home folder. .ssh folder which hopefully contains a private key we can utilize.

Debug from CyberSecLabs is a beginner level Linux machine hosting a website. We’ll start with basic web exploitation for initial access and then learn a useful Linux privilege escalation technique.

Debug’s IP address is 172.31.1.5.

As always, we start with a standard Nmap scan running default scripts, service enumeration enabled, and scanning all 65,535 ports. You can see in the output we only have two ports to work with. Port 22 hosting SSH services, and port 80 hosting an HTTP web server. This greatly reduces our initial attack surface.

If you haven’t spent a lot of time pentesting, I’ll share my experience looking for SSH exploits. Typically, I’ve found those mostly to be rabbit holes, leading nowhere. Version exploits for SSH do exist, but more often than not, especially in CTFs, you’re probably heading in the wrong direction. That leaves port 80, and a web server to exploit for our initial access.

Browse out to the IP address of Debug, 172.31.1.5.

Future Design’s website.

We have a couple of pages, some filler text, not a lot there. I don’t see a login page, or anything interesting. Let’s dig a little deeper and see if there are some hidden directories lurking behind this web server.