Nmap Challenge 2 — Rangeforce Pentester
Your friend Jack has been playing around with NFS shares and has asked you to take a look to see if any share can be exploited to gain remote access.
Gain Access
Enumerate the target NFS server and look for an attack vector that can lead to remote access.
Jack has placed a flag inside the machine for you to retrieve.
The server’s IP address is 192.168.6.2.
- Gain access to the server
- Retrieve the flag from /var/flag.txt
What’s the flag in /var/flag.txt?
First I’ll enumerate the NFS server using nmap.
There are 2 shares, and the flag should be located under /var/nfs/private. Let’s mount the shares. Once mounted I can see the /home directory, and inside it lies the jack directory.
Once inside jack’s directory I test whether I can write to the share by creating a test file.
It works! I also see I have read/write/execute privileges on the .ssh directory. I’ll create SSH keys so that I can SSH into the server.
I confirm the keys have been created.
I noticed the public key ended in ‘root@desktop’, which is my current user. When I tried to SSH into the server it asked for root’s password, which I don’t have.
I edited the user@host at the end of the public key from ‘root@desktop’ to ‘jack@192.168.6.2’.
Then I added it to authorized_keys and successfully SSHed into the server. There I captured the flag!
Mitigation
My advice to Jack is to disable SSH on the server if it is not needed. If it is needed, restrict access to the authorized_keys file.
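As an added example (not part of this writeup or the lab), a small audit script that parses /etc/exports and flags the export settings that let an NFS client write into a user’s home directory, which is what allowed the authorized_keys trick above: writable exports of /home or /root, wildcard client lists, no_root_squash and insecure. The sample exports text is constructed; the risky path prefixes are an assumption.

```python
# Added example, not the lab's or the writeup's own code: audit /etc/exports
# for settings that let an NFS client write into users' home directories.
# The sample exports text below is constructed for illustration.

SAMPLE_EXPORTS = """\
# constructed sample, not the lab's real configuration
/home            *(rw,sync,no_root_squash)
/var/nfs/private 192.168.6.0/24(rw,sync)
/srv/iso         192.168.6.10(ro,sync)
"""

def parse_exports(text):
    """Return [(path, client, options_set)] for each client clause in exports text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]  # no client field = every host
        for token in clients:
            client, _, rest = token.partition("(")
            opts = {o.strip() for o in rest.rstrip(")").split(",") if o.strip()}
            entries.append((path, client, opts))
    return entries

def _under(path, prefix):
    """True if `path` is `prefix` or lies beneath it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def audit_exports(text, home_prefixes=("/home", "/root")):  # assumed sensitive prefixes
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    for path, client, opts in parse_exports(text):
        writable = "rw" in opts                         # exportfs defaults to ro
        wildcard = client == "*" or any(c in client for c in "*?")
        if writable and wildcard:
            findings.append(f"{path}: writable by any host ({client})")
        if "no_root_squash" in opts:
            findings.append(f"{path}: no_root_squash lets client root act as server root")
        if writable and (path == "/" or any(_under(path, p) for p in home_prefixes)):
            findings.append(f"{path}: writable export covers home directories, so a client "
                            f"can plant ~/.ssh/authorized_keys for a local user")
        if "insecure" in opts:
            findings.append(f"{path}: insecure accepts mounts from unprivileged client ports")
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run it against the real file with `audit_exports(open("/etc/exports").read())`; an export that is read-only, host-restricted and outside home directories produces no findings.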