FourandSix:2-writeup 01/19 Update SLTechnology News&Howtos

FourandSix:2-writeup

2025-01-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)06/01 Report--

Nmap scanning

Nmap-sS-Pn-A 10.129.10.105 queries open ports and services: 22-ssh, 111-rpcbind, 2049-nfs, 612-mountd, as shown below:

Mountd service check

Showmount-e 10.129.10.105 found that there is a directory that can be mounted remotely: / home/user/storage (everyone) after trying to mount the directory and its parent directory, it is found that only the directory can be mounted: / home/user/storage (everyone)

Mount the directory: mount-t nfs 10.129.10.105:/home/user/storage / tmp/test, and find a compressed file: backup.7z

When decompressing the compressed package, we found that there was a password, so we began to crack the compressed package password, which can be cracked using rarcrack brute force or through the 7z command to explode the dictionary. The rarcrack cracking command is: rarcrack-- threads 4-- type 7z backup.7z;7z cracking script: 7z-crack

. / 7z-crack.sh / tmp/backup.7z / usr/share/wordlists/rockyou.txt

Finally, the 7z cracking script successfully cracked the compressed package password: chocolate

Zip file check

Compressed package pressurized, found id_rsa and id_rsa.pub, so guess can be directly through id_rsa.pub login, in XSHELL through id_rsa.pub login, need to enter a password, so, use the tool to crack the id_rsa file password, crack the tool.

. / id_rsa-crack.sh / tmp/id_rsa / usr/share/wordlists/rouckyou.txt

Finally, get the id_rsa password: 12345678

Shell raises the right

After entering shell, it is found that the current user is a ksh and the system is FreeBSD 6.4. after searching, it is found that there are no vulnerabilities in the kernel that can be used to claim rights, so we focus on configuration, files and services. Found that there is a doas configuration under the etc directory, and found that the current user can use doas to root access / usr/bin/less to access / var/log/auth.log file, so think of SUID rights in the linux system, so, try to jump from less to shell, and finally can not jump, the reason is not clear; after entering h, you can find that you can use e to read a new file, so read to flag.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.