{"id":142,"date":"2023-06-10T21:33:42","date_gmt":"2023-06-10T21:33:42","guid":{"rendered":"https:\/\/justatrainingblog.co.uk\/?p=142"},"modified":"2023-06-10T21:33:42","modified_gmt":"2023-06-10T21:33:42","slug":"thm-exploiting-unsecured-nfs","status":"publish","type":"post","link":"https:\/\/justatrainingblog.co.uk\/?p=142","title":{"rendered":"THM – Exploiting unsecured NFS"},"content":{"rendered":"\n

As part of the Network Services room in TryHackMe, one of the areas covered is NFS. I will cover the technology in more detail at a later point but this article is dedicated towards a practice senario concerning how an unsecured NFS share can be exploited. <\/p>\n\n\n\n

To start with as always, we need to find what the server is running. To do so we run Nmap. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Ok so we can see that port 2049 is open running NFS. This is the generally default port for this protocol so nothing surprising here. <\/p>\n\n\n\n

So now we know nfs is open on the machine lets check for any shares<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Perfect, we have a share called \/home. Lets try mounting it to our own machine. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

and now lets see if we can access it<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

We can! We can see in the home directory a folder named Cappucino. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Accessing the folder reveals a number of folders. The one we really find interesting here is .ssh. <\/p>\n\n\n\n

Accessing the folder shows a file named rsa_id, this is the defualt name for SSH private keys so is exactly what we need (unfortunately lost the screenshots). By running mv rsa_id \/root we moved the file to our local directory. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next we run chmod 600 to change the permissions to something our machine can access and finally we’ll try connecting using an assumed username of Cappucino:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Success! We have now signed in remotely as Cappucino .<\/p>\n","protected":false},"excerpt":{"rendered":"

As part of the Network Services room in TryHackMe, one of the areas covered is NFS. I will cover the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[2,3],"tags":[],"class_list":["post-142","post","type-post","status-publish","format-standard","hentry","category-learning","category-tryhackme"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=142"}],"version-history":[{"count":1,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/142\/revisions"}],"predecessor-version":[{"id":150,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/142\/revisions\/150"}],"wp:attachment":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}