PwnTillDawn Online Battlefield is a penetration testing lab created by wizlynx group where participants can test their offensive security skills in a safe and legal environment, but also having fun! The goal is simple, break into as many machines as possible using a succession of weaknesses and vulnerabilities and collect flags to prove the successful exploitation. Each target machine that can be compromised contains at least one “FLAG” (most of the times a file and typically located in the user’s Desktop, or the user’s root directory), which you must retrieve, and submit in the application. The flag is in the majority of the cases in a SHA1 format but not always.
We always start with an nmap scan…..
Nmap -sC -sV -oA nmap <Target-IP>
┌──(muzec㉿Muzec-Security)-[~/Documents/PTD/10.150.150.134] └─$ cat nmap.nmap # Nmap 7.91 scan initiated Wed Jun 9 07:30:18 2021 as: nmap -sC -sV -oA nmap 10.150.150.134 Nmap scan report for 10.150.150.134 Host is up (0.16s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 f6:e9:3f:cf:88:ec:7c:35:63:91:34:aa:14:55:49:cc (DSA) |_ 2048 20:1d:e9:90:6f:4b:82:a3:71:1e:a9:99:95:7f:31:ea (RSA) 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/udp nfs | 100005 1,2,3 34154/tcp mountd | 100005 1,2,3 50354/udp mountd | 100021 1,3,4 45783/tcp nlockmgr | 100021 1,3,4 48262/udp nlockmgr | 100024 1 38840/udp status |_ 100024 1 40110/tcp status 2049/tcp open nfs 2-4 (RPC #100003) 4003/tcp filtered pxc-splr-ft 8089/tcp open ssl/http Splunkd httpd |_http-server-header: Splunkd |_http-title: splunkd | ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser | Not valid before: 2019-10-28T09:51:59 |_Not valid after: 2022-10-27T09:51:59 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Wed Jun 9 07:31:23 2021 -- 1 IP address (1 host up) scanned in 65.62 seconds
We have four open ports which is cool but seems port 80 is misiing which is a dead end also lol but guess we still have a cool port NFS which run on port 2049.
Network File System, or NFS, allows remote hosts to mount the systems/directories over a network. An NFS server can export a directory that can be mounted on a remote Linux machine. This allows the user to share the data centrally to all the machines in the network.
EXploiting NFS Share
showmount -e 10.150.150.134
Boom we have a share let create a directory and mount it.
mkdir /tmp/share mount -v -t nfs -o vers=3,proto=tcp,nolock 10.150.150.134:/srv/exportnfs /tmp/share
Let confirm it by checking the share with the directory we just mount together.
We are in the share we have FLAG49 also a private key to SSH into the machine and a public key when we can get the name for the SSH.
We can see the username already time to log in make sure you give the private key permission.
Boom we are in time to get root.
Checking for Kernal version.
Running some old version cool let hit google forsome exploits.
Nie but i use the dirtycow exploit.
Checking the box we have no
gcc compiler on it so i decided to compile it on another machine running the same kernal version now let transfer it to the target and run.
We are root and done.
PWNTILLDAWN LABS IS THE BEST WHY NOT TRY IT: FullMounty On PwnTillDawn Click Here
Greeting From Muzec