ihearthas.blogg.se

How to use nessus enum kali

Enter “msfadmin” as the username and password when prompted for login. Note the IP address of the hosted machine by running the “ifconfig” command.

To simulate the exact scenario, I have modified the export directory from “/” (root) to “/home” in the “/etc/exports” file. This file contains the configuration for NFS. After making the changes, run the following command to restart the NFS service:

sudo /etc/init.d/nfs-kernel-server restart

Now, let’s start our Kali Linux machine to perform the penetration testing.

Step 1: Start with an nmap service fingerprint scan on the IP address of the hosted machine:

Step 2: The port scan result shows that port 2049 is open and the NFS service is running on it.

Step 3: Check if any share is available for mount, using the showmount tool in Kali:

Note the asterisk sign in front of /home, which means every machine on the network is allowed to mount the /home folder of this machine. If you see an IP address or an IP range defined in front of the directory, that means only the machine with that specific IP or range is allowed to mount the directory, which is a good security practice.

Step 4: Create a new directory under the tmp folder of Kali and run the following command to mount the home directory on this newly created directory:

-t: Specifies the type of file system that performs the logical mount request.
/tmp/infosec: The remote home folder is to be mounted on the local /tmp/infosec folder.

Once the command is executed, the following command can be used to check the directory mount:

Step 5: Navigate to the /tmp/infosec directory and list the content. The content listed is from the /home folder of the remote host.

Step 6: Navigate to any user directory and locate the. This folder contains the public, private and authorized keys for the SSH login of the specific user.

Step 7: The approach here will be to create our own SSH keys and append the newly created public key to the authorized_keys file of the victim user. Then log into the remote host with the victim user and own password. To create an SSH key pair, we will use the ssh-keygen command on our attacking machine, i.e., Kali Linux. Follow the steps on screen and provide the file path and passphrase. We can keep the passphrase blank by simply hitting the “Enter” key. Once the command is completed, navigate to the path of the file which you provided above and check the content of the public key file.

Step 8: Navigate to the /tmp/infosec/msfadmin/.ssh folder and append the newly created public key to the authorized_keys file of the msfadmin user.

Step 9: SSH into the remote host from the Kali machine as the user msfadmin and provide the path to the private key:

ssh -i infosec_rsa (path to the private key; the username is msfadmin and the host IP is 10.0.50.58; the IP changed due to the VM restart)

Since we created a key pair without a password and modified the “authorized_keys” file of the msfadmin user, we are logged into the system without a password.

Now we have gained low-privilege user access to the target machine, and our objective is to escalate our privileges to the root user. There are multiple ways to escalate privileges in Linux, such as exploiting an unpatched kernel-level vulnerability, weak security configurations, weak permissions on files owned by the root user, passwords stored in the file system, password reuse and so on. In this article, we will see how a weakly configured NFS can lead us to elevated privileges.

Step 11: Create a C file (as given below) and compile it using GCC on the Kali machine.

gcc root.c -o rootme (This will compile the C file to an executable binary)

Step 12: Copy the compiled binary to the msfadmin directory in the NFS share. Set the SUID bit using the following command:

Why set the SUID bit on this file? When a file with the SUID bit set is run by any user, the process will execute with the rights of the owner of the file.

Step 13: List the content of the msfadmin directory by using the ls -al command. Observe that the “rootme” file is owned by the root user.
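A defender-side check for the export weakness described above (the asterisk in front of /home), added here as an example and not part of the original article: it parses /etc/exports-style text and flags entries that are open to every host. The sample file, the host names in it and the no_root_squash check are assumptions of this example; the article does not show the full export line.

```python
import re

# Constructed sample mirroring the export described above; not taken from the article.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home        *(rw,sync,no_root_squash,no_subtree_check)
/srv/builds  10.0.50.0/24(ro,sync,root_squash) \\
             build01.example.internal(rw,sync)
/srv/scratch (rw,sync)
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")

def parse_exports(text):
    """Yield (path, host, options) for every client spec in an exports file."""
    joined = re.sub(r"\\\n", " ", text)          # honour backslash line continuation
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:             # no client at all means "everyone"
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            opts = {o for o in (m.group("opts") or "").split(",") if o}
            yield path, m.group("host") or "*", opts

def is_world(host):
    """True when the client spec matches every machine that can reach the server."""
    return host in ("*", "0.0.0.0/0", "::/0")

def audit_exports(text):
    """Return a sorted list of (path, host, issue) findings."""
    findings = []
    for path, host, opts in parse_exports(text):
        if is_world(host):
            findings.append((path, host, "exported to every host"))
            if "rw" in opts:
                findings.append((path, host, "world-writable export"))
        # Added check (assumption, not on the page): root_squash is the Linux default.
        if "no_root_squash" in opts:
            findings.append((path, host, "remote root is not squashed"))
    return sorted(findings)

if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {host:8} {issue}")
```

The /srv/scratch line shows a common slip: a space before the parenthesis makes the options apply to every host rather than to a named client.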







