AoC3#12: Sharing Without Caring CTF

Continuing on with our TryHackMe challenge, we’re now onto Day 12 – Sharing without Caring. This CTF challenge sees us performing some more network activity, including exploring and mounting some NFS shares. Finding someone’s old SSH keys is a nice benefit too.

I recently wrote up Day 11 – Where Are The Reindeers, a Windows MS SQL CTF challenge.

Port scanning w/ nmap

Being told it’s a Windows box means we should use the -Pn switch by default, since Windows hosts often ignore the ping probes nmap uses for host discovery.

I scan the default 1000, choosing to get some additional information with switches like -sV and -vv.

└─$ sudo nmap -T5 -Pn -n -sV -vv | tee nmap.txt

Starting Nmap 7.92 at 2021-12-28 07:51 EST
NSE: Loaded 45 scripts for scanning.
Initiating SYN Stealth Scan at 07:51
Scanning [1000 ports]
Discovered open port 3389/tcp on
Discovered open port 22/tcp on
Scanned at 2021-12-28 07:51:37 EST for 75s
Not shown: 993 filtered tcp ports (no-response)
22/tcp   open  ssh           OpenSSH for_Windows_7.7 
111/tcp  open  rpcbind       2-4 (RPC #100000)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
????/tcp open  mountd        1-3 (RPC #100005)
3389/tcp open  ms-wbt-server Microsoft Terminal Services

There’s only one service here we actually care about, and the version information is largely irrelevant, but it’s all good exposure.

Mounting the network shares

Next we list the shares exported by mountd, all done remotely. This concept was new to me, so it was pretty eye-opening.

showmount -e {ip}

This exposes some basic information we can use:

└─$ showmount -e

Export list for
/share        (everyone)

/my-notes     (noone)
/confidential (everyone)
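
As an added example (not part of the original write-up), the shell functions below take `showmount -e` output like the listing above and flag every export that any client may mount, which is the check an administrator would run against their own NFS server. The `*` wildcard case, the function names and the host name in the sample are assumptions beyond what the page shows.

```shell
#!/bin/sh
# Added example: audit `showmount -e` output (read on stdin) for exports
# that any client may mount. Assumes export paths contain no whitespace.

# open_exports: print the path of each export whose client list contains
# "(everyone)" (the wording in the listing above) or "*" (assumed wildcard
# wording, as printed for Linux nfs-utils servers).
open_exports() {
    awk '
        /^Export list for/ { next }   # header line
        NF < 2             { next }   # blank or malformed line
        {
            clients = $2
            for (i = 3; i <= NF; i++) clients = clients "," $i
            n = split(clients, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] == "(everyone)" || c[i] == "*") { print $1; break }
        }'
}

# audit_exports: list the findings and return 1 if any export is open to
# everyone, otherwise print nothing and return 0.
audit_exports() {
    found=$(open_exports)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found" | sed 's/^/world-mountable export: /'
    return 1
}

# Constructed sample modelled on the export list above; the host name is a
# placeholder, not a value from the page.
SAMPLE='Export list for nfs.example.test:
/share        (everyone)

/my-notes     (noone)
/confidential (everyone)'

printf '%s\n' "$SAMPLE" | audit_exports || true
```

In practice, pipe the live output of `showmount -e` for your own server into `audit_exports` and treat a non-zero exit status as a finding to restrict the export to named clients.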

I then mounted the shares using just the IP and share name:

└─$ mkdir share_mount  
└─$ sudo mount share_mount 

After that point it’s just a simple matter of file exploration and repeating your actions for the next few questions.

We’re told to use md5sum on a file, to confirm with the CTF challenge we’ve actually found a file. This is the 2nd or 3rd time recently I’ve used this simple function to confirm either accessibility or integrity (last time was after transferring files using nc).

Once I had found the SSH id_rsa file, the room was completed. I felt this room could have gone for a lot longer, showing more functionality of NFS, but I guess we were covering just the very basics.

Onto Day 13, where we compromise a Windows box, get a reverse shell and escalate our privileges from a simple user to an admin – all using a vulnerable backup facility.
