AoC3#12: Sharing Without Caring CTF
Continuing on with our TryHackMe challenge, we’re now onto Day 12 – Sharing without Caring. This CTF challenge sees us performing some more network activity, including exploring and mounting some NFS shares. Finding someone’s old SSH keys is a nice benefit too.
I recently wrote up Day 11 – Where Are The Reindeers, a Windows MS SQL CTF challenge.
Port scanning w/ nmap
Being told it's a Windows box means we should use the -Pn switch by default: it skips nmap's host-discovery ping, which Windows hosts commonly don't answer, so the port scan runs regardless.
I scan the default 1000 ports, choosing to get some additional information with switches like -sV and -vv.
└─$ sudo nmap 10.10.19.46 -T5 -Pn -n -sV -vv | tee nmap.txt
Starting Nmap 7.92 at 2021-12-28 07:51 EST
NSE: Loaded 45 scripts for scanning.
Initiating SYN Stealth Scan at 07:51
Scanning 10.10.19.46 [1000 ports]
Discovered open port 3389/tcp on 10.10.19.46
Discovered open port 22/tcp on 10.10.19.46
...
Scanned at 2021-12-28 07:51:37 EST for 75s
Not shown: 993 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7
111/tcp open rpcbind 2-4 (RPC #100000)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
????/tcp open mountd 1-3 (RPC #100005)
3389/tcp open ms-wbt-server Microsoft Terminal Services
There's only one service here we actually care about (mountd, the NFS mount daemon), and the version information is largely irrelevant, but it's all good exposure.
Mounting the network shares
Next we list the shares exported by mountd, all remotely. This concept was new to me, so it was pretty eye-opening.
showmount -e {ip}
This exposes some basic information we can use:
└─$ showmount -e 10.10.19.46
Export list for 10.10.19.46:
/share (everyone)
...
/my-notes (noone)
/confidential (everyone)
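The export list above is exactly what a defender would audit: "(everyone)" means no client restriction at all. As an added example (not from the original post), this shell function reads showmount -e output and prints the exports that any client can mount, handling both the Windows-style "(everyone)" seen here and the "*" wildcard that Linux NFS servers print; the sample export list is constructed, not captured from the box.

```shell
#!/bin/sh
# Constructed sample, modelled on the showmount -e output above (not a real host).
SAMPLE_EXPORTS='Export list for 10.10.19.46:
/share (everyone)
/my-notes (noone)
/confidential (everyone)
/backup 10.0.0.0/8,192.168.1.0/24
/public *'

# Print, one per line, the exports that are mountable by any client.
# Reads showmount -e output on stdin and skips the "Export list for" header.
# A client field of "(everyone)" (Windows Server for NFS) or "*" (Linux)
# means the export has no client restriction; anything else is left alone.
open_exports() {
    awk 'NR == 1 && /^Export list for/ { next }
         NF >= 2 {
             path = $1; clients = $2
             gsub(/[()]/, "", clients)
             if (clients == "everyone" || clients == "*") print path
         }'
}

# Number of unrestricted exports, for use as a pass/fail figure in scripts.
count_open_exports() {
    open_exports | awk 'END { print NR }'
}

# Against a live host this would be:  showmount -e "$target" | open_exports
printf '%s\n' "$SAMPLE_EXPORTS" | open_exports
```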
I then mounted the shares using just the IP and share name:
┌──(kali㉿kali)-[~/ctf/tryhackme/adventofcyber2021/day12]
└─$ mkdir share_mount
┌──(kali㉿kali)-[~/ctf/tryhackme/adventofcyber2021/day12]
└─$ sudo mount 10.10.19.46:/share share_mount
After that point it's just a simple matter of file exploration, repeating the same mount-and-browse steps for the next few questions.
We’re told to use md5sum on a file, to confirm with the CTF challenge we’ve actually found a file. This is the 2nd or 3rd time recently I’ve used this simple function to confirm either accessibility or integrity (last time was after transferring files using nc).
Once I had found the SSH id_rsa file, the room was completed. I felt this room could have gone on a lot longer, showing more of what NFS can do, but I guess we were covering just the very basics.
Onto Day 13, where we compromise a Windows box, get a reverse shell and escalate our privileges from a simple user to an admin – all using a vulnerable backup facility.