Grinch Enterprises has been leaving traces of how their hackers have been accessing data from the system – you’ve found a unique server they use. We need your help to find out what method they’ve been using to extract any data.

We have noticed that the machine is generating unusual traffic. We highly suspect that Grinch Enterprises are using it to access our data. We will use Nmap to discover the services are running on their server.

We covered enumerating and interacting with NFS or network file system on a Windows machine. This was part of TryHackMe Advent of Cyber 3 Day 12.

Finding and Enumerating NFS Shares

First things first, I run an Nmap scan on the target machine. A quick tip for scanning Windows machines: it’s a good idea to use the -Pn flag to disable ping discovery, otherwise, you might not see all the open ports. The scan reveals about seven open ports, and I spot mountd running, which is a dead giveaway for an NFS service.

With NFS confirmed, I use the showmount -e command to list all the network shares on the machine. This reveals four shares: /share, /adminfiles, /mynotes, and /confidential.

Mounting the Shares and Finding Loot

Now for the fun part: I try to mount each of these shares to my own local system so I can see what’s inside. I create a local directory to act as my mount point.

I run into some “access denied” errors when trying to mount /adminfiles and /mynotes, which is a good reminder of why proper permissions on these shares are so important. However, I’m able to successfully mount /share and /confidential.

Inside the /share directory, I find a couple of text files. I open one up and find its title is “meditations.” The real jackpot, though, is in the /confidential share. Inside, I find an ssh directory, and within that, a private key file named id_rsa. This is a huge find! To complete the challenge, I calculate the MD5 hash of this private key.

Technical Commands

Here’s a list of the commands I used in my terminal during this investigation:

  • Nmap Scan:
    • nmap -Pn -sV <IP_address>
  • Enumerate NFS Shares:
    • showmount -e <IP_address>
  • Mounting and File Operations:
    • mkdir local_shares
    • mount <IP_address>:<share_name> <local_directory_path>
    • ls
    • cd <directory>
    • cat <file>
    • nano <file>
  • Calculating MD5 Hash:
    • md5sum id_rsa

TryHackMe Advent of Cyber 3 Day 12 Challenge Answers

Scan the target server with the IP MACHINE_IP. Remember that MS Windows hosts block pings by default, so we need to add -Pn, for example, nmap -Pn MACHINE_IP for the scan to work correctly. How many TCP ports are open?
 

Network File System (NFS) is a protocol that allows the ability to transfer files between different computers and is available on many systems, including MS Windows and Linux. Consequently, NFS makes it easy to share files between various operating systems.

In the scan results you received earlier, you should be able to spot NFS or mountd, depending on whether you used the -sV option with Nmap or not. Which port is detected by Nmap as NFS or using the mountd service?

 

Now that we have discovered an NFS service is listening, let’s check what files are being shared. We can do this using the command showmount. In the terminal below, we run showmount -e MACHINE_IP. The -e or --exports show the NFS server’s export list.

As we can see in the terminal output above, we have two shares, /share and /my-notes. After you have started the attached machine, use the AttackBox terminal to discover the shares on MACHINE_IP.

How many shares did you find?

 

How many shares show “everyone”?

 

Let’s try to mount the shares we have discovered. We can create a directory on the AttackBox using mkdir tmp1, where tmp1 is the directory’s name. Then we can use this directory  we created to mount the public NFS share using: mount MACHINE_IP:/my-notes tmp1.

There are two text files. We can open the file using any text editor such as nano FILENAME or something quicker such as less FILENAME.

What is the title of file 2680-0.txt?

 

It seems that Grinch Enterprises has forgotten their SSH keys on our system. One of the shares contains a private key used for SSH authentication (id_rsa). What is the name of the share?

 

We can calculate the MD5 sum of a file using md5sum FILENAME. What is the MD5 sum of id_rsa?

 

Video Walk-Through

 

, ,
Show Comments

The MasterMinds Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles