Grinch Enterprises has been leaving traces of how their hackers have been accessing data from the system – you’ve found a unique server they use. We need your help to find out what method they’ve been using to extract any data.

We have noticed that the machine is generating unusual traffic. We highly suspect that Grinch Enterprises are using it to access our data. We will use Nmap to discover the services running on their server.

This walkthrough covers enumerating and interacting with NFS (Network File System) on a Windows machine. It was part of TryHackMe Advent of Cyber 3 Day 12.

Challenge Answers

Scan the target server with the IP MACHINE_IP. Remember that MS Windows hosts block pings by default, so we need to add -Pn, for example, nmap -Pn MACHINE_IP for the scan to work correctly. How many TCP ports are open?

Network File System (NFS) is a protocol that allows files to be transferred between different computers and is available on many systems, including MS Windows and Linux. Consequently, NFS makes it easy to share files between various operating systems.

In the scan results you received earlier, you should be able to spot NFS or mountd, depending on whether you used the -sV option with Nmap or not. Which port is detected by Nmap as NFS or using the mountd service?

Now that we have discovered an NFS service is listening, let’s check what files are being shared. We can do this using the command showmount, for example showmount -e MACHINE_IP. The -e (or --exports) option shows the NFS server’s export list.

In the example output, we have two shares, /share and /my-notes. After you have started the attached machine, use the AttackBox terminal to discover the shares on MACHINE_IP.

How many shares did you find?

How many shares show “everyone”?
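As an added example, not part of the original walkthrough, the shell functions below parse a showmount -e export list and report how many shares exist and which of them are exported to “everyone” (world-mountable, the setting an auditor would flag). The export list embedded here is constructed sample data, not output from the room’s machine; MACHINE_IP is the room’s placeholder.

```shell
# Constructed sample of `showmount -e MACHINE_IP` output (made up for this example).
SHOWMOUNT_OUTPUT='Export list for MACHINE_IP:
/share    (everyone)
/my-notes (everyone)
/backup   10.0.0.0/24'

# Print one export path per line, skipping the "Export list for" header.
nfs_exports() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 1 { print $1 }'
}

# Total number of exported shares.
nfs_export_count() {
    nfs_exports "$1" | wc -l | tr -d ' '
}

# Exports whose client list contains "everyone", i.e. any host may mount them.
nfs_everyone_exports() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 && $2 ~ /everyone/ { print $1 }'
}

# Number of world-mountable exports.
nfs_everyone_count() {
    nfs_everyone_exports "$1" | wc -l | tr -d ' '
}

# Example run: list world-mountable shares with a warning prefix.
nfs_everyone_exports "$SHOWMOUNT_OUTPUT" | sed 's/^/WARNING: exported to everyone: /'
```

To check a live server, replace the constructed variable with `SHOWMOUNT_OUTPUT="$(showmount -e MACHINE_IP)"`.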

Let’s try to mount the shares we have discovered. We can create a directory on the AttackBox using mkdir tmp1, where tmp1 is the directory’s name. Then we can use the directory we created to mount the public NFS share using: mount MACHINE_IP:/my-notes tmp1.

There are two text files. We can open the file using any text editor such as nano FILENAME or something quicker such as less FILENAME.

What is the title of file 2680-0.txt?

It seems that Grinch Enterprises has forgotten their SSH keys on our system. One of the shares contains a private key used for SSH authentication (id_rsa). What is the name of the share?

We can calculate the MD5 sum of a file using md5sum FILENAME. What is the MD5 sum of id_rsa?

Video Walk-Through

About the Author

Cybersecurity Trainer. MS in Cybersecurity. Expertise in Healthcare and Finance Industries. Penetration tester and compliance auditor.
