This post summarises a video walkthrough of the TryHackMe Network Services 2 room, which covers enumerating and exploiting NFS (Network File System), SMTP and MySQL.

The room is part of the CompTIA Pentest+ pathway, and the walkthrough is split across several videos. The video covered here addresses the first four tasks: understanding NFS, enumerating it, mounting a misconfigured share and using that share to obtain a root shell. The room's questions for every task, including the later SMTP and MySQL ones, are collected at the end of the post.


Overview of The NFS Protocol

NFS is a file-sharing protocol that, like SMB, lets a client work with files on a remote server as if they were on a local disk.

The client attaches a directory exported by the server to a directory in its own filesystem by mounting it. On the server side, every exported file and directory is represented by an opaque file handle, which the client presents in subsequent requests.

NFS runs on top of RPC (Sun/ONC Remote Procedure Call). NFSv4 talks directly on TCP port 2049, while NFSv2 and v3 additionally depend on the portmapper (rpcbind, port 111) and the separate mountd service to locate and mount exports. With the default AUTH_SYS authentication the server simply trusts the numeric user ID and group ID the client sends with each request, so a root user on an attacker-controlled client can impersonate any UID; whether that client root is also treated as root on the share is decided by the server's root_squash export option.

NFS Enumeration

The instructor scans the target with Nmap and finds NFS listening on port 2049. Because NFS sits on RPC, rpcinfo -p [IP] will also list the portmapper, mountd and nfs programs together with the ports they use.

With the service identified, the next step is to list the exported directories with showmount -e [IP]. The command asks mountd for the export list and prints each export alongside the hosts allowed to mount it, where * means any host.

The video shows how this single command reveals the exported directory.

Exploiting NFS

Once the export is known, the instructor mounts it onto a local directory with the mount command: create a mount point with mkdir, then run mount -t nfs [IP]:[share] /tmp/mount (or wherever the mount point is).

Because the share is exported read-write, every change made under the mount point, whether editing an existing file or dropping in a new one, lands on the server immediately.

The mounted directory turns out to be a user's home directory, and its .ssh folder contains the user's private SSH key.

Copying the private key to the local machine, restricting its permissions with chmod 600 and passing it to ssh -i logs the instructor in to the target as the user Cappuccino, giving a low-privileged shell.

Privilege Escalation

With the low-privileged shell, the next step is to escalate privileges to root.

The video uploads a copy of the bash binary to the share, changes its owner to root and sets the SUID bit on it, all from the attacking machine. This only works because the export does not squash root: with no_root_squash, the client's root is treated as root on the server, so the chown and the SUID bit are recorded as-is on the server's filesystem. The planted binary also has to match the target's architecture and C library, which is why the room provides a bash executable to download rather than relying on whatever bash the attacking machine has.

Running the planted binary over the SSH session with ./bash -p (the -p flag stops bash from dropping the effective UID back to the real one) gives the instructor a root shell, and the flag is read from /root.

The video ends by discussing how to prevent this class of attack.

Key recommendations: keep root_squash (the default) on every export so that a client's root is mapped to nobody, restrict each export to the specific hosts or subnets that need it rather than *, export read-only unless write access is genuinely required, never export directories that hold credentials such as users' .ssh folders, and where possible use Kerberos (sec=krb5) so the server authenticates users instead of trusting the UID and GID a client claims. Anonymous users must never get unchecked access to sensitive directories.
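As an added example (not code from the room or the video), the following Python script audits an /etc/exports file for the combination the attack above relies on, rw together with no_root_squash, plus exports open to every host, and rewrites an offending line in hardened form. The exports file, paths and addresses in it are constructed, and the parsing assumes the Linux nfs-utils syntax.

```python
"""Added example, not code from the TryHackMe room or the video: audit an
/etc/exports file for the options that make the SUID-bash attack possible
(rw together with no_root_squash, and exports open to every host), and
rewrite an offending line in hardened form.

Assumed: Linux nfs-utils exports syntax, one path per line followed by
client entries of the form host(opt,opt,...). The sample file is constructed.
"""
import re

# Constructed sample exports file; the room's real export line is not shown on the page.
SAMPLE_EXPORTS = """\
# path            client(options) ...
/home/user        *(rw,sync,no_root_squash,no_subtree_check)
/srv/public       10.0.0.0/24(ro,sync,no_subtree_check)
/srv/build        10.0.0.5(rw,sync,root_squash,no_subtree_check) 10.0.0.6(rw)
"""

# One client entry: optional host, optional parenthesised option list.
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return (path, host, options) for every client entry in an exports file.

    nfs-utils quirks reproduced here: an entry with no host (" (rw)") applies to
    every client, and a host with no option list gets the defaults (ro, root_squash).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, clients = parts[0], (parts[1] if len(parts) > 1 else "")
        for token in clients.split():
            m = CLIENT_RE.match(token)
            host = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return one finding per risky client entry (an empty list means nothing flagged)."""
    findings = []
    for path, host, opts in parse_exports(text):
        writable = "rw" in opts                       # nfs-utils defaults to ro
        # root is squashed unless no_root_squash is set; all_squash squashes everyone
        root_squashed = "no_root_squash" not in opts or "all_squash" in opts
        if host == "*":
            findings.append(f"{path}: exported to every host (*)")
        if writable and not root_squashed:
            findings.append(f"{path} ({host}): rw with no_root_squash, a client-side root "
                            "can plant root-owned SUID binaries on the server")
        elif not root_squashed:
            findings.append(f"{path} ({host}): no_root_squash, a client-side root can read "
                            "every file on the share")
    return findings


def harden_export(line, allowed_hosts):
    """Rewrite one export line: limit it to allowed_hosts and re-enable root squashing.

    The option list of the line's first client entry is kept, with no_root_squash
    replaced by root_squash.
    """
    path, _, opts = parse_exports(line)[0]
    new_opts = ["root_squash" if o == "no_root_squash" else o for o in opts]
    if "root_squash" not in new_opts:
        new_opts.append("root_squash")   # make the default explicit
    return path + " " + " ".join(f"{h}({','.join(new_opts)})" for h in allowed_hosts)


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("RISK", finding)
    print(harden_export("/home/user *(rw,sync,no_root_squash,no_subtree_check)", ["10.0.0.0/24"]))
```

To check a real server, call audit_exports(open("/etc/exports").read()) on it, and compare against exportfs -v, which prints the effective option set including the defaults the file leaves implicit.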

Room Answers | TryHackMe Network Services 2

NFS tasks

What does NFS stand for?

What process allows an NFS client to interact with a remote directory as though it was a physical device?

What does NFS use to represent files and directories on the server?

What protocol does NFS use to communicate between the server and client?

What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2

Can a Windows NFS server share files with a Linux client? (Y/N)

Can a Linux NFS server share files with a MacOS client? (Y/N)

What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.

Conduct a thorough port scan of your choosing. How many ports are open?

Which port contains the service we’re looking to enumerate?

Now, use /usr/sbin/showmount -e [IP] to list the NFS shares. What is the name of the visible share?

Time to mount the share to our local machine!

First, use “mkdir /tmp/mount” to create a directory on your machine to mount the share to. This is in the /tmp directory, so be aware that it will be removed on restart.

Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share. What is the name of the folder inside?

Have a look inside this directory, look at the files. Looks like we’re inside a user’s home directory…

Interesting! Let’s do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?

Which of these keys is most useful to us?

Copy this file to a different location on your local machine, and change the permissions to “600” using “chmod 600 [file]”.

Assuming we were right about what type of directory this is, we can pretty easily work out the name of the user this key corresponds to.

Can we log into the machine using ssh -i <key-file> <username>@<ip>? (Y/N)

First, change directory to the mount point on your machine, where the NFS share should still be mounted, and then into the user’s home directory.

Download the bash executable to your Downloads directory. Then use “cp ~/Downloads/bash .” to copy the bash executable to the NFS share. The copied bash shell must be owned by a root user; you can set this using “sudo chown root bash”.

Now, we’re going to add the SUID bit permission to the bash executable we just copied to the share using “sudo chmod +[permission] bash”. What letter do we use to set the SUID bit using chmod?

Let’s do a sanity check: check the permissions of the “bash” executable using “ls -la bash”. What does the permission set look like? Make sure that it ends with -sr-x.

Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Let’s run it with “./bash -p”. The -p persists the permissions, so that it can run as root with SUID, as otherwise bash will sometimes drop the permissions.

Great! If all’s gone well you should have a shell as root! What’s the root flag?

SMTP tasks

What does SMTP stand for?

What does SMTP handle the sending of? (answer in plural)

What is the first step in the SMTP process?

What is the default SMTP port?

Where does the SMTP server send the email if the recipient’s server is not available?

On what server does the email ultimately end up?

Can a Linux machine run an SMTP server? (Y/N)

Can a Windows machine run an SMTP server? (Y/N)

First, let’s run a port scan against the target machine, same as last time. What port is SMTP running on?

Okay, now we know what port we should be targeting, let’s start up Metasploit. What command do we use to do this?

If you would like some more help or practice using Metasploit, TryHackMe has a module on Metasploit that you can check out here: https://tryhackme.com/module/metasploit

Let’s search for the module “smtp_version”. What’s its full module name?

Great, now select the module and list the options. How do we do this?

Have a look through the options, does everything seem correct? What is the option we need to set?

Set that to the correct value for your target machine. Then run the exploit. What’s the system mail name?

What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

Good! We’ve now got a good amount of information on the target system to move onto the next stage. Let’s search for the module “smtp_enum”. What’s its full module name?

We’re going to be using the “top-usernames-shortlist.txt” wordlist from the Usernames subsection of SecLists (/usr/share/wordlists/SecLists/Usernames if you have it installed).

SecLists is an amazing collection of wordlists. If you’re running Kali or Parrot you can install SecLists with “sudo apt install seclists”. Alternatively, you can clone the SecLists repository directly.

What option do we need to set to the wordlist’s path?

Once we’ve set this option, what is the other essential parameter we need to set?

Now, run the exploit. This may take a few minutes, so grab a cup of tea, coffee, water. Keep yourself hydrated!

Okay! Now that’s finished, what username is returned?

What is the password of the user we found during our enumeration stage?

Great! Now, let’s SSH into the server as the user. What are the contents of smtp.txt?
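The smtp_version and smtp_enum modules used in these tasks boil down to reading the server's 220 banner and sending VRFY for each candidate name. This added Python example (not the room's code and not Metasploit's) reproduces that exchange against a fake server so it runs offline; the server, its account list, the banner and the wordlist are all constructed, and the reply texts follow the Postfix style without belonging to any real host.

```python
"""Added example, not code from the TryHackMe room or the video: the exchange
that smtp_version and smtp_enum perform, reproduced against a fake server so it
runs offline. The server, its account list, the banner and the wordlist are all
constructed; reply texts follow the Postfix style but belong to no real host.
"""
import re

LOCAL_USERS = {"root", "postmaster", "alice"}             # constructed account list
BANNER = "220 mail.example.test ESMTP Postfix (Ubuntu)"   # constructed greeting


def fake_smtp_server(command, vrfy_enabled=True):
    """Answer one client command the way a Postfix server typically replies."""
    verb, _, arg = command.strip().partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        return "250 mail.example.test"
    if verb == "VRFY":
        if not vrfy_enabled:
            return "502 5.5.1 VRFY command is disabled"
        if arg in LOCAL_USERS:
            return f"252 2.0.0 {arg}"
        return f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown in local recipient table"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "500 5.5.2 Error: command not recognized"


def classify_reply(reply):
    """What an enumerator learns from a VRFY reply code (RFC 5321 semantics)."""
    code = int(reply[:3])
    if code in (250, 251, 252):   # 252: cannot verify but will accept mail; still a hit
        return "valid"
    if code == 550:
        return "unknown"
    if code in (500, 502):
        return "vrfy-disabled"
    return "other"


BANNER_RE = re.compile(r"^220\s+(\S+)\s*(?:ESMTP\s+)?(.*)$")


def parse_banner(banner):
    """Split a 220 greeting into (system mail name, software string), as smtp_version reports it."""
    m = BANNER_RE.match(banner)
    if not m:
        raise ValueError("not a 220 greeting")
    return m.group(1), m.group(2).strip()


def smtp_enum(send, wordlist):
    """Drive a send(command) -> reply callable through a wordlist, as smtp_enum does with VRFY.

    Returns (usernames found, full transcript of (command, reply) pairs).
    """
    transcript = [("EHLO enumerator", send("EHLO enumerator"))]
    found = []
    for user in wordlist:
        cmd = f"VRFY {user}"
        reply = send(cmd)
        transcript.append((cmd, reply))
        verdict = classify_reply(reply)
        if verdict == "vrfy-disabled":
            break          # real tools fall back to EXPN or RCPT TO here
        if verdict == "valid":
            found.append(user)
    transcript.append(("QUIT", send("QUIT")))
    return found, transcript


if __name__ == "__main__":
    print(parse_banner(BANNER))
    users, log = smtp_enum(fake_smtp_server, ["admin", "root", "alice", "bob"])
    for cmd, reply in log:
        print(f"C: {cmd}\nS: {reply}")
    print("valid users:", users)
```

A 502 on the first VRFY means the MTA has switched the command off (in Postfix, disable_vrfy_command = yes), which is also the defensive fix; smtp_enum then falls back to EXPN and RCPT TO, so those need restricting as well before user enumeration is actually closed.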

MySQL tasks

What type of software is MySQL?

What language is MySQL based on?

What communication model does MySQL use?

What is a common application of MySQL?

What major social network uses MySQL as their back-end database? This will require further research.

As always, let’s start out with a port scan, so we know what port the service we’re trying to attack is running on. What port is MySQL using?

Good, now we think we have a set of credentials. Let’s double check that by manually connecting to the MySQL server. We can do this using the command “mysql -h [IP] -u [username] -p”.

Okay, we know that our login credentials work. Let’s quit out of this session with “exit” and launch Metasploit.

We’re going to be using the “mysql_sql” module.

Search for, select and list the options it needs. What three options do we need to set? (in descending order)

Run the exploit. By default it will test with the “select version()” command. What result does this give you?

Great! We know that our exploit is landing as planned. Let’s try to gain some more ambitious information. Change the “sql” option to “show databases”. How many databases are returned?

First, let’s search for and select the “mysql_schemadump” module. What’s the module’s full name?

Great! Now, you’ve done this a few times by now, so I’ll let you take it from here. Set the relevant options, run the exploit. What’s the name of the last table that gets dumped?

Awesome, you have now dumped the tables and column names of the whole database. But we can do one better: search for and select the “mysql_hashdump” module. What’s the module’s full name?

Again, I’ll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?

Another user! And we have their password hash. This could be very interesting. Copy the hash string in full, like bob:*HASH, to a text file on your local machine called “hash.txt”.

What is the user/hash combination string?

Now, we need to crack the password! Let’s try John the Ripper against it using “john hash.txt”. What is the password of the user we found?

Awesome. Password reuse is not only extremely dangerous, but extremely common. What are the chances that this user has reused their password for a different service?

What’s the contents of MySQL.txt?
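The hash that mysql_hashdump prints and John cracks in these tasks is MySQL's mysql_native_password value: a “*” followed by SHA1(SHA1(password)) in upper-case hex. This added Python example (not the room's code, and not the room's hash) reconstructs that computation, parses a hash.txt line the way John's auto-detection does, and runs a wordlist attack against a constructed entry; the user name, password and wordlist are all made up for the demo.

```python
"""Added example, not code from the TryHackMe room or the video: what a
mysql_hashdump line contains and what John the Ripper does with it. The user
name, password and wordlist below are constructed; the room's real hash is not
reproduced.
"""
import hashlib

HEX = set("0123456789abcdefABCDEF")


def mysql_native_password(password):
    """MySQL 4.1+ PASSWORD(): '*' followed by upper-case hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()   # raw 20 bytes, not hex
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_hashdump_line(line):
    """Split 'user:hash' (the form mysql_hashdump prints and John reads) and name the format."""
    user, sep, hashval = line.strip().partition(":")
    if not sep or not user:
        raise ValueError("expected user:hash")
    if len(hashval) == 41 and hashval[0] == "*" and set(hashval[1:]) <= HEX:
        fmt = "mysql-sha1"          # mysql_native_password; John's --format=mysql-sha1
    elif len(hashval) == 16 and set(hashval) <= HEX:
        fmt = "mysql"               # pre-4.1 hash; John's --format=mysql
    elif hashval.startswith("$A$"):
        fmt = "caching_sha2"        # MySQL 8 default plugin; needs a different cracker format
    else:
        fmt = "unknown"
    return user, hashval, fmt


def crack(hashval, wordlist):
    """Wordlist attack on a mysql-sha1 hash; returns the matching password or None."""
    target = hashval.upper()
    for candidate in wordlist:
        if mysql_native_password(candidate) == target:
            return candidate
    return None


# Constructed hash.txt contents; the plaintext is chosen here only to build the demo.
SAMPLE_HASH_LINE = "appuser:" + mysql_native_password("Winter2020!")
SAMPLE_WORDLIST = ["password", "123456", "letmein", "Winter2020!", "qwerty"]


if __name__ == "__main__":
    user, hashval, fmt = parse_hashdump_line(SAMPLE_HASH_LINE)
    print(user, hashval, fmt)
    print("cracked:", crack(hashval, SAMPLE_WORDLIST))
```

John recognises the “*” plus 40 hex characters form as mysql-sha1 on its own, so “john hash.txt” works; if auto-detection picks another format, pass --format=mysql-sha1 explicitly. Against a MySQL 8 server the default plugin is caching_sha2_password, whose authentication_string values start with $A$005$ and are not cracked as mysql-sha1.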

 


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
