https://tryhackme.com/room/corgi

Pwned Date - 27th September 2022

Lesson Learnt

Enumeration

PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ff:95:7b:01:be:e9:07:fb:94:35:f3:04:33:85:58:85 (RSA)
|   256 f2:9b:c2:96:66:21:e6:f8:bb:a5:ee:9b:90:b8:bc:f1 (ECDSA)
|_  256 fa:49:29:e3:f0:85:ff:e6:16:87:52:76:b1:75:3f:8e (ED25519)
80/tcp    open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      35068/udp6  mountd
|   100005  1,2,3      40831/tcp6  mountd
|   100005  1,2,3      47519/udp   mountd
|   100005  1,2,3      57959/tcp   mountd
|   100021  1,3,4      38091/tcp   nlockmgr
|   100021  1,3,4      41049/udp6  nlockmgr
|   100021  1,3,4      46391/tcp6  nlockmgr
|   100021  1,3,4      47967/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
443/tcp   open  http     Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
2049/tcp  open  nfs_acl  3 (RPC #100227)
3306/tcp  open  mysql    MySQL 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
|   Thread ID: 93
|   Capabilities flags: 63487
|   Some Capabilities: SupportsTransactions, SupportsLoadDataLocal, Speaks41ProtocolOld, SupportsCompression, Support41Auth, FoundRows, IgnoreSigpipes, ODBCClient, InteractiveClient, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, LongPassword, ConnectWithDatabase, LongColumnFlag, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: RKa)E`3y/v,r~@dV`cM9
|_  Auth Plugin Name: mysql_native_password
35751/tcp open  mountd   1-3 (RPC #100005)
38091/tcp open  nlockmgr 1-4 (RPC #100021)
56219/tcp open  mountd   1-3 (RPC #100005)
57959/tcp open  mountd   1-3 (RPC #100005)
Service Info: Host: 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NFS is running on port 2049. Network File System (NFS) allows remote hosts to mount file systems or directories over a network: an NFS server exports a directory, and a remote Linux machine can then mount it. This lets data be shared centrally with all the machines on the network.

10.150.150.134 FullMounty

Enumerating Port 2049 NFS

showmount -e 10.10.62.168
┌──(kali㉿kali)-[~]
└─$ showmount -e 10.10.62.168
Export list for 10.10.62.168:
/images/dev *
/images     *

Now we know there are two exported directories that can be mounted. Next we create temporary folders under /mnt/ on our machine and mount the target's exports onto them.

sudo mkdir /mnt/images && sudo mkdir /mnt/images/dev
sudo mount -v -t  nfs  -o vers=3,proto=tcp,nolock 10.10.62.168:/images/dev /mnt/images/dev
sudo mount -v -t  nfs  -o vers=3,proto=tcp,nolock 10.10.62.168:/images /mnt/images
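Added example (not part of the original write-up): a small Python audit that parses the `showmount -e` listing shown above and, on the server side, an /etc/exports file, flagging exports that any host may mount (a bare `*` client spec) and options such as no_root_squash. The sample inputs are constructed for this example; the /backup entry and the /etc/exports contents are illustrative and not taken from the target.

```python
import re

# Constructed sample in the shape `showmount -e` prints (path, client spec).
SHOWMOUNT_OUTPUT = """Export list for 10.10.62.168:
/images/dev *
/images     *
/backup     10.10.0.0/16
"""

# Constructed sample /etc/exports for the server side; entries are illustrative.
EXPORTS_FILE = """# /etc/exports (constructed)
/images     *(rw,sync,no_root_squash)
/images/dev *(rw,sync)
/backup     10.10.0.0/16(ro,sync,root_squash)
"""

# no_root_squash keeps a remote root as root on the export; insecure accepts non-privileged ports.
RISKY_OPTIONS = {"no_root_squash", "insecure"}


def parse_exports(text):
    """Return [(path, client, set(options))] from /etc/exports syntax or from
    `showmount -e` output; lines not starting with '/' (headers, comments) are
    skipped, and a client spec without '(...)' yields an empty option set."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("/"):
            continue
        path, rest = (line.split(None, 1) + ["*"])[:2]  # bare path: exported to everyone
        for spec in rest.split():
            m = re.match(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"  # "(opts)" with no host applies to all hosts
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, client, opts))
    return entries


def world_mountable(text):
    """Export paths any host may mount (client spec is a bare '*')."""
    return [path for path, client, _ in parse_exports(text) if client == "*"]


def audit_exports(text):
    """(path, client, reason) findings for world-writable or risky-option exports."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*" and "rw" in opts:
            findings.append((path, client, "world-writable export"))
        for opt in sorted(opts & RISKY_OPTIONS):
            findings.append((path, client, f"risky option {opt}"))
    return findings
```

Run against the client-side listing only `world_mountable` is meaningful, since `showmount` does not reveal export options; the option checks need the server's /etc/exports.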

Navigating to our local /mnt/images

┌──(kali㉿kali)-[/mnt/images]
└─$ ls -la
total 16
drwxrwxrwx 4 1001 root 4096 May 24  2021 .
drwxr-xr-x 3 root root 4096 Sep 20 11:23 ..
drwxrwxrwx 3 1001 root 4096 May 24  2021 dev
-rwxrwxrwx 1 1001 root    0 May 24  2021 .mntcheck
drwxrwxrwx 2 1001 root 4096 May 24  2021 postdownloadscripts

Checking /mnt/images/dev/postinitscripts/fog.postinit