Shares is a Windows machine hosted by CyberSecLabs. Let’s dive in and start with a port scan.

Using the nfs-showmount script provided by nmap, we can see the share.

We can mount the share and check its content as follows.

The directory that interests us is .ssh. In there we can find a backup of id_rsa. Using ssh2john and JtR we can crack it.

The only problem is that the initial scan did not find the SSH port, so let’s do a full-range port scan.

The full scan shows that SSH is running on port 27853. Time to log in.

Doing a little bit of enumeration, we can see there is another user on the machine and we can execute pkexec & python3 as that user.

In order to switch to the second user, I made a simple script that would prompt a shell.

It seems we can run ssh as root. Using GTFOBins we can spawn a root shell with the following command:

sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
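Both privilege jumps above come from sudo rules that allow binaries able to start a shell. The following audit sketch is an added example, not part of the original write-up: it flags such rules in `sudo -l` output. The user names (user1, user2), the NOPASSWD tags and the sample output are constructed assumptions, and the binary list covers only the three programs named on this page.

```python
import os
import re

# Binaries named in this write-up that can start a shell when allowed via sudo.
# Assumption: for a real audit, extend this set from the GTFOBins "sudo" list.
SHELL_CAPABLE = {"ssh", "python3", "pkexec"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<rest>.+)$")  # "(runas) ..."
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")                         # "NOPASSWD: " etc.

def audit_sudo_l(text):
    """Return (runas, command, nopasswd) for each risky rule in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue  # header, Defaults line, or blank
        rest = rule.group("rest")
        tags = TAGS.match(rest)
        nopasswd = bool(tags and "NOPASSWD:" in tags.group(0))
        if tags:
            rest = rest[tags.end():]
        # Simplification: commas escaped inside command arguments are not handled.
        for cmd in (c.strip() for c in rest.split(",")):
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                findings.append((rule.group("runas"), cmd, nopasswd))
    return findings

# Constructed sample: `sudo -l` output for two hypothetical users, concatenated.
SAMPLE = """\
User user1 may run the following commands on shares:
    (user2) NOPASSWD: /usr/bin/pkexec, /usr/bin/python3
    (root) /usr/bin/systemctl status nfs-server

User user2 may run the following commands on shares:
    (root) NOPASSWD: /usr/bin/ssh
"""

if __name__ == "__main__":
    for runas, cmd, nopasswd in audit_sudo_l(SAMPLE):
        note = " without a password" if nopasswd else ""
        print(f"review: {cmd} runnable as {runas}{note}")
```

Any rule this flags should be removed or replaced with a narrowly scoped wrapper, since each of these programs can execute arbitrary commands as the target user.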

And you have successfully rooted the machine! I hope you enjoyed this room and you’ve learned something new.