[CSL] Shares

Shares is a Windows machine hosted by CyberSecLabs. Let's dive in and start with a port scan.

Initial Nmap scan

Using the nfs-showmount script provided by Nmap, we can see the exported share.

Nmap show mount

We can mount the share and check its content as follows.

Mounting the share

The directory that interests us is .ssh. In there we can find a backup of id_rsa. Using ssh2john and John the Ripper (JtR) we can crack its passphrase.

Cracking the SSH key

The only problem is that the initial scan did not find the SSH port, so let's do a full-range port scan.

Full range port scan

The full scan shows SSH running on port 27853. Time to log in.

Logging in

With a little enumeration we can see that there is another user on the machine, and that we can execute pkexec and python3 as that user.

Enumeration

In order to switch to the second user I made a simple script that would prompt a shell.

Switching the user

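It seems we can run ssh as root. Using GTFOBins we can spawn a root shell with the following command: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x. This works because ssh hands the ProxyCommand string to a shell before it connects anywhere, and under sudo that shell runs as root.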

Privilege escalation
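Both escalation steps above come from sudo rules that allow a shell-capable binary with no argument restriction. The following audit is an added example, not part of the original write-up: it parses `sudo -l` output and flags such rules. The sample output, the user names alice and bob, and the short binary list (limited to the tools named on this page) are assumptions.

```python
import re

# Binaries this write-up runs through sudo; each can hand its caller a shell.
# Assumption: a real audit would use a fuller list (e.g. derived from GTFOBins).
SHELL_CAPABLE = {"ssh", "python3", "pkexec"}

# Constructed `sudo -l` output; user and host names are placeholders.
SAMPLE = """\
User alice may run the following commands on shares:
    (bob) NOPASSWD: /usr/bin/pkexec, /usr/bin/python3
    (root) NOPASSWD: /usr/bin/ssh
    (root) /usr/bin/systemctl status nfs-server
"""

# "(runas) [TAG: ...] command[, command...]"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def audit(sudo_l_output):
    """Return (run_as_user, command_path, nopasswd) for each risky rule."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header or blank line
        runas = m.group("runas").split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            path = parts[0]
            name = path.rsplit("/", 1)[-1]
            # In sudoers, a command listed without arguments accepts ANY
            # arguments, which is what lets options such as ProxyCommand in.
            any_args = len(parts) == 1
            if path == "ALL" or (name in SHELL_CAPABLE and any_args):
                findings.append((runas, path, nopasswd))
    return findings

if __name__ == "__main__":
    for runas, path, nopasswd in audit(SAMPLE):
        note = " without a password" if nopasswd else ""
        print(f"risky: {path} runs as {runas}{note}")
```

Rules it flags should be removed or replaced with a wrapper that takes no caller-controlled arguments.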

And you have successfully rooted the machine! I hope you enjoyed this room and you’ve learned something new.