Shares is a Windows machine hosted by CyberSecLabs. Let's dive in and start with a port scan.
Using the nfs-showmount script provided by nmap, we can see the share.
We can mount the share and check its content as follows.
The directory that interests us is .ssh. In there we can find a backup of id_rsa. Using ssh2john and JtR we can crack it.
The only problem is that the initial scan did not find the SSH port, so let's do a full-range port scan.
SSH is running on port 27853. Time to log in.
Doing a little bit of enumeration, we can see there is another user on the machine and we can execute python3 as that user.
In order to switch to the second user, I made a simple script that would prompt a shell.
It seems we can run ssh as root. Using GTFOBins we can spawn a root shell with the following command:
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
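From the defender's side, both privilege steps above depend on sudoers rules that grant a binary able to start a shell (python3 as the second user, ssh as root). The following is an added example, not part of the original writeup, that audits sudoers-style text for such grants; the sample rules, the user names and the RISKY set are constructed for illustration.

```python
import os
import re

# Binaries the writeup shows being used to get a shell through sudo.
# Assumption: a real audit would extend this set from GTFOBins.
RISKY = {"python3", "ssh"}

# user host = (runas) [TAG:] command, command, ...
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...

# Constructed sample; user names are hypothetical.
SAMPLE = """\
# sudoers excerpt (constructed)
Defaults env_reset
alice ALL=(bob) NOPASSWD: /usr/bin/python3
bob   ALL=(root) NOPASSWD: /usr/bin/ssh, \\
      /usr/bin/uptime
carol ALL=(ALL) /usr/bin/uptime
"""

def audit_sudoers(text):
    """Return (user, runas, command) for every grant of a RISKY binary."""
    findings = []
    joined = re.sub(r"\\\n\s*", " ", text)  # fold line continuations
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        if "_Alias" in line.split()[0]:  # alias definitions are not grants
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").strip()  # sudo defaults to root
        for cmd in m.group("cmds").split(","):
            cmd = TAG.sub("", cmd.strip())
            if cmd and os.path.basename(cmd.split()[0]) in RISKY:
                findings.append((m.group("who"), runas, cmd))
    return findings

if __name__ == "__main__":
    for who, runas, cmd in audit_sudoers(SAMPLE):
        print(f"{who} may run {cmd} as {runas}: shell-capable binary")
```

Each finding is a rule to remove or replace with a narrowly scoped wrapper, since a binary that can start a shell gives the caller the full privileges of the run-as user.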
And you have successfully rooted the machine! I hope you enjoyed this room and you’ve learned something new.