Tips for an Information Security Analyst/Pentester career - Ep. 39: NFS shares
When we covered NSE (the Nmap Scripting Engine), I performed an analysis of our Ubuntu target.
By using the nfs-ls script, I found a share called export/georgia, accessible to everyone.
This share contained a hidden folder called .ssh, which is a very juicy piece of information.
That folder normally holds an SSH public and private key pair, which allows logging in to a server securely over SSH without a password.
As a matter of fact, this is our case, too.
Though we don't know the password for user georgia, we should be able to steal her keys and authenticate through them.
Steps
a) Mount the share to Kali
We first create a directory called /tmp/georgia, where we mount the share to our Kali attacking machine through the command: mount -t nfs 192.168.1.95:/export/georgia /tmp/georgia
Analyzing the contents of this new directory, we see the public and private key pair for user georgia.
b) Copy the keys locally
At this point, we can copy those keys over to Kali's /root/.ssh directory.
Next, we add a new identity for ourselves (ssh-add).
NOTE: This must be done from /root/.ssh, otherwise we won't succeed.
Now, let's attempt to SSH to Ubuntu.
We'll be prompted to confirm that we want to continue connecting, because the authenticity of the host can't be established.
Simply enter yes (this isn't shown in the video, because I had attempted a connection before and, once you answer that way, that prompt isn't displayed anymore).
We're in. Since we don't know georgia's password, we can't elevate to root, but we can still perform some operations.
I was able to view a file called financial_information.txt, for example.
Wrap-up
Shares are very handy for collaboration purposes, but they have to be properly configured, otherwise they can open a backdoor in your network.
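A check for the misconfiguration behind this episode, added here as an example and not part of the original post: it parses /etc/exports text on the NFS server and flags entries exported to every host. The function names and the client address 192.168.1.50 are made up for illustration, and the script goes slightly beyond the episode by also flagging world-writable entries and no_root_squash.

```python
import re

# Constructed sample /etc/exports lines. WEAK mirrors the article's share,
# exported to every host; FIXED limits it to one made-up client, read-only.
WEAK = "/export/georgia *(rw,sync,no_subtree_check)\n"
FIXED = "/export/georgia 192.168.1.50(ro,sync,root_squash,no_subtree_check)\n"

# Client fields that match any host: empty (no client named), "*", or a /0 net.
WORLD = {"", "*", "0.0.0.0/0", "::/0"}


def parse_exports(text):
    """Yield (path, client, options) per client entry in exports(5) text.

    Simplifications: quoted paths with spaces and line-default option
    lists ("-opt,opt") are not interpreted.
    """
    text = re.sub(r"\\\n", " ", text)            # join continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # strip comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or [""]:               # no client listed = any host
            if spec.startswith("-"):             # line-default options: skipped
                continue
            m = re.fullmatch(r"([^()]*)(?:\(([^)]*)\))?", spec)
            if m:
                opts = set(filter(None, (m.group(2) or "").split(",")))
                yield path, m.group(1), opts


def audit_exports(text):
    """Return (path, client, issue) tuples for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        who = client or "<any>"
        if client in WORLD:
            findings.append((path, who, "exported to every host"))
            if "rw" in opts:
                findings.append((path, who, "writable by every host"))
        if "no_root_squash" in opts:
            findings.append((path, who, "no_root_squash set"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_exports(text))
```

On a real server, pass the contents of /etc/exports to audit_exports(); an empty list means none of these three conditions were found.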