FULLMOUNTY
OS = Linux
Difficulty = Easy
Nmap scan
Enumerating the other ports gives nothing, I guess 🧐.
Let's move on to NFS.
You can learn more about NFS enumeration here.
So let's list the shares and mount the export:
mkdir /tmp/mount
showmount -e 10.150.150.134
sudo mount -t nfs -o vers=3 10.150.150.134:/srv/exportnfs /tmp/mount/ -o nolock
From the result we have an SSH private key, which can be used for SSHing into the box 🔥
Reading the public key id_rsa.pub gives us a user, deadbeef.
Let's set the permissions on the SSH key file (ssh refuses a private key that other users can read):
chmod 600 id_rsa
Then log in:
ssh -i id_rsa deadbeef@10.150.150.134
And yeah we have the user flag 😎😎.
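Seen from the defender's side, the foothold above is an NFS export that any host can mount, with a private key stored inside it. The Python sketch below is an added example, not part of the original write-up: it audits exports(5) text for world-open client specs and weakening options, and sweeps an exported directory for private key headers. The sample exports lines and their options are constructed assumptions; the write-up does not show the server's real /etc/exports.

```python
import os
import re

WORLD = {"", "*", "0.0.0.0/0", "::/0"}   # client specs that match any host
RISKY = {"no_root_squash", "insecure"}   # real exports(5) options that weaken an export
KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )?PRIVATE KEY-----")

def parse_exports(text):
    """Yield (path, client, options) for each client entry of exports(5) text."""
    # Simplification: quoted paths, line continuations and "-opts" defaults are not handled.
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            client, _, opts = entry.partition("(")
            yield path, client, set(filter(None, opts.rstrip(")").split(",")))

def audit_exports(text):
    """Return findings as (path, client, reason) tuples."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client in WORLD:
            findings.append((path, client or "*", "exported to any host"))
        for opt in sorted(opts & RISKY):
            findings.append((path, client or "*", f"option {opt}"))
    return findings

def find_private_keys(root):
    """Return files under root whose first 4 KiB contain a private key header."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue  # skip FIFOs, sockets and dangling links
            try:
                with open(full, "rb") as fh:
                    if KEY_HEADER.search(fh.read(4096)):
                        hits.append(full)
            except OSError:
                continue  # unreadable file: keep sweeping
    return sorted(hits)

SAMPLE_EXPORTS = (  # constructed sample; options are assumed, not from the write-up
    "/srv/exportnfs  *(rw,sync,no_root_squash)\n"
    "/srv/backups    192.0.2.10(ro,sync,root_squash)\n"
)
```

Run audit_exports on the server's own /etc/exports content and find_private_keys on each exported path; any hit from the second function inside a world-open export is the condition this box was built around.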
Privilege escalation
The kernel version is vulnerable to the Dirty COW exploit.
To confirm that, run uname -a.
Also, for you to be able to exploit it, you need to compile the exploit on an Ubuntu machine with the same kernel version😪.
Doing that, I was able to escalate privilege successfully.
Thanks.