Date: Mar 23, 2025
Tags: Nmap, Web Exploitation, Privilege Escalation Techniques
192.168.140.216
Nmap
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 03:11 EDT
Nmap scan report for 192.168.140.216
Host is up (0.062s latency).
Not shown: 65526 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
34239/tcp open unknown
42211/tcp open unknown
47845/tcp open unknown
49837/tcp open unknown
50641/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 13.92 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 03:11 EDT
Warning: 192.168.140.216 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.140.216
Host is up (0.071s latency).
Not shown: 65381 open|filtered udp ports (no-response), 148 closed udp ports (port-unreach)
PORT STATE SERVICE
111/udp open rpcbind
2049/udp open nfs
35943/udp open unknown
39538/udp open unknown
47522/udp open unknown
60884/udp open unknown
Nmap done: 1 IP address (1 host up) scanned in 145.23 seconds
└─# nmap -Pn -n $ip -sC -sV -p- --open -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 03:13 EDT
Nmap scan report for 192.168.140.216
Host is up (0.065s latency).
Not shown: 65517 closed tcp ports (reset), 10 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Lunar Studio
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3 2049/udp nfs
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 39538/udp mountd
| 100005 1,2,3 45271/tcp mountd
| 100021 1,3,4 34853/tcp nlockmgr
| 100021 1,3,4 39816/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/udp nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
34853/tcp open nlockmgr 1-4 (RPC #100021)
37339/tcp open mountd 1-3 (RPC #100005)
40115/tcp open mountd 1-3 (RPC #100005)
45271/tcp open mountd 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.65 seconds
2049 (NFS)

Access was denied.

80 (HTTP)

After downloading the site files, we can see their password-verification logic in the PHP file login.php.

[email protected] is the username, and we need to bypass strcmp by adding [] to the password parameter.
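The strcmp bypass above works because of PHP 7's loose handling of a non-string argument. As an added example (not code from the target's login.php; function names and the sample secret are constructed), here is the flawed check beside a hardened version, run against the real password, a wrong password, and the array input that the [] trick produces:

```php
<?php
// Flawed pattern: strcmp() compared with == 0. In PHP 7, passing an
// array (what ?password[]=x decodes to) makes strcmp() emit a warning
// and return NULL, and NULL == 0 is true, so the check is satisfied
// without knowing the password. (PHP 8 throws a TypeError instead,
// which is an unhandled failure rather than a deliberate rejection.)
function flawed_check($password, string $stored): bool
{
    return @strcmp($stored, $password) == 0;
}

// Hardened: reject anything that is not a string, store only a hash,
// and compare with password_verify(), which type-checks its input
// and runs in constant time.
function hardened_check($password, string $storedHash): bool
{
    if (!is_string($password)) {
        return false;            // arrays, null, ints: not a password
    }
    return password_verify($password, $storedHash);
}

$stored     = 'correct horse';                        // constructed secret
$storedHash = password_hash($stored, PASSWORD_DEFAULT);

// Simulated request inputs, including the array trick.
$inputs = [
    'right password' => 'correct horse',
    'wrong password' => 'guess',
    'array trick'    => ['x'],     // what ?password[]=x decodes to
];

foreach ($inputs as $label => $input) {
    printf("%-15s flawed=%s hardened=%s\n",
        $label,
        flawed_check($input, $stored) ? 'ACCEPT' : 'reject',
        hardened_check($input, $storedHash) ? 'ACCEPT' : 'reject');
}
```

On a PHP 7.x interpreter the array input is accepted by flawed_check() and rejected by hardened_check(); the fix is the is_string() guard plus hash comparison, not a different string function.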


After logging in, we can see that the page we land on is the PHP file dashboard, so we check it for any suspicious content.

If the ext parameter is not set, it defaults to .php. However, if ext is specified, that file is included in the current page.

We get remote code execution through access.log (PHP written into the log is executed when the file is included), so we can now use a reverse shell.

We then found liam's SSH key in /opt, so we can log in as liam.

We run linpeas.sh to look for any information we can use.



We use the first finding: we already checked that NFS is only allowed for localhost, so we add our IP to the hosts file so that it resolves as localhost.

Since this export is configured with no_root_squash, we can use it for privilege escalation: first we write a C program that spawns bash (or whatever you want) and compile it,

then add the setuid bit (chmod +s) to the file and execute it on the target machine.

Got it.