Start scanning the host for open ports with nmap
Nmap –T4 –A –p- 192.168.1.19 –vv


There are a mounted ports where we can check for mounted drives on the host by running showmount –e

Now lets create a mounted folder on our machine and mount it to /tmp

It gave us a Permission denied … googling it came with something called root squashing , so lets try something else like brute forcing ssh, lets first enumerate usernames

Using ssh enumeration with /usr/share/metasploit-framework/data/wordlists/http_default_users.txt for usernames got three hits with root – user – sys
Then brute foce ssh : hydra -l user -P /root/pass/rockyou.txt ssh://192.168.1.19 –t 4

Got in and viewing /etc/passwd we can see the user vulnix with his GID and UID, now back to our machine and creating new user vulnix with : adduser –u 2008 vulnix , then generating ssh keys and copying it to /tmp/vulnix/.ssh


Logging to ssh using ssh vulnix@192.168.1.19

And running sudo –l give us this :

Then edit the file to look like this

Restart the host (VM) so the changes take place and then follow the steps we did with mounting the vulnix user on our machine to access the root directory :
Cd /tmp
Mkdir root
Mount –t nfs 192.168.1.19:/root /tmp/root
Cd /tmp/root
Ls
Cat trophy.txt
