## UrchinSec beta testing: MountAndClimb

## Description
This is an official writeup for the challenge "MountAndClimb", which was released during beta testing ([link](https://beta.ctfzone.com)). The challenge was all about blackbox testing: the CTF player was required to abuse a misconfiguration to get initial remote access and find the flag.


## Scanning
Early assessment starts with scanning the target to identify any open ports.

## Enumeration
From scanning we can identify a few open ports, but we will focus on the most interesting ones for now: port 22 (ssh), 80 (http) and 2049 (nfs).
We cannot start from ssh because we have no valid credentials, so our quick enumeration will start with http.
Visiting the website we land on an internal server error; basically there was nothing here.

### Enumerating NFS
Since we saw earlier that port 2049 is open, which means NFS is running, we can start by finding useful information about the shares and anything else exposed by it.
Seeing a backup file, we can try to mount the share and read it as follows.

The file I configured earlier was backup.txt; additional files such as hash.txt, testfile, and a home directory were added by one of the players who was trying to solve it, so we will focus on backup.txt.

We can see that backup.txt contains the hash of user erickalex; we don't know whether the user forgot it there or what.
hash: `erickalex:$y$j9T$jP7Kctb0oUg7iRaNDLXgk/$XwVhc5PAIwcmzlZ/9i6LXXp/SpIkvK3TiabvppXN8O6:20443:0:99999:7:::`
With this hash we can try to crack it with any tool of our choice, but this will not work because I know the password I used is not part of any wordlist, so we will proceed with other enumeration.
Quick googling about enumerating NFS beyond mounting shares turns up some articles explaining the squash options.

When root_squash is disabled (no_root_squash), the root user on the client maintains root privileges on the NFS share, allowing privilege escalation.
Something to note is that `no_root_squash:false` means we can even escalate privileges in this environment. I found this article from nxc [reference](https://www.netexec.wiki/nfs-protocol/enumeration) very useful when dealing with NFS, from mounting to dealing with the squash options.

From the image above we can even list `/`. So from here I avoided putting a user flag and a root flag, because with this misconfiguration on the NFS server you can read anything anyway.
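To make the squash point concrete from the defender's side, here is an added example (my own code, not part of the original writeup or of netexec) that parses an exports(5) file and flags the settings this challenge relies on: `no_root_squash`, shares exported to every host, the root filesystem itself exported, and `insecure`. The exports text below is a constructed sample, not the challenge's real configuration; `hardened_options` shows the corrected option list beside the weak one.

```python
import re

# Constructed sample exports(5) file used only to exercise the audit;
# it is not the challenge's real configuration.
SAMPLE_EXPORTS = """\
# backup share open to every host with root squashing switched off
/srv/backup *(rw,sync,no_subtree_check,no_root_squash)
/home       10.0.0.0/24(rw,sync,root_squash)
/           *(ro,insecure,no_root_squash)
/srv/data   10.0.0.5(rw,sync) 10.0.0.6
"""

# One client token: "host(opt,opt)", "host", or "(opt,opt)" (no host = every host).
CLIENT_RE = re.compile(r'([^\s(]*)(?:\(([^)]*)\))?')


def parse_exports(text):
    """Return (path, client, [options]) triples from exports(5) text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()             # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ['*']    # bare path == all hosts
        for token in clients:
            m = CLIENT_RE.fullmatch(token)
            host = (m.group(1) if m else token) or '*'
            raw_opts = m.group(2) if m and m.group(2) else ''
            opts = [o.strip() for o in raw_opts.split(',') if o.strip()]
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Flag the settings the writeup relies on.  root_squash is the exportfs
    default, so only an explicit no_root_squash turns it off."""
    findings = []
    for path, host, opts in parse_exports(text):
        if 'no_root_squash' in opts:
            findings.append((path, host, 'no_root_squash: client root keeps uid 0 on the share'))
        if host == '*':
            mode = 'rw' if 'rw' in opts else 'ro'
            findings.append((path, host, f'exported to every host ({mode})'))
        if path == '/':
            findings.append((path, host, 'entire root filesystem exported'))
        if 'insecure' in opts:
            findings.append((path, host, 'insecure: requests from unprivileged client ports accepted'))
    return findings


def hardened_options(opts):
    """Corrected option list: squash root and require privileged source ports."""
    fixed = [o for o in opts if o not in ('no_root_squash', 'insecure')]
    if 'root_squash' not in fixed:
        fixed.append('root_squash')
    return fixed


if __name__ == '__main__':
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f'{path:12} {host:12} {issue}')
    for path, host, opts in parse_exports(SAMPLE_EXPORTS):
        if 'no_root_squash' in opts:
            print(f'fix: {path} {host}({",".join(hardened_options(opts))})')
```

Run it against a real `/etc/exports` by reading the file into `audit_exports`; any finding on a share that also allows `rw` is the combination the rest of this writeup abuses.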
## Exploitation
The same site, on a different page [resource](https://www.netexec.wiki/nfs-protocol/download-and-upload-files), explains very well how you can get remote access beyond just reading files: netexec has a mechanism for uploading and downloading files, so we can download the passwd and shadow files, edit them, upload them back and then get remote access.
NB: the steps look like this.
`Step 1: Download shadow file and passwd file`

We have successfully downloaded the files. The next step was to add our own user; there is no need to edit the root user's hash/password (unprofessional).
`Step 2: Update the shadow and passwd file with our user and password hash`

After creating our new user and adding him to the shadow and passwd files, we need to upload them back to the remote server to alter the configuration.
`Step 3: Uploading the altered config back to the remote server`
From here we can use the `--put-file` command to overwrite the shadow and passwd files with the files we updated earlier, as follows.

`Step 4: login with ssh`
To confirm that everything works, we can log in. Remember earlier we saw port 22 (ssh) running? Yes, that was a goldmine mistake; we can use it to log in from here.
creds:
```
username:test
password:newpass
```


With this user you can read any file of your choice as a normal user, even from root-owned locations, but you can't write to root-owned locations with this user. As I said earlier, there is no need to write or change configuration; it's unnecessary.
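The account added in steps 1 to 3 leaves a clear trace on the server: a user that exists in the current `/etc/passwd` and `/etc/shadow` but not in a trusted baseline. The following added example (my own code, not from the original writeup) compares baseline snapshots of both files with the live copies and reports new accounts, changed uids or shells, extra uid 0 accounts, and new or changed password hashes, naming the crypt(3) scheme of each hash (yescrypt `$y$` as on the backup.txt line above, sha512crypt `$6$`, and so on). All four snapshots below are constructed, with placeholder hash bodies; the baselines are assumed to come from a trusted source such as configuration management or a signed image.

```python
# Constructed baseline and current snapshots of /etc/passwd and /etc/shadow.
# The "test" account mirrors the writeup's scenario: an account appended
# through the writable NFS export.  Hash bodies are placeholders, not real.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
erickalex:x:1000:1000::/home/erickalex:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
erickalex:x:1000:1000::/home/erickalex:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
"""
BASELINE_SHADOW = """\
root:*:20443:0:99999:7:::
erickalex:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:20443:0:99999:7:::
"""
CURRENT_SHADOW = """\
root:*:20443:0:99999:7:::
erickalex:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:20443:0:99999:7:::
test:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:20443:0:99999:7:::
"""

HASH_PREFIXES = {
    '$y$': 'yescrypt', '$7$': 'scrypt', '$6$': 'sha512crypt',
    '$5$': 'sha256crypt', '$2b$': 'bcrypt', '$1$': 'md5crypt',
}


def hash_algorithm(field):
    """Name the crypt(3) scheme of a shadow password field."""
    if field in ('', '*', '!', '!!') or field.startswith('!'):
        return 'locked-or-none'
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return 'unknown'


def parse_passwd(text):
    """Map user name -> uid, gid, home, shell from passwd(5) text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(':', 6)
        users[name] = {'uid': int(uid), 'gid': int(gid), 'home': home, 'shell': shell}
    return users


def parse_shadow(text):
    """Map user name -> password field from shadow(5) text."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(':')
            entries[fields[0]] = fields[1]
    return entries


def diff_accounts(base_passwd, cur_passwd, base_shadow, cur_shadow):
    """Compare a trusted baseline with the live files and return
    (kind, user, detail) findings for the changes an attacker would make."""
    bp, cp = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    bs, cs = parse_shadow(base_shadow), parse_shadow(cur_shadow)
    findings = []
    for name, info in cp.items():
        if name not in bp:
            findings.append(('new_account', name, f"uid={info['uid']} shell={info['shell']}"))
        elif info['uid'] != bp[name]['uid'] or info['shell'] != bp[name]['shell']:
            findings.append(('account_changed', name, f"uid={info['uid']} shell={info['shell']}"))
        if info['uid'] == 0 and name != 'root':
            findings.append(('extra_uid0', name, 'second uid 0 account'))
    for name in bp:
        if name not in cp:
            findings.append(('account_removed', name, ''))
    for name, field in cs.items():
        if name not in bs:
            findings.append(('new_hash', name, hash_algorithm(field)))
        elif field != bs[name]:
            findings.append(('hash_changed', name, hash_algorithm(field)))
    for name in cp:
        if name not in cs:
            findings.append(('no_shadow_entry', name, ''))
    return findings


if __name__ == '__main__':
    for kind, user, detail in diff_accounts(BASELINE_PASSWD, CURRENT_PASSWD,
                                            BASELINE_SHADOW, CURRENT_SHADOW):
        print(f'{kind:16} {user:12} {detail}')
```

In practice the same comparison is what a file integrity monitor does for these two files; exporting the directory that holds them with `rw` and `no_root_squash` simply bypasses every local permission check, so the detection has to rely on content, not on ownership.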

### Finding and reading the flag
#### Checking running services
Quick enumeration can start with checking the running services.

Yes, this port was running locally and was not accessible from outside; no need to forward it outside.
#### Enumerating port 8080
Initial analysis of this port starts by querying the headers of the application. We can conclude that this is a simple Python application that will just print the flag when you query it.

flag: `urchinsec{st0p_m0unting_&_g3t_Sh3ll}`
## CONCLUSION
This was one of the simplest and quickest challenges for me to make. Yeah, I know it might sound hard for CTF players at first to get remote access from this stage if no research is made; that's why I rated it hard, but it is total basics.
Hope you enjoyed the idea, `erick alex`.
