Elf Applications

Exploiting Application Layer Services

Attacking services always starts with enumeration because we need to understand what services are running and where are they running to begin attacking them. To do that we can use nmap. Some services run on specific ports which makes them easy to identify.

Once we have identified a service we can attack it in the most common ways:

• Exploiting common misconfigurations

• Using publicly available exploits

Sometimes we can find a service version that has a public exploit online, but that should be used as last resort. Instead, we should try to find ways to exploit common misconfigurations.

FTP

NFS

MySQL

In this challenge we are expected to exploit these three services misconfigurations.

First we need to identify them. To do that we do an nmap scan.

We managed to identify the three services on port 21(FTP), port 2049(NFS) and port 3306(MySQL).

This first question has a hint that says "NFS". So we will start by exploiting NFS misconfigurations.

We know NFS is running by looking at the nmap scan, so the next step will be to see if any shares are available:

We can see that we have /opt/files displayed as a share that we can export, so now we can try to mount the share on our system and see its content:

Inside the share we have creds.txt and the answer to our first question. Now we just need to umount it:

Its time to exploit FTP misconfigurations. With FTP we can try to anonymously login, and once in we can download our upload any files, as well as see the contents of the FTP share.

After getting access with anonymous login to the ftp server, we can see the file on port 21 which is the answer to the second question and contains the credentials to login to the mysql database.

Having the mysql credentials we can try to remotely connect to it and enumerate the database to find the password.