March 24, 2017 Karn Ganeshen

Metasploitable – Exploiting nfs

root@kali:~# nmap -sV -n -p 2049 -sC


We now need to identify the directories available for export / mounting. Use the showmount command:

Let’s create a mount point and mount the root (/) of the target.

Successfully mounted!

Well, let’s get the shadow file.

We can start cracking the password hashes offline. Meanwhile, let’s get the SSH keys first for quick and easy access.

1. Get msfadmin’s private key

2. Add the msfadmin’s public key to known_hosts in /root/.ssh/ file.

3. Use msfadmin’s private key and get direct ssh access as root.

Note that we can also simply add our own public key to the known_hosts file and SSH in as root. However, from a pentest / red team perspective, this can raise a flag. It is better to (re-)use the existing user’s (msfadmin) key to avoid getting detected.
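The walkthrough works because the Metasploitable NFS server exports the whole root filesystem to every host with root squashing off. The following Python script is an added example (not from the original post) that audits an exports(5) file for exactly those conditions; the sample exports file, network and host names in it are constructed.

```python
"""Audit an exports(5) file for the misconfigurations abused above."""
import sys
from dataclasses import dataclass

# Constructed sample modelled on the Metasploitable default: the whole root
# filesystem is exported to every host with root squashing disabled.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample, not copied from any real host)
/           *(rw,sync,no_root_squash)
/home       192.168.56.0/24(rw,sync,root_squash)
/srv/data   nfsclient.example.test(ro,sync)   *(rw)
"""


@dataclass
class Finding:
    path: str
    client: str
    reason: str


def parse_exports(text):
    """Return (path, client, options) triples, one per client on each line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            # "host(opts)" -> host; a bare "(opts)" token means every host
            client, sep, opts = token.partition("(")
            options = opts.rstrip(")").split(",") if sep else []
            entries.append((path, client or "*", options))
    return entries


def audit_exports(text):
    """Flag the three conditions that made the walkthrough above possible."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append(Finding(path, client, "mountable from any host"))
        if "no_root_squash" in opts:
            findings.append(Finding(path, client, "no_root_squash: remote uid 0 "
                            "is honoured, so /etc/shadow and ~/.ssh are exposed"))
        if path == "/":
            findings.append(Finding(path, client, "root filesystem exported; "
                            "export only the data directories clients need"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for f in audit_exports(text):
        print(f"{f.path} -> {f.client}: {f.reason}")
```

Run it against a copy of a server's /etc/exports; an empty result means every export is host-restricted, root-squashed and does not expose /.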

