
How to get on the Box

sudo nmap -p- --min-rate 10000 -T5 -sS -oA nmap/allports -v $IP

This runs nmap on all 65535 TCP ports at a very high packet rate (only recommended for training boxes), with the most aggressive timing template (-T5 waits 0.3 seconds per probe, -T0 waits 5 minutes, -T3 is the default), as a SYN scan (-sS, half-open; it needs root, hence sudo; -sT is a full TCP connect scan and the default when not root), with verbose output (-v), and writes the result in all output formats (-oA: .nmap, .gnmap and .xml) to nmap/allports.

sudo nmap -sC -sV -oA nmap/$BOXNAME -p $OPEN,$PORTS -v $IP

This runs nmap only against the open ports found above (for example 22,80, passed with -p) with -sC (the default NSE script set), -sV (service and version detection) and verbose output (-v), and writes the result in all formats (-oA) to nmap/$BOXNAME.
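Copying the open ports from the first scan into $OPEN by hand is error-prone. As an added example (not part of the original notes), this POSIX shell function pulls the open ports out of the .gnmap file that -oA writes. The file name nmap/allports.gnmap follows from the first command; the .gnmap content below is constructed to mirror nmap's grepable format, and a single target host per file is assumed.

```shell
#!/bin/sh
# Added example: build the $OPEN port list for the targeted scan from the
# grepable output (nmap/allports.gnmap) written by -oA. Assumes one target
# host per file, which matches the one-box workflow in these notes.

open_ports() {
    # $1: path to a .gnmap file. Prints the open ports as "22,80,445";
    # filtered and closed entries are skipped.
    awk -F'Ports: ' '/^Host:/ && NF > 1 {
        n = split($2, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")              # port/state/proto/...
            if (f[2] == "open") {
                sep = (ports == "") ? "" : ","
                ports = ports sep f[1]
            }
        }
    } END { print ports }' "$1"
}

write_sample_gnmap() {
    # Writes a constructed .gnmap file (tabs are the real field separators in
    # this format) and prints its path.
    f=$(mktemp)
    printf '%s\n' '# Nmap scan initiated as: nmap -p- --min-rate 10000 -T5 -sS -oA nmap/allports -v 10.10.10.10' > "$f"
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n' >> "$f"
    printf 'Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65531)\n' >> "$f"
    printf '%s\n' '# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds' >> "$f"
    echo "$f"
}

# Demo on the constructed file. On a real box:
#   OPEN=$(open_ports nmap/allports.gnmap)
sample=$(write_sample_gnmap)
echo "open ports: $(open_ports "$sample")"   # open ports: 22,80,445
rm -f "$sample"
```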

If SMB was found (ports 139 and 445), an enum4linux -a $IP scan could reveal more information. Enumerate SMB shares and users with nmap:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP

List shares (anonymous session):

smbclient -U Anonymous -L $IP

Access the share without mount:

smbclient //$IP/share -U Anonymous

For NFS this is the way to go. Easy way to show all exports of a host:

showmount -e $IP

Enumerate NFS shares with nmap:

# rpcbind port required
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP

To mount an NFS share:

mkdir dir
sudo mount -t nfs $IP:/share ./dir -o nolock

Check if the victim can reach the attacker (listen for the ping on the VPN interface):

attacker: sudo tcpdump ip proto \\icmp -i tun0
victim: ping $IP -c 1
