Sunday, September 2, 2018
Vulnix
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Vulnix.
- According to Vulnix's author there is a trophy hidden in the /root folder.
- Vulnix can be downloaded from here:
https://www.vulnhub.com/entry/hacklab-vulnix,48/
- Once downloaded and extracted with VMware:
2 - ENUMERATION
- Using netdiscover to find the vulnerable machine's IP:
- Scanning with Nmap we find that there are a lot of open services available:
2.1 - Enumerating rpcbind
- rpcbind maps RPC services to the ports on which they listen, redirecting a client to the proper port number so it can communicate with the requested service.
- rpcinfo with option -p shows that there is an NFS (Network File System) server running on Vulnix at port 2049:
2.2 - Enumerating NFS
- The NFS protocol was developed for sharing files and folders between systems: a local file system is exported over the network and remote hosts mount it and interact with it as if it were a local file system.
- showmount shows mount information for the NFS server, with option -e for the export list:
- So the NFS service shares the files located at /home/vulnix, and the export can be mounted from any host.
- By the way, we also learn of the existence of a user called vulnix.
2.3 - Enumerating SMTP
- Trying to find some info using Metasploit against the SMTP server:
- Same thing with telnet:
2.4 - Enumerating finger
- At port 79 the service finger gives information about the users, for instance:
- Note that all users have /bin/bash as their default shell.
3 - EXPLOITATION
3.1 - Low privilege shell with SSH
- Let's launch Hydra against the SSH service with a list of users and the wordlist rockyou.txt for passwords:
- Now we can successfully log into Vulnix using the credentials user:letmein.
- However, this is a low-privilege shell and we cannot access the shared home folder of vulnix:
- Nor is the account user a sudoer:
3.2 - User vulnix
- Let's find more info about the user vulnix; for instance, its UID is 2008:
- Now let's mount the remote /home/vulnix at /mnt/vulnix on our local machine:
- Also, on Kali let's create a new user called vulnix with the same UID (2008) as the remote one:
- Moreover, let's generate a public/private RSA key pair, with the goal of later logging into the Vulnix machine over SSH as the user vulnix:
- Note that the public key has been saved to /root/.ssh/id_rsa.pub
- Copying the newly created public key id_rsa.pub to the remote /tmp folder:
- Assigning ownership of the key to user vulnix:
- Creating a new folder .ssh at the remote machine:
- Appending the content of the key to the authorized_keys file, which lists the SSH public keys accepted for logging into the account it belongs to, vulnix in our case:
- Now we can log into Vulnix as user vulnix without a password, because the public key we added is now authorized:
4 - PRIVILEGE ESCALATION
4.1 - no_root_squash
- Let's start our Privilege Escalation process by checking the vulnix user's sudo permissions:
- It seems that vulnix can run the command sudoedit /etc/exports as root without using any password.
- Checking /etc/exports we notice that /home/vulnix is exported with root_squash, meaning that a client's root user is mapped to an unprivileged user and cannot act as root on the remote server through NFS:
- However, because user vulnix has "sudoediting" privileges over /etc/exports, this can easily be changed to no_root_squash:
- Now, to make these changes effective, Vulnix needs a reboot so that the NFS services restart; let's do it manually:
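As an added defender-side example (not part of the original write-up), here is a small Python checker that parses /etc/exports and flags the two conditions this escalation relied on: an export mountable from any host and the no_root_squash option. The sample export lines are constructed for the example, not copied from the VM.

```python
import re

# Export options that weaken an NFS share. no_root_squash is the one abused in
# section 4.1: a client's uid 0 stays uid 0 on the server, so a SUID-root
# binary written into the share runs as root.
RISKY_OPTIONS = {
    "no_root_squash": "client root is not mapped to an unprivileged user",
    "insecure": "accepts requests from unprivileged source ports",
    "no_subtree_check": "skips the subtree check on a partial-filesystem export",
}
# Client spec: host, netgroup, subnet or wildcard, optionally followed by "(options)".
_CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")

def parse_exports(text):
    """Return [(path, client, [options])] for every client spec in the file text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if not rest:  # no client spec at all: exportfs treats this as "everyone"
            entries.append((path, "*", []))
        for m in _CLIENT_RE.finditer(rest):
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            entries.append((path, m.group(1), opts))
    return entries

def audit_exports(text):
    """Return [(path, client, issue)]; an empty list means nothing was flagged."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":  # mountable from any host, as showmount -e showed
            findings.append((path, client, "wildcard_client"))
        for opt in opts:
            if opt in RISKY_OPTIONS:
                findings.append((path, client, opt))
    return findings

# Constructed samples (not copied from the VM): the export as found, after the
# sudoedit change, and a hardened form; 192.0.2.0/24 is a documentation subnet.
EXPORTS_BEFORE = "/home/vulnix *(rw,root_squash)\n"
EXPORTS_AFTER = "/home/vulnix *(rw,no_root_squash)\n"
EXPORTS_HARDENED = "/home/vulnix 192.0.2.0/24(rw,root_squash,sync)\n"

if __name__ == "__main__":
    for name, text in (("before", EXPORTS_BEFORE), ("after", EXPORTS_AFTER), ("hardened", EXPORTS_HARDENED)):
        print(name, audit_exports(text) or "ok")
```

Run against a real file with `audit_exports(open("/etc/exports").read())`; any finding on a writable export is worth a review, and root_squash is the default when neither option is listed.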
4.2 - Creating a root_shell
- Mounting again the shared folder:
- SSH-ing again at vulnix:
- On the remote machine, copying its local bash binary to a new file victim_shell:
- It immediately shows up in the share on our local machine:
- As expected, victim_shell is owned by user vulnix and carries only that user's permissions:
- Copying content to a new file root_shell:
- Setting root privileges for root_shell:
- Comparing permissions for both shells:
- Executing root_shell with option -p (which keeps the effective user ID instead of dropping it to the caller's real UID), we eventually get a root shell on the vulnerable machine Vulnix:
5 - CAPTURING THE FLAG
- Going to the root folder we find the trophy: