Sunday, September 2, 2018

Vulnix


VULNIX

- Layout for this exercise:




1 - INTRODUCTION


- The goal of this exercise is to develop a hacking process for the vulnerable machine Vulnix.

- According to Vulnix's author there is a trophy hidden into the /root folder.

- Vulnix can be downloaded from here:

https://www.vulnhub.com/entry/hacklab-vulnix,48/


- Once downloaded and extracted with VMware:





2 - ENUMERATION

- Using netdiscover to find the vulnerable machine's IP:






- Scanning with Nmap we find that there are a lot of open services available:





2.1 - Enumerating rpcbind

rpcbind maps RPC services to the ports on which they listen, redirecting a client to the proper port number so it can communicate with the requested service.

rpcinfo with option -p tells that there is an NFS (Network File System) server running on Vulnix at port 2049:





2.2 - Enumerating NFS


- The NFS protocol is developed for sharing files an folders between systems, so a local file system is mounted over a network and remote hosts can interact as if they are mounted locally on the same system. 


showmount shows mount information for the NFS server, with option -e for the export list: 



- So the NFS service is available to share files located at /home/vulnix, what can be accessed from any host.


- Bye the way, we also learn the existence of a user called vulnix.


2.3 - Enumerating SMTP

- Trying to find some info using Metasploit against the SMTP server:






- Same thing with telnet:





2.4 - Enumerating finger

- At port 79 the service finger gives information about the users, for instance:




 

 

- Let's notice that all users have got /bin/bash as default shell.



3 - EXPLOITATION

3.1 - Low privilege shell with SSH

- Let's launch Hydra against the SSH service with a lists of users and the wordlist rockyou.txt for passwords:




 

- Now, we can successfully log into Vulnix using the credentials user:letmein






- However this is a low privilege shell and we cannot access the vulnix home shared folder:


 

- Neither user is a sudoer:





3.2 - User vulnix


- Let's find more info about the user vulnix, for instance his UID is 2008:




- Now, let's mount at our local machine /mnt/vulnix the remote /home/vulnix:

 

- Also, at Kali let's create a new user called vulnix with the same UID 2008 than the remote one:




- Moreover, let's generate a public/private RSA key pair, with the future goal of trying to log in with SSH into the Vulnix vulnerable machine as the user vulnix:

 

- Let's notice that  the public key has been saved to /root/.ssh/id_rsa.pub




- Copying the newly created public key id_rsa.pub to the remote /tmp folder:




- Assigning ownership of the key to user vulnix:

 

- Creating a new folder .ssh at the remote machine:





- Exporting content of the key to the authorized_keys file, which specifies the SSH keys that can be used for logging into the user account for which the file is configured, vulnix in our case:




- Now, we can log into Vulnix as user vulnix without a password, because we have inserted as authorized his public key:


 


4 - PRIVILEGE ESCALATION

4.1 - no_root_squash

- Let's start our Privilege Escalation process by checking what are vulnix user's sudoer permissions:



- It seems that vulnix can run the command sudoedit  /etc/exports as a root without using any password.

- Checking /etc/exports we notice that /home/vulnix is assigned with root_squash, meaning that the client cannot run commands as root at the remote server when using the NFS services:



- However, because user vulnix has got /etc/exports "sudoediting" privileges this can easily be changed to no_root_squash:

 
 

- Now, to make theses changes effective a reboot of Vulnix is needed so that NFS services restart, let's do it manually:

 


4.2 - Creating a root_shell


- Mounting again the shared folder:

 


- SSH-ing again at vulnix:




- At the remote machine, copying his local bash to a new file victim_shell:




- We immediately have it shared at the local machine:

 


- As expected, victim_shell has got only vulnix user's permissions:

 

- Copying content to a new file root_shell:


 
- Setting root privileges for root_shell:




- Comparing permissions for both shells:




 

- Executing root_shell with option -p (ensures that the original file's permissions and credentials are kept) we eventually get a root shell available at the vulnerable machine Vulnix:

 



5 - CAPTURING THE FLAG

- Going to the root folder we find the trophy: