The machine

This machine is one of the machines from the OSCP preparation guide I received from one of my teachers. This machine is the next on list and it can be downloaded on: vulnhub

The challenge

The challenge or goal of the machine lists the following:

The goal; boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish – excluding the actual hacking of the vmdk

https://www.vulnhub.com/entry/hacklab-vulnix,48/

Walk-through

The walk-through will be divided in a couple sections following the standard penetration testing process: Information gathering –> Exploitation –> Post exploitation. It could be divided into more steps, but for complicity we do these three.

Information gathering

To start of we will find the IP address of the machine with nmap since netdiscover takes a while on my VMware. We will use the command sudo nmap -sn 192.168.0.0/24 for this. The vulnerable machine has the IP 192.168.0.129.

So to start of the machine we scan the machine for open ports with nmap. We will do two scans; sudo nmap -sV -sC 192.168.21.129 -oA nmap and sudo nmap -sV -sC -p- 192.168.21.129 -oA fullnmap. We use these parameters for;
-sV service and version enumeration,
-sC is for basic script usage.
-p- to do a full port scan.
-oA to save all output to a couple different files.

The nmap results are;

kadeeli@Pentest:~$ sudo nmap -sV -sC 192.168.21.129 -oA nmap                                                                                                                        
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-04 02:53 EST                                                                                                                     
Stats: 0:04:30 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan                                                                                                          
NSE Timing: About 96.00% done; ETC: 02:58 (0:00:04 remaining)                                                                                                                       
Nmap scan report for 192.168.21.129                                                                                                                                                 
Host is up (0.00090s latency).                                                                                                                                                      
Not shown: 988 closed ports                                                                                                                                                         
PORT     STATE SERVICE    VERSION                                                                                                                                                   
22/tcp   open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)                                                                                                
| ssh-hostkey:                                                                                                                                                                      
|   1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)                                                                                                                      
|   2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)                                                                                                                      
|_  256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)                                                                                                                     
25/tcp   open  smtp       Postfix smtpd                                                                                                                                             
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,                                                                       
|_ssl-date: 2020-03-04T07:56:49+00:00; +3s from scanner time.
79/tcp   open  finger     Linux fingerd                                                                                                                                             
|_finger: No one logged on.\x0D                                                                                                                                                     
110/tcp  open  pop3?                                                                                                                                                                
|_ssl-date: 2020-03-04T07:56:49+00:00; +2s from scanner time.                                                                                                                       
111/tcp  open  rpcbind    2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      41699/tcp6  mountd
|   100005  1,2,3      42526/tcp   mountd
|   100005  1,2,3      54269/udp6  mountd
|   100005  1,2,3      55371/udp   mountd
|   100021  1,3,4      33851/tcp   nlockmgr
|   100021  1,3,4      37863/udp6  nlockmgr
|   100021  1,3,4      55935/udp   nlockmgr
|   100021  1,3,4      58084/tcp6  nlockmgr
|   100024  1          40992/tcp6  status
|   100024  1          47076/tcp   status
|   100024  1          53594/udp6  status
|   100024  1          59671/udp   status
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
143/tcp  open  imap       Dovecot imapd
|_ssl-date: 2020-03-04T07:56:49+00:00; +3s from scanner time.
512/tcp  open  exec       netkit-rsh rexecd
513/tcp  open  login      OpenBSD or Solaris rlogind
514/tcp  open  tcpwrapped
993/tcp  open  ssl/imaps?
|_ssl-date: 2020-03-04T07:56:48+00:00; +2s from scanner time.
995/tcp  open  ssl/pop3s?
|_ssl-date: 2020-03-04T07:56:48+00:00; +2s from scanner time.
2049/tcp open  nfs_acl    2-3 (RPC #100227)
MAC Address: 00:0C:29:AB:64:0D (VMware)
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
33851/tcp open  nlockmgr   1-4 (RPC #100021)
40584/tcp open  mountd     1-3 (RPC #100005)
41399/tcp open  mountd     1-3 (RPC #100005)
42526/tcp open  mountd     1-3 (RPC #100005)
47076/tcp open  status     1 (RPC #100024)

So we got a decent amount of ports, we got port 22 for SSH, port 25 for SMTP (mailserver), Port 79 finger (No idea what this is), port 110 Pop3 (mailserver), port 111 with some active mounts and port 143 Imap. Then port 512 to 514 for something I dont recognise.

RPC
Lets see what the RPC mount has to offer. We can see the info with rpcinfo -p, but we already got these with nmap. We can see the available mounts with showmount -e 192.168.29.129 and then we can mount it with the mount command.

But we are not allowed to enter this directory:

I tried to make myself nobody but I still got the message permission denied.

SSH
No relevant banner seen ssh 192.168.21.129

SMTP
I had no idea how to test this so I googled some enumeration guides. We can enumerate user with the tool smtp-user-enum which can be installed with apt install. This script can enumerate users. We will use a list of users from seclist. /opt/SecLists/Usernames/xato-net-10-million-usernames.txt. Our command = smtp-user-enum -M VRFY -U /opt/SecLists/Usernames/xato-net-10-million-usernames.txt -t 192.168.21.129

-M VRFY is the attack method
-U /opt/…. is the username wordlist
-t 192.168.21.129 is the target

We found the following users:

Exploitation

SSH Bruteforce
We got some users. Lets try to bruteforce these with hydra. We use the command hydra -l user -P /usr/share/wordlists/rockyou.txt ssh://192.168.21.129
-l user to select the user user
-P /usr/share/wordlist/rockyou.txt to select the rockyou wordlist
ssh://192.168.21.129 to bruteforce the ssh login
-t 4 to only give it 4 threads since hydra told me that SSH doesn’t like multiple connection tries normally.

It was running a bit to long so I used the darknet top 100 and top1000 list from the Seclists github repositorie.

Lets try to login with SSH and it worked!

Privilege escalation

I looked around for a while and found that the dovecot service is running as root. But I could not find a exploit or any interesting stuff in the config files.

So after looking around and finding nothing, I thought maybe we have to go back and test the NFS share /home/vulnix. This is the home directory from vulnix. We can get his ID and everything. Maybe we just have to add the vulnix user to our kali machine, use the ID from the /etc/passwd file from the vulnix server and we may have access. And yes we did:

But there is nothing of interest in the directory. Hmm. However I was able to change the permissions of the home directory:

And we got access to the directory on the user user now. But still there is nothing in here. But what if we create a bash script with a SUID bit so that it gives us the shell of the vulnix user? This did not work, no idea why but it didn’t want to work. Probably because it doesn’t work this way with SUID bits.

So I tried the following: 1. Generate SSH keys, 2. Put the public key into the mounted home directory and 3. Login. This went a bit different since I fucked around with the file permissions. But we had to 1. Generate the SSH key, 2. Make a .ssh directory in the mounted folder. 3. Echo the public key into the .ssh directory as the filename authorized_keys and 4. Set the file permissions of .ssh to 700 and authorized keys to 644.

and now we can SSH into the machine:

This user can run the sudoedit command on the /etc/exports file. But what is this file?

So I googled root squats and it gave us a explanation of how we can misuse this. It aswell gave us a example on how to disable this. We can change root_squash to no_root_squash. This can be done with the sudoedit command.

Now we have to restart the vulnix server as described in the post earlier and remount it and then we can probably run our SUID bits /bin/bash? We can remount it with sudo mount 192.168.21.129:/home/vulnix /mnt/user. I didn’t get it to work, I should go back to the machine on a later date since I’m pretty burned.

So after trying again on my own computer, it still didn’t work. I keep getting the message cannot execute binary file after compiling c code or copying my own /bin/bash. So I checked the challenge again and we should get the flag in /root. I could not access this as the vulnix user, but I can make a share with the sudoedit /etc/exports command. So I added the following:

Restarted vunix, mounted the file system and we are in!

However we had to switch to the root user:

Flag

Leave a Reply

Your email address will not be published. Required fields are marked *