[Hacking series] – Vulnix

Written by  on June 18, 2015 

Code name: Vulnix

Webpage: http://www.rebootuser.com/?p=933

VM Download: http://download.vulnhub.com/hacklab/Vulnix.7z

Challenge: Get root on the system

After booting the VM we can use nmap to scan its ports

# nmap -Pn


We can also guess its operating system

# nmap -O


As a lot of ports were discovered, we can try to gather as much information as we can about the running services and the box. For example, we can use the SMTP service on the remote box to guess some users on the remote system. We can use a Metasploit module (smtp_enum) to do that:

# msfconsole

use auxiliary/scanner/smtp/smtp_enum


And then we can run that module and wait for some users



Nice, an interesting user was found: a user called “user”. We can get more information about that username using the finger service (running on the server, as we discovered with nmap):

# finger user@


So user seems to be a valid user on the remote system; we can try to find its password with hydra:

# hydra -t 5 -V -f -l user -P dict.txt ssh


And a valid password was found: “letmein”, lelz. So let’s log in.


We are in. If we can do sudo su, it’s over.


Better luck next time. Well, let’s see what we can do from now.

After a few minutes of searching, we found that there is another user on the box called vulnix, and that user shares its home folder via NFS.


We can perform a little trick here. First of all, let’s add a user called vulnix on our local system with the same uid as the remote user called vulnix:

# useradd vulnix -u 2008


Now we can create a dir called vulnix under our /mnt and mount the remote share, then log in as our local vulnix user and browse that directory.


We are inside the folder. Assuming that the folder is actually the home folder of the vulnix user, we can use ssh-keygen to generate an SSH key and then store that key inside the .ssh of the vulnix user's home folder. Then we will be able to log in as vulnix without a password.

# ssh-keygen


After generating the key with ssh-keygen we copy it to .ssh on the remote server.


Then we can simply log in using ssh.


Now we are in as the user vulnix. After some research we discovered that we can run sudoedit and edit the /etc/exports file. By editing that file we can add “no_root_squash” to the existing export; with that option we will be able to browse /home/vulnix on the remote server as our local (kali) root.

So we edit that file


And then, after restarting the box (just to restart the NFS service!), we move to that dir using our local root user. Why are we doing that? Simple: by doing this we can copy a bash shell into the remote /home/vulnix and use chmod to make that file executable as the root user (always!).


Then the next step will be…


Exactly. We can use our ssh login to run that shell and get root

Game over Vulnix P-)
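The whole chain above hinges on how the NFS share is exported, so the defensive counterpart is a check over /etc/exports. The following is an added example, not part of the original post: a small Python audit that flags no_root_squash, exports open to any host, and writable exports that rely on client-supplied UIDs (the default sec=sys). The sample file, host names and issue labels are constructed for illustration, and only the common `path client(options)` form is handled.

```python
import re
# Constructed sample; the first export mirrors the end state the walkthrough reaches.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/vulnix  *(rw,no_root_squash)
/srv/pub      192.0.2.0/24(ro,root_squash)
/srv/build    build01.example.test(rw,sync,sec=krb5p) \\
              *.example.test(ro)
/srv/legacy   203.0.113.7
"""
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def logical_lines(text):
    """Yield (first_line_no, text): comments stripped, '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None

def audit_exports(text):
    """Return sorted (line_no, path, client, issue) tuples for risky export entries."""
    findings = set()
    for no, line in logical_lines(text):
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                findings.add((no, path, client, "unparsed_client"))
                continue
            host = m.group(1) or "*"          # "(opts)" with no host means every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            if "no_root_squash" in opts:      # client root stays root on the server
                findings.add((no, path, host, "no_root_squash"))
            if host == "*":                   # any machine may mount the share
                findings.add((no, path, host, "any_host"))
            if "rw" in opts and not all(f.startswith("krb5") for f in sec.split(":")):
                findings.add((no, path, host, "rw_with_client_asserted_uid"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_exports(SAMPLE_EXPORTS), sep="\n")
```

The walkthrough also depended on an unprivileged account being allowed to sudoedit /etc/exports; that delegation lives in sudoers and is outside what this check sees.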


