[Hacking series] – Vulnix

Written by  on June 18, 2015 

Code name: Vulnix

Webpage: http://www.rebootuser.com/?p=933

VM Download: http://download.vulnhub.com/hacklab/Vulnix.7z

Challenge: Get root on the system

After booting the VM, we can use nmap to scan its ports:

# nmap -Pn 192.168.11.8

[Screenshot: nmap]

We can also guess its operating system:

# nmap -O 192.168.11.8

[Screenshot: nmap_OS]

As a lot of ports were discovered, we can try to gather as much information as we can about the running services and the box. For example, we can use the SMTP service on the remote box to guess some users on the remote system. We can use a Metasploit module (smtp_enum) to do that:

# msfconsole

use auxiliary/scanner/smtp/smtp_enum

[Screenshot: smtp_enum_1]

And then we can run that module and wait for some users:

run

[Screenshot: smtp_enum_2]

Nice, an interesting user was found. We found a user called “user”. We can get more information about that username using the finger service (running on the server, as we discovered with nmap):

# finger user@192.168.11.8

[Screenshot: finger_user]

So “user” seems to be a valid user on the remote system. We can try to find its password with hydra:

# hydra -t 5 -V -f -l user -P dict.txt 192.168.11.8 ssh

[Screenshot: ssh_cracked]

And a valid password was found: “letmein” lelz. So let’s log in.

[Screenshot: ssh_letmein]

We are in. If we can do sudo su, it’s over.

[Screenshot: ssh_notsdo]

Better luck next time. Well, let’s see what we can do from here.

After a few minutes of searching, we found that there is another user on the box called vulnix, and that user shares its home folder via NFS.

[Screenshot: rpc_showmount]

We can perform a little trick here. First of all, let’s add a user called vulnix on our local system with the same uid as the remote user called vulnix:

# useradd vulnix -u 2008

[Screenshot: useradd_vulnix]

Now we can create a directory called vulnix under our /mnt and mount the remote share, then log in as our local vulnix user and browse that directory.

[Screenshot: su_vulnix]

We are inside the folder. Assuming that the folder is actually the home folder of the vulnix user, we can use ssh-keygen to generate an SSH key and then store that key inside the .ssh directory of the vulnix user's home folder. Then we will be able to log in as vulnix without a password.

# ssh-keygen

[Screenshot: ssh_keygen]

After generating the key with ssh-keygen, we copy it to .ssh on the remote server.

[Screenshot: authorized_keys]

Then we can simply log in using ssh.

[Screenshot: vulnix_login]

Now we are in as the user vulnix. After some research, we discovered that we can run sudoedit and edit the /etc/exports file. By editing that file we can add “no_root_squash” to the existing export; with that in place we will be able to browse /home/vulnix on the remote server as our local (Kali) root.

So we edit that file.

[Screenshot: no_root_squash]

Then, after restarting the box (just to restart the NFS service!), we move to that directory as our local root user. Why are we doing that? Simple: this way we can copy a bash shell into the remote /home/vulnix and use chmod to make that file executable as the root user (always!).

[Screenshot: cp_bin_bash]

Then the next step will be…

[Screenshot: bash_root]

Exactly. We can use our SSH login to run that shell and get root.

Game over Vulnix P-)
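
A defender-side counterpart to the NFS steps above, as an added example that is not part of the original write-up: a small Python audit of exports(5)-style text that flags the settings this walkthrough relied on. The finding names (no_root_squash, world_export, uid_trust), the helper names and the sample file are constructed for illustration.

```python
import re

ENTRY = re.compile(r"^([^\s(]*)(?:\(([^)]*)\))?$")   # client(opts), either part optional

def parse_exports(text):
    """Yield (path, client, [options]) per client entry of exports(5)-style text."""
    for raw in text.replace("\\\n", " ").splitlines():   # join continuation lines
        fields = raw.split("#", 1)[0].split()            # strip comments
        if not fields:
            continue
        path, defaults = fields[0], []
        for field in fields[1:]:
            if field.startswith("-"):                    # "-opt,opt": defaults for later clients
                defaults = field[1:].split(",")
                continue
            m = ENTRY.match(field)
            if m:
                own = [o for o in (m.group(2) or "").split(",") if o]
                # "host (rw)" splits into "host" and "(rw)": the latter applies to everyone
                yield path, m.group(1) or "*", defaults + own

def last_wins(opts, on, off):
    """True if `on` appears later than any `off` (later options override earlier ones)."""
    state = False
    for o in opts:
        state = True if o == on else False if o == off else state
    return state

def audit(text):
    """Return sorted (path, client, finding) tuples for risky export entries."""
    out = []
    for path, client, opts in parse_exports(text):
        if last_wins(opts, "no_root_squash", "root_squash"):
            out.append((path, client, "no_root_squash"))  # client root stays uid 0 on the share
        if client == "*":
            out.append((path, client, "world_export"))    # any host may mount
            krb = any(o.startswith("sec=krb5") for o in opts)
            if not krb and not last_wins(opts, "all_squash", "no_all_squash"):
                out.append((path, client, "uid_trust"))   # client-chosen non-root UIDs are honoured
    return sorted(out)

# Constructed sample (not copied from the VM); the last line has the stray-space mistake.
SAMPLE = r"""
/home/vulnix  *(rw,root_squash)
/srv/build    10.0.0.5(rw,no_root_squash) \
              10.0.0.6(ro)
/srv/pub      -ro,all_squash *
/srv/oops     10.0.0.7 (rw)
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The uid_trust finding corresponds to the matching-uid trick used earlier in this post: root_squash only remaps uid 0, so an export open to every host still honours whatever non-root UID the client presents.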

 

 

Category : hacking series
