Vulnix Walkthrough

Here we have a vulnerable Linux host whose weaknesses are configuration mistakes rather than purposely vulnerable software versions at the time of release.
The host is based on Ubuntu Server 12.04 and is fully patched as of early September 2012.
The goal: boot it up, find the IP, hack away and obtain the trophy hidden away in /root by any means necessary, excluding the actual hacking of the vmdk.

Step 01: Get VM's IP

An easy way to do this is to run netdiscover on the subnet your machine is on. This can fail for various reasons (netdiscover relies on ARP, so the VM has to sit on the same layer-2 segment), so an nmap sweep of the subnet with -F -Pn is a good alternative.



VM's IP is: 192.168.1.72


Step 02: Enumeration

Enumeration is an important part of pentesting. In this step we'll enumerate the services running on the victim as well as users, shares and RPC information. It is not necessary to scan all ports; the top 1000 are usually a good start, but here all TCP ports will be scanned.




Notable services identified are:
Port 22: SSH
Port 25: SMTP
Port 79: Finger
Port 110: POP3
Port 111: RPCbind
Port 143: IMAP
Port 512: exec (rexec)
Port 513: login (rlogin)
Port 514: shell (rsh)
Port 2049: NFS

Step 03: Users enumeration

We have an SMTP service running, which opens up the possibility of using the VRFY command if it hasn't been disabled.



We were able to verify that the user vulnix exists; verifying a non-existent user returns an error message (a 550 reply instead of the 252/250 given for a known mailbox). It should be possible to enumerate more users this way. For that we'll use the smtp-user-enum script found in Kali.

We can use /usr/share/metasploit-framework/data/wordlists/unix_users.txt, which ships with the Metasploit framework.



The username user is not a common one.
Let's run finger against the two usernames we found (vulnix and user).



Both users are found to be valid.

Step 04: NFS enumeration

On port 2049 NFS is running, and valuable data could be obtained from it. The nfs-common package must be installed on the attacking machine if it isn't already (it provides showmount and the NFS mount helper).

The share (/home/vulnix) mounts fine, but its contents cannot be accessed: the export has root_squash set, so requests from root on our machine arrive at the server as the anonymous user (nobody) rather than UID 0, and the directory belongs to vulnix. NFSv3 simply trusts the UID the client sends (AUTH_SYS), so if we create a local user with the same UID as vulnix we'll be able to access it.

Step 05: Gaining Access

There were services that weren't properly explored yet.


Bruteforcing SSH

Running Hydra against either user or vulnix with the rockyou wordlist is an option, although it will take a very long time (unless you try the user 'user' first).





Privilege escalation (first stage)

We can now ssh into the victim machine as user, but unfortunately there's not much we can do. GCC isn't installed, so a local exploit written in C can't be compiled on the box (it could be built elsewhere and uploaded, but there is an easier route).
If you navigate to /home you'll notice the shared directory we couldn't access earlier. Obtaining the UID of vulnix (e.g. from /etc/passwd), creating a temporary user with that UID on our own machine and accessing the mounted share as it seems plausible.



Let's generate SSH keys so we can log in as vulnix.
Steps:
1. Create an SSH key pair by running ssh-keygen
2. Create a .ssh directory on the mounted share (/home/vulnix/.ssh)
3. Copy the public key into /home/vulnix/.ssh/authorized_keys (sshd wants .ssh to be mode 700 and authorized_keys 600, owned by vulnix; writing them as our local vulnix-UID user takes care of the ownership)
4. SSH into vulnix@<victim_ip>!



Privilege Escalation second stage : root


It was observed that /etc/exports can be edited, which makes it possible to change the options of the /home/vulnix export and do anything with the share.
A problem arose: the NFS server has to re-read the file (exportfs -ra) for changes to take effect, and that isn't possible with our current privileges, so the only option is to reboot the VM.
Also, because sudo has secure_path set, we can't manipulate the PATH variable to hijack the command we're allowed to run (except by running sudo -e, which we can't).



Let's edit the file and add no_root_squash to the /home/vulnix export (the option that stops root on the client from being mapped to nobody), then restart the VM and remount the shared directory as root on our machine. Files we create there are now owned by root, so we can upload a local exploit to gain root, or simply copy /bin/bash into the share and give it the setuid bit (chmod 4755).


We'll run that bash with the -p flag (privileged mode) so it doesn't drop the effective UID back to our real UID on startup.
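To make the NFS reasoning behind Step 04 and both privilege-escalation stages checkable, here is an added example (not code from the original post) that parses /etc/exports the way exportfs reads it, applying the exports(5) defaults ro and root_squash when a line doesn't say otherwise, and applies the AUTH_SYS UID-squashing rules. The export lines, the UID 2008 for vulnix and the directory mode 0750 are assumptions for illustration; on the box the real values come from `id vulnix` and `ls -ld /home/vulnix`. The audit function at the end flags the weak export (everyone, rw) and the rooted one (rw plus no_root_squash) side by side.

```python
"""Model of the NFS access decisions behind Steps 04 and 05.

Added example, not code from the original post. Export lines, the UID
2008 for vulnix and the directory mode 0750 are constructed assumptions.
"""
import re

NOBODY_UID = 65534          # anonuid default (user "nobody" on Ubuntu)


def parse_exports(text):
    """Return [(path, client, options)] for each client spec in an exports file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"               # a bare "(rw)" means everyone
            opts = {o for o in (m.group(2) or "").split(",") if o}
            if "rw" not in opts:                     # exports(5) defaults
                opts.add("ro")
            if "no_root_squash" not in opts:
                opts.add("root_squash")
            entries.append((path, client, opts))
    return entries


def effective_uid(client_uid, opts):
    """UID the server acts as for a request carrying AUTH_SYS uid client_uid."""
    if "all_squash" in opts:
        return NOBODY_UID
    if client_uid == 0 and "root_squash" in opts:
        return NOBODY_UID
    return client_uid


def can_enter(owner_uid, mode, client_uid, opts):
    """Can the request traverse and list a share directory owned by owner_uid?

    Simplified POSIX check: owner bits when the UIDs match, otherwise the
    'other' bits (group membership is ignored). An unsquashed UID 0 is root.
    """
    uid = effective_uid(client_uid, opts)
    if uid == 0:
        return True
    bits = (mode >> 6) if uid == owner_uid else mode
    return bits & 0o5 == 0o5                          # need r and x on the dir


def audit(text):
    """Flag export settings that turn the share into a privilege-escalation path."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append(f"{path}: exported to every host")
        if "rw" in opts and "no_root_squash" in opts:
            findings.append(f"{path}: rw with no_root_squash, client root can drop setuid-root files")
    return findings


# Constructed lines: the state found in Step 04 and the change made in Step 05.
EXPORTS_FOUND = "/home/vulnix *(rw,root_squash)\n"
EXPORTS_ROOTED = "/home/vulnix *(rw,no_root_squash)\n"
VULNIX_UID = 2008           # assumption; read the real value with `id vulnix`

if __name__ == "__main__":
    _, _, found = parse_exports(EXPORTS_FOUND)[0]
    print("root on client, squashed:", can_enter(VULNIX_UID, 0o750, 0, found))
    print("local user with vulnix's UID:", can_enter(VULNIX_UID, 0o750, VULNIX_UID, found))
    print(audit(EXPORTS_ROOTED))
```

The two checks that matter in the walkthrough fall out directly: with root_squash the client's root becomes nobody and is denied by the 0750 directory, while a client user whose UID equals the owner's gets in, and once no_root_squash is added the client's root stays UID 0 and can create the root-owned setuid bash.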



Finally, root privileges are acquired.
