HackLAB: Vulnix

HackLAB: Vulnix a vulnerable machine found on the NetSecFocus Trophy Room list which I have been using as preparation for the OSCP. Below is a walkthrough to compromise this machine.

First, after downloading and importing the machine into VMware, I had to figure out the IP address of the machine. I used netdiscover -i eth0 until I came across the IP of this machine.

Vulnix netdiscover

Next, I ran threader3000 to let is enumerate the open ports. I also let it run it’s recommended nmap scan.

Vulnix threader3000

Vulnix nmap 1

Vulnix nmap 2

As you can see, there were several ports open. I looked into seeing how I could exploit SMTP first. It appears we can run VRFY on SMTP, which we can use to enumerate users. I ran smtp-user-enum -M VRFY -U /usr/share/wordlists/smtp-usernames.txt -t [machine ip] to start enumeration. I used this list of SMTP usernames for enumeration.

Vulnix smpt-user-enum

As you can tell, several users came back. I next used finger and was able to determine two users root and user. This was done by running finger [username]@[machine ip]

Vulnix finger

At this point, I had a couple of usernames to go off of, so I decided to attempt to brute force the user SSH credentials (as I felt the root ones were likely secure as it would make this box pointless otherwise). I ran hydra -l user -P /usr/share/wordlists/rockyou.txt [machine ip] -t 4 ssh and after about 15 minutes the user account password was cracked as shown below.

Vulnix hydra ssh brute force

I tried sudo -l, but user was not able to run sudo commands. I next ran cd /home followed by ls -al to enumerate the home users folder, and there was another user directory present, vulnix. I ran id vulnix to attain more information about its user id.

Vulnix user enumeration

Next, I decided to attempt to remotely connect to the victim PC over NFS. In order to do so, I create da vulnix user on my attacker machine with the same ID # with useradd -u 2008 vulnix. I then created a folder to mount the target machine to with mkdir /tmp/vulnix. Finally, I mounted the /home/vulnix directory on the target machine to /tmp/vulnix on my attacker machine with mount -t nfs [machine ip]:/home/vulnix /tmp/vulnix -nolock.

I then ran cd /tmp/vulnix followed by ls -al and I was able to see the vulnix user’s home directory

Vulnix nfs mount

You can use SSH to connect two ways, with a password or with a certificate. I decided to generate a new set of SSH keys on my attacker pc as root with ssh-keygen after opening a new terminal window.

Vulnix root ssh-keygen

Next, I ran cd /root/.ssh followed by ls to ensure the files were generated. I then ran cat id_rsa.pub to get the contents for root’s public key, which I copied.

Vulnix public RSA key

Back on my victim session over NFS, I ran mkdir .ssh followed by cd .ssh and finally touch authorized_keys. This was going to be the file I pasted in my root public SSH key to.

Vulnix vulnix .ssh folder

In order to do so, I ran vi authorized_keys and pasted in the key value. Once completed, I pressed escape, and entered :wq! to write to the authorized_keys file and quit vi.

Vulnix vi authorized_keys

Now, back on my attacker PC, I ran ssh vulnix@[machine ip]. I was now connected as the vulnix user!

Vulnix ssh vulnix

I ran sudo -l, which showed that vulnix could run sudoedit /etc/exports as root with no password.

Vulnix vulnix sudo -l

This showed that the /home/vulnix directory had root_squash set, which disallows mounting NFS as root. I modified this to no_root_squash as shown below and added in /root *(rw,no_root_squash) as well, which should allow access to the /root folder.

Vulnix /etc/exports modification

Next, I rebooted the system in VMWare as recommended in the official creator’s writeup (as I couldn’t find another way to reboot the system). This allows the NFS changes to take place shown above. Next, I ran umount /tmp/vulnix to unmount the /home/vulnix nfs share and then ran mount -t nfs [machine ip]:/root /tmp/vulnix to mount the /root folder to the share. I then ran cd /tmp/vulnix followed by ls and the flag file, trophy.txt is present. I finished this box by running cat trophy.txt.