vulnix solution walkthrough

This article is a walkthrough on vulnix CTF challenge. You can get this on Vulnhub website: here is the link. Vulnix is a specially made vulnerable virtual machine of SSH and NFS [Network file system]. Vulnix will guide you on how false configuration of NFS can be used to escalate privileges on the system.

Let’s get to it!

  1. Scanning the Target
    1. nmap 192.168.0.1/24 — to get the ip address of vulnix machine. — My vulnix ip address is 192.168.0.107 and then
    2. nmap -sV 192.168.0.107vulnix solution walkthrough
  2. Found a lot of ports open on this Vulnerable Virtual Machine. SSH and SMTP versions are not vulnerable.But can be used to bruteforce. Got Fingerd protocol running on 79. So I fired up msfconsole to scan for the list of users. I have used default unix_users.txt list in Kali.vulnix solution walkthrough
    Using auxiliary /scanner/finger/finger_users.

    vulnix solution walkthrough4
  3. After Getting the list of users using finger, I made a file containing all these users and ran hydra to bruteforce the ssh login if I could find any, because I had no clue of what to do next.
    I have used fasttrack.txt in kali as password file and vulnixuser.txt is the users file that I have created containing all the users, I have found. I have used fasttrack.txt file because it will be faster, the file isn’t that large.
    vulnix solution walkthrough
    Found 1 match for user user with password letmein.
    vulnix solution walkthrough
  4. So I have logged in user via SSH. There is nothing much that you will get but I saw vulnix user in /etc/passwd.
    vulnix solution walkthrough 22
    vulnix solution walkthrough7
    I have bruteforced this user too. But found nothing!
  5. Got no where to go after this, so I went back to the nmap scan. This time I scanned it using -A flag, to get as much info I can. and I found rpc protocol. rpcinfo suggests that there is a file system which can be available. So I showmount the vulnix ip address.vulnix solution walkthrough5***My vulnix IP is 192.168.0.106 here. It got changed. but it is still the vulnix system.
    Let’s mount this filesystem on our system.
    I created a directory on my system using mkdir. command: mkdir /root/Desktop/vulnix
    vulnix solution walkthrough6
    After creating directory, when I mounted the /home/vulnix using command:
    mount -t nfs 192.168.0.106:/home/vulnix /root/Desktop/vulnix
    It gave me an error of permission denied.
  6. I need permission that vulnix user have to access the home directory of vulnix machine. To make this happen, I can create a user in my own system with the permission same as the vulnix user in vulnix VM. vulnix solution walkthrough8
  7. Once creating user vulnix in my own system, I can go to the /root/Desktop/vulnix directory that is mounted.
    Command: su vulnix – to change the user to vulnix. I got vulnix user shell. ls -la gave me list of directories it have.
    vulnix solution walkthrough55
  8. At this point, I was again stuck, there was nothing. so I need to escalate my privileges! I can do that using vulnix ssh login but I didn’t know how. After some searches, I got down to the fact that I need to put my public key in the authorized list of ssh user in order to enter the den!
    1. So here’s what I did:
      1. In my own laptop, I wrote command: ssh-keygen. It will ask you about directory information and passphrase. Fill it and you have an ssh key for your system. Now once you get it done. You need to copy the key in id_rsa.pub file into the .ssh/authorized_keys file in vulnix virtual machine. Now since I have access of read and write using NFS in vulnix home. I can add my key in the .ssh and can obtain the login!
      2. I copied the data in id_rsa.pub using right click -> copy and echoed it in the .ssh/authorized_keys in vulnix nfs. vulnix solution walkthrough 24

  9. Now, I logged in vulnix via ssh and boom! I got in!vulnix solution walkthrough 28
  10. I checked how much permission I have using sudo -l
    vulnix solution walkthrough 02
    You will see that we got root permission to change the /etc/exports file using sudoeedit.
  11. A Quick search on what is /etc/exports and what it does in NFS and how we can escalate privilege with exports file, will give us ample of idea of what to do. Let’s talk about /etc/exports!
    exports file is an access control list for the filesystem that are mounted using NFS. Exports file contains the permissions, the directory that a user can access.
    In the below screenshot, you will see that /home/vulnix is the directory,we have access to and in front of it, we have *(rw,root_squash) ~ this says that I have read and write permission but root_squash means not as a root, or I cannot simply just change file system because my root access is squashed!

    vulnix solution walkthrough 03

  12. Command: sudoedit /etc/exports will help us edit the exports file in nano editor!

    vulnix solution walkthrough 00We need to edit it and add one line:
    /home/vulnix *(rw,no_root_squash)
    /root/ *(rw,no_root_squash)

    vulnix solution walkthrough 08Now Use ctrl +O to save and ctrl + X to quit.

  13. ****NOTE: Once the changes has been made, We need to restart the vulnix machine. I know this because when I unmounted and then remounted the vulnix, the changes weren’t appeared, inorder for changes to occur, a reboot is required! *****
    Command for un-mounting the vulnix is : umount /root/Desktop/vulnix

  14. Once the system is restarted, see the shared filesystem again, there you will see /root
    vulnix solution walkthrough 09Mount the /root file system this time not the vulnix!
    Command: mount -t nfs 192.168.0.106:/root /root/Desktop/vulnix

  15. vulnix solution walkthrough 001In above screenshot, I thought vulnix will again help us accessing the mounted directory but since it is root, A root user can only see the mounted directory! You will get a permission denied if you try it with vulnix user in your system!
    Access the mounted directory using root and you will get the trophy.txt as flag for this vulnerable virtual machine!

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.