This article is a walkthrough of the Vulnix CTF challenge. You can get it from the Vulnhub website: here is the link. Vulnix is a purpose-built vulnerable virtual machine centered on SSH and NFS (Network File System). It shows how a misconfigured NFS export can be used to escalate privileges on the system.
Let’s get to it!
- Scanning the Target
- nmap 192.168.0.1/24 to get the IP address of the Vulnix machine. My Vulnix IP address is 192.168.0.107, and then
- nmap -sV 192.168.0.107
- Found a lot of open ports on this vulnerable virtual machine. The SSH and SMTP versions are not vulnerable, but they can be used for brute forcing. The finger daemon (fingerd) is running on port 79, so I fired up msfconsole to scan for the list of users. I used the default unix_users.txt list in Kali.
Using auxiliary/scanner/finger/finger_users.
- After getting the list of users with finger, I made a file containing all these users and ran hydra to brute force the SSH login in case I could find anything, because I had no clue what to do next.
I used fasttrack.txt in Kali as the password file, and vulnixuser.txt is the users file I created containing all the users I found. I used fasttrack.txt because the file isn't that large, so it is faster.
Found 1 match: user user with password letmein.
- So I logged in as user via SSH. There is not much to find there, but I saw the vulnix user in /etc/passwd.
I brute forced this user too, but found nothing!
- I had nowhere to go after this, so I went back to the nmap scan. This time I scanned with the -A flag to get as much info as I could, and I found the RPC protocol. rpcinfo suggests that there is a file system that may be available, so I ran showmount against the Vulnix IP address. Note: my Vulnix IP is 192.168.0.106 here. It changed, but it is still the same Vulnix system.
Let’s mount this filesystem on our system.
I created a directory on my system using mkdir. Command: mkdir /root/Desktop/vulnix
After creating the directory, I mounted /home/vulnix using the command:
mount -t nfs 192.168.0.106:/home/vulnix /root/Desktop/vulnix
It gave me a permission denied error.
- I need the permissions that the vulnix user has in order to access the home directory on the Vulnix machine. To make this happen, I can create a user on my own system with the same permissions as the vulnix user in the Vulnix VM.
- After creating the user vulnix on my own system, I can go to the mounted /root/Desktop/vulnix directory.
Command: su vulnix, to change the user to vulnix. I got a vulnix user shell. ls -la gave me the list of directories it has.
- At this point I was stuck again; there was nothing there, so I needed to escalate my privileges. I could do that through a vulnix SSH login, but I didn't know how. After some searching, I worked out that I needed to put my public key in the SSH user's authorized keys list in order to enter the den!
- So here’s what I did:
- On my own laptop, I ran the command ssh-keygen. It asks for directory information and a passphrase. Fill these in and you have an SSH key for your system. Once that is done, you need to copy the key from the id_rsa.pub file into the .ssh/authorized_keys file on the Vulnix virtual machine. Since I have read and write access to the vulnix home directory over NFS, I can add my key to .ssh and obtain the login!
- I copied the contents of id_rsa.pub using right click -> copy and echoed them into .ssh/authorized_keys on the Vulnix NFS share.
- Now I logged in as vulnix via SSH and boom! I got in!
- I checked what permissions I have using sudo -l
You will see that we have root permission to change the /etc/exports file using sudoedit.
- A quick search on what /etc/exports is, what it does in NFS, and how privileges can be escalated through the exports file will give us ample idea of what to do. Let's talk about /etc/exports!
The exports file is an access control list for the filesystems that are exported over NFS. It lists each directory a client can access and the permissions on it.
In the screenshot below, you will see that /home/vulnix is the directory we have access to, and next to it is *(rw,root_squash). This says that I have read and write permission, but root_squash means not as root: I cannot simply change the file system, because my root access is squashed!
- Command: sudoedit /etc/exports lets us edit the exports file in the nano editor!
We need to edit it and add one line:
/home/vulnix *(rw,no_root_squash)
/root/ *(rw,no_root_squash)
Now use Ctrl+O to save and Ctrl+X to quit.
- NOTE: Once the changes have been made, we need to restart the Vulnix machine. I know this because when I unmounted and then remounted the share, the changes did not appear; for the changes to take effect, a reboot is required!
The command for unmounting the share is: umount /root/Desktop/vulnix
- Once the system has restarted, list the shared filesystems again; there you will see /root.
Mount the /root file system this time, not /home/vulnix!
Command: mount -t nfs 192.168.0.106:/root /root/Desktop/vulnix
- In the above screenshot, I thought the vulnix user would again help us access the mounted directory, but since it is /root, only a root user can see the mounted directory! You will get a permission denied error if you try it with the vulnix user on your system!
Access the mounted directory as root and you will get trophy.txt as the flag for this vulnerable virtual machine!
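
The /etc/exports entries discussed above, seen from the administrator's side: the following Python audit is an added example, not part of the original walkthrough. It flags no_root_squash, writable exports open to every host, and writable exports of sensitive paths; the sample file, the sensitive-path list and the issue names are assumptions made for illustration.

```python
import re

# Constructed sample: the export as found, as edited, and a restricted one.
SAMPLE_EXPORTS = """\
/home/vulnix *(rw,root_squash)
/home/vulnix *(rw,no_root_squash)
/root/ *(rw,no_root_squash)
/srv/data 192.168.0.50(ro,sync)   # hypothetical read-only export
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^)]*)\))?$")
SENSITIVE = ("/root", "/home", "/etc")  # assumed list, adjust per site


def parse_exports(text):
    """Yield (path, host, options) for each client on each export line."""
    text = text.replace("\\\n", " ")           # join continuation lines
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if not fields:
            continue
        path, clients = fields[0], fields[1:] or ["*"]  # no client = anyone
        for client in clients:
            m = CLIENT_RE.match(client)
            if m is None:                      # malformed entry, skip it
                continue
            opts = {o for o in (m.group("opts") or "").split(",") if o}
            yield path, m.group("host") or "*", opts


def is_sensitive(path):
    p = path.rstrip("/")
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE)


def audit_exports(text):
    """Return (path, host, issue) tuples for risky export entries."""
    findings = []
    for path, host, opts in parse_exports(text):
        writable = "rw" in opts                # exports are ro by default
        if "no_root_squash" in opts:           # client uid 0 stays uid 0
            findings.append((path, host, "no_root_squash"))
        if host == "*" and writable:           # any host; sec=sys trusts client UIDs
            findings.append((path, host, "world_writable_export"))
        if writable and is_sensitive(path):
            findings.append((path, host, "sensitive_path_rw"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding, sep="\t")
```

Even the original *(rw,root_squash) line is reported, because a writable home directory exported to every host is what made the authorized_keys step possible.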