HACKLAB: VULNIX Walkthrough
Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions (well at the time of release anyway!). The host is based upon Ubuntu Server 12.04 and is fully patched as of early September 2012.
Enumeration
Since many ports are open, we need to pick the right ones:
- 22 — no critical vulnerability on SSH.
- 79 — nothing critical from the finger service.
- 111 — nothing to dig into here.
📌 O = Dovecot mail server, OU = vulnix, CN = vulnix, emailAddress = root@vulnix
- 993/995 — just the encrypted IMAPS and POP services.
- 512–514 — just logins available.
More Enumeration…
1. 25 — SMTP
🔑 users: root and vulnix
2. 110 — POP
Nothing found here
3. 143 — IMAP
Nothing found here
4. 2049 — NFS
Let’s try mounting it.
No permission to look into the directory. I need to have the user vulnix’s UID.
Reiterating…
Let's use a list of usernames to enumerate the available users, and then try them against SSH with brute force.
File: /usr/share/metasploit/unix_users.txt
1. SMTP
2. Finger
Boil it down:
./finger.sh
#!/bin/bash
# Read the usernames, one per line, into an array
readarray -t a < user.txt
# printf '%s\n' "${a[@]}"
for i in "${a[@]}"
do
    # Print the query, then run it
    echo "finger $i@192.168.103.149"
    finger "$i@192.168.103.149"
done
📍 Sorry if the script is not looking great, because I'm not good with bash.
SSH Brute Force:
hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.103.149 -V -I ssh
We get user:letmein
Finding POI (Point of Intrusion)
Create the same user locally and access the folder.
- Create a .ssh folder and add a public key to its authorized_keys file.
- From the attacker machine, log in to the victim machine.
- You will be logged in as vulnix.
Privilege Escalation
- Run sudo -l.
- You will have access to edit /etc/exports.
- Remove root_squash and create a file with the SUID bit set.
- Run the file to get root access.
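Both the NFS foothold and the escalation above come down to what /etc/exports allows, so here is a defender-side audit of that file, as an added example that is not part of the original walkthrough. The finding labels, the function names and the sample export lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an NFS exports file for the settings this walkthrough relies on.
# Output: one line per finding, "<FINDING> <path> <client> <detail>".

audit_exports() {
    # $1: exports file to audit (default /etc/exports; "-" reads stdin)
    awk '
    { sub(/#.*/, "") }                 # drop comments
    NF == 0 { next }                   # skip blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {               # split "client(opt,opt)" into its parts
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"   # "(opts)" with no host means any host
            if (client == "*")
                print "WORLD", path, client, "any host may mount this export"
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print "NO_ROOT_SQUASH", path, client, "client root keeps UID 0 on the share"
            # AUTH_SYS trusts the UID the client sends, so a matching local UID is enough
            if (opts !~ /(^|,)sec=/ || opts ~ /(^|,)sec=[^,]*sys/)
                print "AUTH_SYS", path, client, "access decided by client-supplied UID"
        }
    }' "${1:-/etc/exports}"
}

# Constructed sample exports (hypothetical paths and clients, not taken from the target).
sample_exports() {
    cat <<'EOF'
# constructed sample
/home/exampleuser   *(rw,root_squash)
/srv/build          10.0.0.5(rw,no_root_squash,sec=krb5p)
/srv/docs           10.0.0.0/24(ro,sec=krb5)
EOF
}

sample_exports | audit_exports -
```

Run it with no argument on an NFS server to audit the live /etc/exports. Any account that can edit that file through sudo can remove these protections, so review sudoers entries covering it alongside the findings.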