HACKLAB: VULNIX Walkthrough


Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions (well at the time of release anyway!). The host is based upon Ubuntu Server 12.04 and is fully patched as of early September 2012.


Enumeration

Since many ports are open, we need to pick the right ones:

  • 22 — no critical vulnerability on SSH.
  • 79 — nothing critical from the finger service.
  • 111 — nothing to dig into here.

📌 O = Dovecot mail server, OU = vulnix, CN = vulnix, emailAddress = root@vulnix

  • 993/995 — just the encrypted IMAPS and POP services.
  • 512–514 — just logins available.

More Enumeration…

  1. 25 — SMTP

🔑 users: root and vulnix

2. 110 — POP

Nothing found here

3. 143 — IMAP

Nothing found here

4. 2049 — NFS

Let’s try mounting it.

No permission to look into the directory. I need to have the user vulnix’s UID.

Reiterating…

Let’s use a username wordlist to enumerate the available users, and then try them on SSH with brute force.

File: /usr/share/metasploit/unix_users.txt

  1. SMTP

2. Finger

Boil it down:

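./finger.sh
#!/bin/bash
# Read the candidate usernames (one per line) into an array
readarray -t a < user.txt
# printf '%s\n' "${a[@]}"
for i in "${a[@]}"
do
    # Query the finger service for this candidate user
    cmd="finger $i@192.168.103.149"
    echo "$cmd"
    echo "$(${cmd})"
done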

📍 Sorry if the script is not looking great, because I'm not good with bash.

SSH Brute Force:

hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.103.149 -V -I ssh

We get user:letmein


Finding POI (Point of Intrusion)

Create the same user locally, and access the mounted folder.

  1. Create a folder .ssh and add a public key to the authorized_keys file.
  2. From the attacker machine, log in to the victim machine.
  3. You will be logged in as vulnix.

Privilege Escalation

  1. Run sudo -l.
  2. You will have access to edit /etc/exports.
  3. Remove root squash and make a file with the SUID bit set.
  4. Run the file to get root access.
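
Both NFS weaknesses used above (the server trusting the client-supplied UID on a writable export, and an export without root squash) are visible in /etc/exports, so a defender can audit for them. The following is an added example, not code from the original walkthrough: the sample exports file, the `audit_exports` function and the issue labels are all constructed for illustration, and it covers only the common `path client(options)` form of exports(5).

```python
import re

# Constructed sample in exports(5) syntax; not taken from the Vulnix host.
SAMPLE_EXPORTS = """\
# path         client(options)
/export/home   *(rw,root_squash)
/export/build  10.0.0.5(rw,no_root_squash) \\
               10.0.0.6(ro)
/export/secure 10.0.0.7(rw,sec=krb5p)
"""

# One client token: optional host followed by optional "(opt,opt,...)".
ENTRY = re.compile(r"^([^\s()]*)(?:\(([^)]*)\))?$")

def audit_exports(text):
    """Return sorted (path, client, issue) tuples for risky export entries."""
    findings = set()
    # Join backslash-continued lines, then strip comments line by line.
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        for token in fields[1:]:
            m = ENTRY.match(token)
            if not m:
                continue
            path = fields[0]
            host = m.group(1) or "*"  # "(opts)" with no host means any client
            opts = set(filter(None, (m.group(2) or "").split(",")))
            # sec= is a colon-separated list; the default flavor is sys (AUTH_SYS).
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            if "no_root_squash" in opts:
                # Client root stays root on the export: SUID-root files possible.
                findings.add((path, host, "no_root_squash"))
            if "*" in host or "?" in host:
                findings.add((path, host, "wildcard_host"))
            if "rw" in opts and "sys" in sec.split(":"):
                # Server trusts the UID the client sends, so a matching
                # local UID on the client is enough to write as that user.
                findings.add((path, host, "auth_sys_rw"))
    return sorted(findings)

if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15} {host:10} {issue}")
```

Entries restricted to named clients with `root_squash` (the default) and a Kerberos `sec=` flavor produce no findings.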