Anastasis

Vulnhub Machines Walkthrough Series – Vulnix


Today we’ll be continuing with our series on Vulnhub virtual machine exercises. In this article, we will see a walkthrough of an interesting Vulnhub machine called Vulnix.

Note: For all of these machines, I have used the VMware workstation to provision the virtual machines (VMs). Kali Linux VM will be my attacking box. And please remember: the techniques used here are solely for educational purposes. I am not responsible if these techniques are used against any other targets.

VM Details

Download

Description from Vulnhub: Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions (well at the time of release anyway!)

The host is based upon Ubuntu Server 12.04 and is fully patched as of early September 2012. The details are as follows:

  • Architecture: x86
  • Format: VMware (vmx & vmdk) compatibility with version 4 onwards
  • RAM: 512MB
  • Network: NAT
  • Extracted size: 820MB
  • MD5 Hash of Vulnix.7z: 0bf19d11836f72d22f30bf52cd585757

The goal; boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish – excluding the actual hacking of the vmdk

Walkthrough

1. Download the Vulnix VM from the above link and provision it as a VM.

2. Following established routine from this series, let’s try to find the IP of this machine using Netdiscover. Below, we can see that the IP address is 192.168.213.140.

080818_1808_VulnhubMach1.jpg

3. Now that we know the IP address, let’s start enumerating the machine with Nmap. Below is the initial output from the Nmap scan. We can see that a lot of ports are open on this machine, such as 22, 25, 79, 110, 143, 512, 513 and so on.

080818_1808_VulnhubMach2.jpg

080818_1808_VulnhubMach3.jpg

4. Since port 25 is open, let’s try to make a connection to it using Netcat. Below is the output. We have also confirmed that Vulnix is a user present on the machine:

080818_1808_VulnhubMach4.jpg

5. Can we enumerate all the users based on this service? Yes, we can, and Nmap comes to our rescue again. It has a script (smtp-user-enum) to which we will pass a well-curated username list shipped with Metasploit. Below we can see all the usernames that exist on this VM.

080818_1808_VulnhubMach5.jpg

6. Now since we have so many users, what can we do to verify which user has logged into the machine? Go back to enumeration. We have port 79 opened, which is for Linux finger service. There is a well-laid-out script to take a list of usernames as arguments, which suits our case. Below is a snippet from the script, as we need to specify the target server inside.

080818_1808_VulnhubMach6.jpg

7. After running the above script, we found out that the user named ‘user’ has logged on recently, so that might be worth trying.

8. So let’s recap: what do we have so far? A couple of usernames. Heh. Let’s go back to enumeration result and see what other services we have. Port 2049 is opened as per Nmap; let’s see what is running there.

We have an NFS share! We are back in the game if we have some shares that we can connect to.

080818_1808_VulnhubMach7.jpg

9. Using showmount with the --exports option, we can see that we have a share. Let’s try to mount it. For that I have created a directory named remote and used the mount command to mount the remote share, but all we got was permission denied. (This is mostly due to the root squash flag being set.) But what if we try to access the same share with the same user ID remotely?

080818_1808_VulnhubMach8.jpg

10. So what can we do now? Running out of ideas, I tried brute-forcing the username we found earlier with hydra and rockyou — and we got a hit!

080818_1808_VulnhubMach9.jpg

11. With that information we are able to successfully log into the box and can see another user there named Vulnix, which is a user we discovered very early. (And it was expected from the information collected above.)

080818_1808_VulnhubMach10.jpg

12. Building on the above idea, let’s grab the UID of Vulnix and create a new user on our Kali box with the same UID.

080818_1808_VulnhubMach11.jpg

13. Below is the user created on Kali box with the same UID.

080818_1808_VulnhubMach12.jpg

14. Changing user to vulnix on the local box and trying to access the previously mounted remote share results in a success this time.

080818_1808_VulnhubMach13.jpg

15. So now, let’s create keys for this user on the Kali box, create a .ssh directory on the remote share and upload keys there.

080818_1808_VulnhubMach14.jpg

16. Below we have created the directory and copied the contents of public keys to the authorized keys on the newly-created .ssh directory.

080818_1808_VulnhubMach15.jpg

17. After logging onto the system, one of the first commands I always run is to check what the user can run as sudo. Below we can see that the user is allowed to edit /etc/exports.

080818_1808_VulnhubMach16.jpg

18. Below are the changes made to /etc/exports. Notice that first we have changed the root_squash flag to no_root_squash, which will give us the ability to mount this share as root remotely. But that will not serve our purpose, so let’s try to offer /root with no_root_squash.

080818_1808_VulnhubMach17.jpg

080818_1808_VulnhubMach18.jpg

19. But we have a major roadblock here. How to get these settings into effect? I looked into other avenues for this machine but could not find anything and had to resort to restarting this machine. (BAD, VERY BAD solution.)

20. Once the machine came back up, we can see that the new share is available.

080818_1808_VulnhubMach19.jpg

21. We created a new directory r00t, mounted the /root share and can view the flag (trophy.txt).

080818_1808_VulnhubMach20.jpg

Victory!

This is a fun VM with some serious limitations and dependencies. First is the identification of the username ‘user,’ and then the restarting of the VM. Probably not for beginners. But there are some effective things to learn here about root/no_root squash and how to exploit a remote share.
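An added example (not part of the original post or the VM): a small auditor for /etc/exports that flags the settings this walkthrough relies on, namely exports open to any host, AUTH_SYS exports where the server trusts the UID the client asserts (steps 12 to 14), and no_root_squash (step 18). The sample exports text, the finding names and the SENSITIVE_PREFIXES list are constructed assumptions.

```python
import re

SENSITIVE_PREFIXES = ("/root", "/etc", "/home")  # assumption: paths worth flagging

# Constructed sample, modelled on the edit described in step 18 (not copied from the VM).
SAMPLE_EXPORTS = """\
# /etc/exports
/home/vulnix  *(rw,root_squash)
/root         *(rw,no_root_squash)
/srv/pub      192.0.2.0/24(ro,all_squash)
"""

def parse_exports(text):
    """Return [(path, client, options)] for every client spec in exports(5) text."""
    entries = []
    # A trailing backslash continues an entry on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if not m:
                continue  # skip specs this simple parser cannot read
            opts = {o for o in (m.group(2) or "").split(",") if o}
            # A spec with no client name, e.g. "(rw)", applies to any host.
            entries.append((path, m.group(1) or "*", opts))
    return entries

def audit_exports(text):
    """Return sorted (path, client, finding) tuples for risky export settings."""
    findings = set()
    for path, client, opts in parse_exports(text):
        flavors = {f for o in opts if o.startswith("sec=") for f in o[4:].split(":")}
        if "no_root_squash" in opts:      # client root stays root on the export
            findings.add((path, client, "no_root_squash"))
        if client == "*":                 # any host may mount the export
            findings.add((path, client, "any_host"))
        # sec=sys is the default: the server believes the UID the client sends,
        # so a client-side account with a matching UID owns the files.
        if (not flavors or "sys" in flavors) and "all_squash" not in opts:
            findings.add((path, client, "client_uid_trusted"))
        if any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES):
            findings.add((path, client, "sensitive_path"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding)
```

Running it against a host's real /etc/exports (read the file and pass its text to `audit_exports`) gives a quick list of exports to restrict by client, switch to a Kerberos `sec=` flavor, or squash.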
