Vulnhub: HackLAB: Vulnix Boot2Root VM

Introduction

Today I’ll be writing up the method I used to compromise the excellent Vulnix VM hosted by Vulnhub, created by @oshearing.

This one was quite difficult and took a good few hours for me to work out what needed to happen to compromise it, but I got to use some fun new tools and learned a lot!

Let’s get to it 🙂

NMap

Loads of stuff going on here!

Analysis of Port Scan

So the remote box is running:

  • SSH
  • An entire SMTP / POP suite of applications
    • Metasploit has lots of tools for enumerating these services, so we’ll play with those in a second
  • Fingerd
  • RPCBind
    • Normally I’d scroll past this as it’s pretty standard but this one mentions NFS by name, which could potentially provide us with access to files on the box
  • rexecd, rlogind, rshd
    • This all looks very interesting, so we’ll be investigating these!

User Enumeration from fingerd

First up we use msfconsole to find out the users on the remote box –

So we’ve uncovered a pretty decent list of users here!

RPCBind and NFS

Normally I’d use “rpcinfo” to get an idea of the RPC services available on the box, but thanks to the -sC output from nmap, we already know what’s there. And we’re interested in NFS (Network File System) in particular.

Using this guide we find out how to look at the exported shares on the remote box –

So there’s an exported share at /home/vulnix! Let’s mount it using that guide linked above as our.. guide..

WHAT. So we’ve successfully mounted the remote NFS on our box but we can’t access it. Notice that the user is “nobody”; this is because of root squashing (essentially, to prevent us with uid 0 getting root remotely!)

So we could either try and brute force Vulnix user’s uid and gid so that we can mount it OR we can use an awesome tool called nfspy!

NFSpy takes the leg work out of determining which UID / GID we need and mounts the NFS share for us.

Bingo 😉 So at this point it doesn’t look like there’s much we can do, right? There’s nothing interesting in those three files. But we have write access, so we can create our own files in the user’s home directory. How about we copy over our SSH id_rsa keys so that we can SSH in without a password?

Privilege Escalation

OK so we’ve got a limited shell now as the Vulnix user! Let’s see what Vulnix can do as root –

How convenient! Vulnix is allowed to mess with the exports file (which is squashing the NFS mount 😉 ) Let’s modify it to disable squashing and allow us access to the / directory (AKA total compromise)!

All that’s left to do is to restart the nfs service and remount the directory and we’ll have total control over the box.

Which didn’t work because we’re not root! At this point I was a dirty skid and rebooted the VM but I’ll post a caveat at the end with what I should have done based on reading up after the challenge!
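The export settings this section revolves around, checked from the defender's side: an added example (not from the original write-up or the VM) that parses exports(5)-style text and flags exports that leave client root as uid 0, are writable from any host, or expose /. The sample file and the function names are constructed for illustration, and quoted paths and `-option` defaults are assumed not to occur.

```python
import re

# Constructed sample in exports(5) syntax; it is not the VM's real file.
SAMPLE_EXPORTS = """\
# path         client(options)
/home/vulnix   *(rw,root_squash)
/              *(rw,no_root_squash)
/srv/backup    10.0.0.5(ro,sync)
/srv/scratch   10.0.0.0/24(rw,sync,no_root_squash) \\
               build.example.test(rw,all_squash)
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Yield (path, host, options) for every client spec in an exports file."""
    joined = text.replace("\\\n", " ")          # join backslash continuations
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or ["*"]:             # no client listed = any host
            m = CLIENT_RE.match(spec)
            if m is None:
                continue                        # malformed spec, skip it
            opts = {o for o in (m.group("opts") or "").split(",") if o}
            yield path, m.group("host") or "*", opts


def audit_exports(text):
    """Return sorted (path, host, issue) findings for risky export settings."""
    findings = set()
    for path, host, opts in parse_exports(text):
        any_host = "*" in host
        # root_squash is the default, so only an explicit no_root_squash
        # (without all_squash overriding it) leaves client root as uid 0.
        if "no_root_squash" in opts and "all_squash" not in opts:
            findings.add((path, host, "client root keeps uid 0"))
        if "rw" in opts and any_host:
            # With the default sec=sys the server trusts the uid the client
            # sends, so root_squash alone does not protect ordinary users' files.
            findings.add((path, host, "writable by any host"))
        if path == "/":
            findings.add((path, host, "entire filesystem exported"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding, sep="\t")
```

Note that the first sample line is flagged even though it keeps root_squash: squashing only remaps uid 0, which is why the home directory export was still writable earlier in this post.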

Post Reboot Privesc

Box came back up after my shameful reboot aaaand –

*trumpet fanfare etc.*

Conclusion

Great, creative and reasonably difficult box! This had some really unique touches that I’d not come across before and I feel like I learned loads! Thanks Owen!

Appendix A – Correct Method to Privesc!

After reading this awesome write up after pwning the box I realised that I could have simply copied /bin/bash from my attacker box onto the mounted share and set the sticky bit (which would persist as EUID 0 on the remote box..), then SSH over to Vulnix and run “./bash -p” from their home directory to get a root shell! Bah!
