No.21-VulnHub-HackLAB: Vulnix-Walkthrough penetration study

**VulnHub-HackLAB: Vulnix-Walkthrough**

Target address: https://www.vulnhub.com/entry/hacklab-vulnix,48/
Target difficulty: beginner (CTF)
Target release date: September 10, 2012
Target description: Here we have a vulnerable Linux host with a configuration flaw, rather than a purposely vulnerable version of software (at the time of release, anyway!)
Goal: obtain root privileges & find flag.txt
Author: big Yu
Time: 2020-01-18

Note: I downloaded all of these machines and run them in VMware. I will use Kali Linux as the attacker machine for this CTF. The techniques used here are for learning and educational purposes only; if the techniques listed are used for any other goal, I will not be responsible.

First, information collection

We need to identify the target VM's IP address; use nmap to find it:
We've found the CTF target machine's IP address: 192.168.56.131
A lot of ports are open, so there should be a variety of ways to get access ...
I studied port 25 yesterday, so today I start directly with port 25 ...
Here you can see that VRFY is not disabled ... it confirms that the vulnix user exists ... we need to check whether there are more users
Use the smtp-user-enum script with the wordlist /usr/share/metasploit-framework/data/wordlists/unix_users.txt provided by the Metasploit framework to enumerate users ...
Many users were found ... two of them are more important ...
Command: finger [email protected]
Looking at the two users ... both are valid
The query for user returns the login user along with Dovecot's dovenull login ...
This only confirms that the users exist; a password still has to be obtained ...
Next, I will enumerate the NFS server on port 2049 ... (found by the Nmap scan)
This needs nfs-common (Kali comes with it)

NFS Enumeration

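We can see that a folder for the user vulnix is exported as a share ... mount the remote share on the local Kali machine ...
The share has in fact been mounted; the root_squash flag is probably set, so we are simply not allowed to access it ... only the vulnix user is allowed to access it ...
For now only the vulnix user is allowed in, and it must have the same id and gid as on the target ...
(Earlier we can see two users with root privileges, root and user; one could create a user and modify code to escalate privileges against those users. I did not go deep into this here and will fill it in gradually later ...)
I brute-forced the password of the user account directly with Hydra ...
Command: hydra -l user -P rockyou.txt 192.168.182.131 ssh -t 4
Account: user
Password: letmein

GCC is not installed, so local exploits written in C cannot be used ...
The shared directory cannot be accessed; after seeing the id and gid, we can create a temporary user with the same id and gid values to access the shared directory ...
After creating the temporary user mnt, generate an SSH key to log in directly ... let's start
After generating the SSH key, go back to the temporary user mnt and import the key ... (just keep pressing Enter to accept the defaults during generation)
Then log in directly; the SSH key is matched automatically ...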

Second, privilege escalation

I am now on the target system and can continue enumerating to try to escalate privileges ...
sudo offers an escalation path: sudoedit /etc/exports can be run as root, which allows editing the /etc/exports file ...
This is done by replacing root_squash with no_root_squash ...
After the change, we need to unmount the mount point ...
Then there is a snag ... because I set this up in VMware, and without root privileges I cannot run shutdown -r on it ... so the vulnix target has to be restarted from VMware ...
Since the NFS directory was unmounted earlier, remount the mnt share that was created ... (it is a bit slow)
Copy the local machine's /bin/bash to /tmp/nfs and use the bash in that directory to escalate ... give it 4777 permissions ...
Running ./bash -p as the vulnix user gave an error, it could not be opened ... copy it again in this directory
Privilege escalation succeeded!!!
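
As an added example (not part of the original walkthrough), a defender-side audit for the two /etc/exports weaknesses this machine relies on: a share exported to any host that trusts the uid/gid the client sends, and no_root_squash. The sample exports text, the finding names and the function names are constructed for illustration, and the check assumes the default sec=sys authentication.

```python
import re

# Constructed sample exports file, not copied from the target.
SAMPLE = """\
# /etc/exports (constructed for this example)
/home/vulnix  *(rw,root_squash)
/srv/build    10.0.0.5(rw,no_root_squash) \\
              10.0.0.6(ro)
/srv/pub      -ro,all_squash *.example.test
"""

# Export options that weaken the share (see exports(5)).
RISKY = ("no_root_squash", "insecure")

def parse_exports(text):
    """Yield (path, client, options) for every client on every export line."""
    text = text.replace("\\\n", " ")               # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        defaults = []
        for client in clients:
            if client.startswith("-"):             # "-opt,opt": defaults for the rest of the line
                defaults = client[1:].split(",")
                continue
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", client)
            if not m:
                raise ValueError(f"cannot parse client {client!r} for {path}")
            host = m.group(1) or "*"               # "(opts)" with no host means any host
            own = [o for o in (m.group(2) or "").split(",") if o]
            yield path, host, defaults + own

def audit(text):
    """Return (path, client, finding) tuples for risky exports."""
    findings = []
    for path, host, opts in parse_exports(text):
        findings += [(path, host, o) for o in RISKY if o in opts]
        # With the default sec=sys the server believes the uid/gid the client
        # sends, so a share open to any host lets a client pick a matching uid.
        if host == "*" and "all_squash" not in opts:
            findings.append((path, host, "any-host-uid-trust"))
    return findings

if __name__ == "__main__":
    for path, host, finding in audit(SAMPLE):
        print(f"{path} -> {host}: {finding}")
```

Restricting the export to named client hosts and keeping sudo rights away from /etc/exports removes both findings.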

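This is a target machine built around logical penetration, and it is very interesting ... be sure to work through it by hand several times; practice makes perfect. Keep going!!

Since we have successfully obtained root privileges & found flag.txt, this easy target is complete. I hope you like this machine; please keep following big Yu, there will be more challenging machines later to practise and learn on together.

If you have other methods, please leave a comment. If I have written something wrong, please be sure to tell me. If you think this blog post is well written, feel free to share it with the people around you.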


Origin blog.csdn.net/qq_34801745/article/details/104024480