OSCP Prep — Vulnix CTF Write-Up

assume-breach
5 min read, Sep 30, 2020


In preparation for the OSCP, I decided that I would tackle some of the boxes on Abatchy’s list. One of these boxes was Vulnix.

The box doesn’t explicitly say what type of user it was built for, easy or hard, but going through the machine I found it to be somewhat beginner and somewhat intermediate.

Gaining an initial shell wasn’t very difficult, but it did take some patience and a decent amount of enumeration on some pretty unfamiliar services for beginners. Let’s get started.

My Nmap scan gave me a few open ports to start poking around at.

user@kali:~$ nmap -sV -Pn -A -p- 192.168.1.107
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-30 12:29 EDT
Nmap scan report for 192.168.1.107
Host is up (0.0061s latency).
Not shown: 65518 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2020-09-30T16:31:00+00:00; 0s from scanner time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.\x0D
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES STLS SASL TOP UIDL CAPA PIPELINING
|_ssl-date: 2020-09-30T16:31:00+00:00; 0s from scanner time.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 40896/tcp6 mountd
| 100005 1,2,3 53280/udp6 mountd
| 100005 1,2,3 53677/udp mountd
| 100005 1,2,3 59075/tcp mountd
| 100021 1,3,4 36730/tcp nlockmgr
| 100021 1,3,4 45174/tcp6 nlockmgr
| 100021 1,3,4 54563/udp6 nlockmgr
| 100021 1,3,4 59064/udp nlockmgr
| 100024 1 35396/udp status
| 100024 1 43153/tcp6 status
| 100024 1 46036/udp6 status
| 100024 1 49907/tcp status
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
143/tcp open imap Dovecot imapd
|_imap-capabilities: LITERAL+ more post-login listed OK capabilities SASL-IR have ENABLE Pre-login IMAP4rev1 ID IDLE STARTTLS LOGINDISABLEDA0001 LOGIN-REFERRALS
|_ssl-date: 2020-09-30T16:31:00+00:00; 0s from scanner time.
512/tcp open exec?
513/tcp open login
514/tcp open tcpwrapped
993/tcp open ssl/imaps?
|_ssl-date: 2020-09-30T16:30:59+00:00; -1s from scanner time.
995/tcp open ssl/pop3s?
|_ssl-date: 2020-09-30T16:31:00+00:00; 0s from scanner time.
2049/tcp open nfs_acl 2-3 (RPC #100227)
34931/tcp open mountd 1-3 (RPC #100005)
36730/tcp open nlockmgr 1-4 (RPC #100021)
45810/tcp open mountd 1-3 (RPC #100005)
49907/tcp open status 1 (RPC #100024)
59075/tcp open mountd 1-3 (RPC #100005)
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 239.94 seconds

The first port that really caught my eye was the NFS service on port 2049. I decided to check the target’s NFS exports so I used the showmount command.

user@kali:~/Desktop$ showmount -e 192.168.1.107
Export list for 192.168.1.107:
/home/vulnix *
user@kali:~/Desktop$

The target was exporting user Vulnix’s home folder. I made an NFS directory in my /tmp folder and ran mount -t to try to mount the nfs folder, but I wasn’t allowed to view it.
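An export of a user's home directory to `*` is the finding a defender should care about here. The audit below is an added example, not code from the write-up: it parses `showmount -e` output of the shape shown above and an /etc/exports file (both samples are constructed; the /etc/exports options are an assumption, since the page does not show them) and flags exports open to any host, world-writable exports and `no_root_squash`.

```python
import re

# Constructed sample in the format showmount -e prints (first line is the header).
SHOWMOUNT_OUTPUT = """Export list for 192.168.1.107:
/home/vulnix *
/srv/backup 10.0.0.0/24
"""

# Constructed /etc/exports; the option sets are assumptions, not taken from the box.
ETC_EXPORTS = """# exports file (constructed sample)
/home/vulnix *(rw,sync,no_root_squash)
/srv/backup 10.0.0.0/24(ro,sync,root_squash)
"""

def parse_showmount(text):
    """Return [(path, client_spec), ...] from showmount -e output, skipping the header."""
    exports = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            exports.append((parts[0], parts[1]))
    return exports

def audit_exports(text):
    """Parse /etc/exports and return [(path, host, [issues]), ...] for risky entries.

    Flags: exported to any host, rw exported to any host, and no_root_squash
    (which lets a client's root act as root on the exported tree)."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = re.match(r"([^(]+)(?:\((.*)\))?", client)  # host(opt,opt) or bare host
            host, opts = m.group(1), (m.group(2) or "").split(",")
            issues = []
            if host in ("*", "0.0.0.0/0"):
                issues.append("exported to any host")
                if "rw" in opts:
                    issues.append("world-writable")
            if "no_root_squash" in opts:
                issues.append("no_root_squash")
            if issues:
                findings.append((path, host, issues))
    return findings
```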

At this point, I was convinced that the way in was the vulnix user and the SSH service. The fingerd service was running on port 79 so I used it to enumerate the Vulnix user.

I tried to brute force the SSH login for Vulnix with Hydra, but I couldn’t get it to work. I moved on because I either had the wrong user name or the wrong password. I was kind of stumped here for a while.

I tried to connect to the RPC service but anonymous login wasn’t allowed. At this point, I decided to try to enumerate other SSH users. Metasploit has an SSH user scanner and there is a common Unix user wordlist.

Going through the results, there were a few users that the scanner found. The most notable was the user “user”. I exported the list and ran a few of them against the rockyou wordlist.

Eventually, I got a hit. With a useable username and password, I SSH’d into the target.
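Both the user scan and the Hydra run leave a very loud trail in the target's sshd log. The detector below is an added example, not part of the write-up; it runs over constructed auth.log lines in the standard sshd format, counts failures and distinct usernames per source, and reports a source that logs in successfully after a run of failures as a likely credential compromise. The threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed auth.log sample: a user-enumeration attempt, a password spray
# against "user" that eventually succeeds, and one unrelated failure.
AUTH_LOG = """Sep 30 12:40:01 vulnix sshd[1201]: Failed password for invalid user vulnix from 192.168.1.50 port 40111 ssh2
Sep 30 12:40:02 vulnix sshd[1202]: Failed password for invalid user vulnix from 192.168.1.50 port 40112 ssh2
Sep 30 12:41:10 vulnix sshd[1210]: Failed password for user from 192.168.1.50 port 40120 ssh2
Sep 30 12:41:11 vulnix sshd[1211]: Failed password for user from 192.168.1.50 port 40121 ssh2
Sep 30 12:41:12 vulnix sshd[1212]: Failed password for user from 192.168.1.50 port 40122 ssh2
Sep 30 12:41:13 vulnix sshd[1213]: Failed password for user from 192.168.1.50 port 40123 ssh2
Sep 30 12:41:14 vulnix sshd[1214]: Accepted password for user from 192.168.1.50 port 40124 ssh2
Sep 30 12:45:00 vulnix sshd[1300]: Failed password for root from 10.0.0.9 port 50000 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port")

def analyse_auth_log(log, threshold=5):
    """Return (flagged, compromised).

    flagged:     {source_ip: (failure_count, sorted usernames tried)} for sources
                 with at least `threshold` failures (assumed threshold).
    compromised: [(user, source_ip)] for successful logins from a source that
                 had already crossed the threshold, i.e. a brute force that worked."""
    failures = Counter()
    users = defaultdict(set)
    compromised = []
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users[src].add(user)
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= threshold:
            compromised.append((m.group(1), m.group(2)))
    flagged = {src: (n, sorted(users[src]))
               for src, n in failures.items() if n >= threshold}
    return flagged, compromised
```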

I transferred Linpeas.sh over to the target to enumerate for privilege escalation. When I ran the script, it gave a hit on the kernel as the point of entry to a root shell.

A quick Google search showed that this target was vulnerable to the Dirty Cow exploit. I already had a compiled version of the exploit from a previous CTF so I transferred it over.

I ran the exploit and entered my new password. I then SSH’d into the target as firefart.
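Logging in as firefart afterwards implies the exploit variant that plants a UID 0 account with its hash directly in /etc/passwd. The check below is an added example, not code from the write-up: it audits /etc/passwd content for UID 0 entries other than root, password hashes stored outside /etc/shadow, and a missing root entry. Both samples are constructed, and the hash is a placeholder.

```python
# Constructed clean /etc/passwd excerpt.
PASSWD_CLEAN = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
"""

# Constructed tampered excerpt: root's line replaced by a UID 0 user carrying
# a placeholder hash (assumption about the exploit's effect, not from the page).
PASSWD_TAMPERED = """firefart:$6$SALTSALT$PLACEHOLDERHASH:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
"""

def audit_passwd(text):
    """Return a list of findings for a /etc/passwd file's content."""
    findings = []
    root_present = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:          # name:pw:uid:gid:gecos:home:shell
            findings.append(f"line {lineno}: malformed entry")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if name == "root" and uid == "0":
            root_present = True
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 account that is not root")
        if pw and pw not in ("x", "*", "!"):
            findings.append(f"{name}: password hash stored in /etc/passwd instead of /etc/shadow")
    if not root_present:
        findings.append("root entry with UID 0 is missing (possibly overwritten)")
    return findings
```

On a live host this is one of the cheapest integrity checks to schedule, alongside file-integrity monitoring of /etc/passwd itself.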

Lastly, I grabbed the trophy.txt file for proof.

This was a great CTF that wasn’t too difficult, but required a lot of enumeration and a lot of trial and error on password brute forcing. All in all it was a fun box and I’m glad that I completed it as part of my OSCP prep. For more CTF write-ups, follow me here or on Twitter @assume_breach.
