Vulnix: VulnHub Walkthrough

Hello Everyone, In this blog I am going to post walkthrough of Vulnix.

This machine is for beginners

You can download the machine from this link: https://www.vulnhub.com/entry/hacklab-vulnix,48/

Let’s Start,

Target IP- 192.168.75.141

Attacker IP- 192.168.75.175

Let’s start with nmap

nmap -Pn -sV 192.168.75.141

The first service I took a look at was the NFS daemon, by looking at the export list on the host machine:

The home directory of the vulnix user is being exposed, which presents a potentially easy access point. So,I tried to mount it.

sudo mount -t nfs 192.168.75.141:/home/vulnix /mnt -o vers=2

So I just add a new user with the specified ID, (mkdir mnt ) so I created a new user with ID 2008, switched to it, and then had access to the share

Then on doing su vulnix we had access(limited):

Then I made a ssh directory

I then created a keygen for the ssh (ssh-keygen)

Now that I had remote write access as vulnix, I created a new SSH key pair, and copied the public key into .ssh/authorized_keys, which then allowed me to SSH in to the box as vulnix

I copied it in id_rsa using gedit and then logged in ssh

ssh -i id_rsa -l vulnix 192.168.75.141

After successfully logging in , I looked into the sudo privileges for vulnix, I could see that the user is able to edit the NFS exports without the need for a password . Now I did sudo -l

By using sudoedit /etc/exports, it’s possible to add another share into the export list, one which uses the no_squash_root option; which prevents root users being remapped to the nobody user:

/root *(no_root_squash,insecure,rw)

This change doesn’t automatically get applied, but will do so upon a system reboot. After rebooting the VM, the new share into the /root directory can be seen: