Vulnix: VulnHub Walkthrough


Hello everyone! In this blog I am going to post a walkthrough of Vulnix.

This machine is for beginners.

You can download the machine from this link: https://www.vulnhub.com/entry/hacklab-vulnix,48/

Let’s Start,

Target IP- 192.168.75.141

Attacker IP- 192.168.75.175

Let’s start with nmap

nmap -Pn -sV 192.168.75.141

The first service I took a look at was the NFS daemon, by looking at the export list on the host machine:

The home directory of the vulnix user is being exposed, which presents a potentially easy access point. So, I tried to mount it.

sudo mount -t nfs 192.168.75.141:/home/vulnix /mnt -o vers=2

So I created a new user with the specified ID, 2008 (after a mkdir mnt), switched to it, and then had access to the share.

Then, after running su vulnix, we had (limited) access:

Then I made a .ssh directory.

I then generated a key for SSH (ssh-keygen).

Now that I had remote write access as vulnix, I created a new SSH key pair and copied the public key into .ssh/authorized_keys, which then allowed me to SSH in to the box as vulnix.

I copied it into id_rsa using gedit and then logged in over SSH:

ssh -i id_rsa -l vulnix 192.168.75.141

After successfully logging in, I looked into the sudo privileges for vulnix by running sudo -l. I could see that the user is able to edit the NFS exports without the need for a password.

By using sudoedit /etc/exports, it’s possible to add another share to the export list, one which uses the no_root_squash option, which prevents root users from being remapped to the nobody user:

/root *(no_root_squash,insecure,rw)

This change doesn’t automatically get applied, but will be upon a system reboot. After rebooting the VM, the new share for the /root directory can be seen:

Following the same steps as before, it is now possible to add an SSH key into /root/.ssh/authorized_keys and gain root access:

Making directory mount

Making directory ssh

Now we can see the trophy.txt file:

Generating a key for SSH

Copying it into id_rsa using gedit and then logging in over SSH

chmod 600 id_rsa (setting the permissions on the key file)

ssh -i id_rsa root@192.168.75.141

We got root access!!
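Both footholds in this walkthrough came from /etc/exports: a home directory exported over NFS, and then a /root export with no_root_squash. The script below is an added example, not part of the original walkthrough, showing how an administrator could audit an exports file for those settings. The issue codes, the list of sensitive paths and the sample file are assumptions made for the example (only the /root line is taken from this post).

```python
import re

# Issue codes and why they matter (option semantics per exports(5)).
ISSUES = {
    "no_root_squash": "client root keeps uid 0 on the share",
    "insecure": "requests from unprivileged source ports are accepted",
    "any_host": "export is open to every client",
    "rw_sensitive": "sensitive path is remotely writable",
}
# Assumed list of sensitive prefixes; adjust for the host being audited.
SENSITIVE = ("/root", "/home", "/etc")
SPEC = re.compile(r"([^()]*)(?:\(([^()]*)\))?")

def audit_exports(text):
    """Return sorted (path, client, issue_code) findings.

    Assumes one export per line, no quoted paths or line continuations.
    """
    findings = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on spaces
        if len(fields) < 2:
            continue
        path, specs = fields[0], fields[1:]
        sensitive = any(path == p or path.startswith(p + "/") for p in SENSITIVE)
        for spec in specs:
            m = SPEC.fullmatch(spec)
            if not m:
                continue
            client = m.group(1) or "*"   # "(opts)" with no host means everyone
            opts = set(filter(None, (m.group(2) or "").split(",")))
            for code in ("no_root_squash", "insecure"):
                if code in opts:
                    findings.add((path, client, code))
            if client == "*":
                findings.add((path, client, "any_host"))
            if sensitive and "rw" in opts:
                findings.add((path, client, "rw_sensitive"))
    return sorted(findings)

# Constructed sample: the /root line is the one from the walkthrough,
# the other two are made up for contrast.
SAMPLE = """\
/home/vulnix *(rw,root_squash)
/root *(no_root_squash,insecure,rw)
/srv/pub 192.168.75.0/24(ro,root_squash)
"""

if __name__ == "__main__":
    for path, client, code in audit_exports(SAMPLE):
        print(f"{path} -> {client}: {code} ({ISSUES[code]})")
```

On a real host, pass the contents of /etc/exports to audit_exports() instead of SAMPLE. Restricting who may edit that file matters just as much, since here a passwordless sudoedit rule was enough to add the /root share.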

Writer: Shubhankar is a Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.
