Hello Everyone, In this blog I am going to post walkthrough of Vulnix.
This machine is for beginners
You can download the machine from this link: https://www.vulnhub.com/entry/hacklab-vulnix,48/
Let’s Start,

Target IP- 192.168.75.141
Attacker IP- 192.168.75.175
Let’s start with nmap
nmap -Pn -sV 192.168.75.141

The first service I took a look at was the NFS daemon, by looking at the export list on the host machine:

The home directory of the vulnix user is being exposed, which presents a potentially easy access point. So,I tried to mount it.
sudo mount -t nfs 192.168.75.141:/home/vulnix /mnt -o vers=2
So I just add a new user with the specified ID, (mkdir mnt ) so I created a new user with ID 2008, switched to it, and then had access to the share

Then on doing su vulnix we had access(limited):

Then I made a ssh directory

I then created a keygen for the ssh (ssh-keygen)

Now that I had remote write access as vulnix, I created a new SSH key pair, and copied the public key into .ssh/authorized_keys, which then allowed me to SSH in to the box as vulnix

I copied it in id_rsa using gedit and then logged in ssh

ssh -i id_rsa -l vulnix 192.168.75.141

After successfully logging in , I looked into the sudo privileges for vulnix, I could see that the user is able to edit the NFS exports without the need for a password . Now I did sudo -l

By using sudoedit /etc/exports, it’s possible to add another share into the export list, one which uses the no_squash_root option; which prevents root users being remapped to the nobody user:
/root *(no_root_squash,insecure,rw)

This change doesn’t automatically get applied, but will do so upon a system reboot. After rebooting the VM, the new share into the /root directory can be seen:

Following the same steps as before, it is now possible to add an SSH key into /root/.ssh/authorized_keys and gain root access:
Making directory mount

Making directory ssh

Now we can see the trophy .txt file :

Creating keygen for ssh

Copying it in id_rsa using gedit and then logged in ssh

chmod 600 id_rsa:(giving it permission)
ssh -i id_isa root@192.168.75.141

We got the root access!!
Writer: Shubhankar is Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.