Sunday, September 2, 2018



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Vulnix.

- According to Vulnix's author there is a trophy hidden in the /root folder.

- Vulnix can be downloaded from here:,48/

- Once downloaded and extracted with VMware:


- Using netdiscover to find the vulnerable machine's IP:

- Scanning with Nmap, we find that a lot of services are open:

2.1 - Enumerating rpcbind

rpcbind maps RPC services to the ports on which they listen, redirecting a client to the proper port number so it can communicate with the requested service.

rpcinfo with option -p shows that there is an NFS (Network File System) server running on Vulnix at port 2049:

2.2 - Enumerating NFS

- The NFS protocol was developed for sharing files and folders between systems: a remote file system is mounted over the network, and hosts can interact with it as if it were mounted locally.

showmount shows mount information for the NFS server, with option -e for the export list: 

- So the NFS service shares the files located at /home/vulnix, and the export can be accessed from any host.

- By the way, we also learn of the existence of a user called vulnix.

2.3 - Enumerating SMTP

- Trying to find some info using Metasploit against the SMTP server:

- Same thing with telnet:

2.4 - Enumerating finger

- At port 79 the finger service gives information about the users, for instance:



- Let's notice that all users have /bin/bash as their default shell.


3.1 - Low privilege shell with SSH

- Let's launch Hydra against the SSH service with a list of users and the wordlist rockyou.txt for passwords:


- Now, we can successfully log into Vulnix using the credentials user:letmein

- However, this is a low-privilege shell and we cannot access the vulnix home folder that is shared over NFS:


- Nor is the account user a sudoer:

3.2 - User vulnix

- Let's find more info about the user vulnix; for instance, its UID is 2008:

- Now, let's mount the remote /home/vulnix at /mnt/vulnix on our local machine:


- Also, on Kali let's create a new user called vulnix with the same UID 2008 as the remote one:

- Moreover, let's generate a public/private RSA key pair, so that we can later log in to the vulnerable machine Vulnix over SSH as the user vulnix:


- Let's notice that the public key has been saved to /root/.ssh/

- Copying the newly created public key to the remote /tmp folder:

- Assigning ownership of the key to user vulnix:


- Creating a new folder .ssh at the remote machine:

- Appending the content of the public key to the authorized_keys file, which specifies the SSH keys that can be used to log into the account for which the file is configured, vulnix in our case:

- Now we can log into Vulnix as user vulnix without a password, because the public key we generated is now authorized for that account:



4.1 - no_root_squash

- Let's start the privilege escalation process by checking the vulnix user's sudo permissions:

- It seems that vulnix can run the command sudoedit /etc/exports as root without any password.

- Checking /etc/exports we notice that /home/vulnix is exported with root_squash, meaning that the client's root user is mapped to an unprivileged account on the server, so it cannot act as root on the share over NFS:

- However, because user vulnix has "sudoediting" privileges on /etc/exports, this can easily be changed to no_root_squash:


- Now, to make these changes effective Vulnix needs to be rebooted so that the NFS services restart; let's do it manually:
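As an added example that is not part of the original write-up, a small POSIX shell audit that reads an exports file and flags the two conditions this walkthrough relies on: an export open to every host, as seen in 2.2, and the no_root_squash option just introduced. The sample exports file, the function names and the temp path are constructed here.

```shell
#!/bin/sh
# Added example, not Vulnix's own tooling: audit an exports file for an
# export open to every host ("*" or no client given) and for
# no_root_squash, which lets a client's root keep root on the share.

# audit_exports FILE : print one finding per line
audit_exports() {
    awk '
        { sub(/#.*/, "") }              # drop comments
        /^[ \t]*$/ { next }             # skip blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                n = index(client, "(")
                if (n > 0) {            # split "host(opt,opt)" into host and opts
                    opts = substr(client, n + 1); sub(/\)$/, "", opts)
                    client = substr(client, 1, n - 1)
                }
                if (client == "" || client == "*")
                    print path ": exported to any host"
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    print path ": no_root_squash (remote root keeps root)"
            }
        }' "$1"
}

# count_findings FILE : number of findings; 0 means nothing was flagged
count_findings() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# Constructed sample (hypothetical file written to a temp path so the script
# runs offline): the Vulnix export before and after the sudoedit, plus a
# properly restricted export for contrast.
SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
# before: any host, but the client's root is squashed
/home/vulnix *(rw,root_squash)
# after the sudoedit: any host AND the client's root keeps root
/home/vulnix *(rw,no_root_squash)
# restricted to one subnet with root squashed: nothing to flag
/srv/backup 10.0.0.0/24(ro,root_squash)
EOF

audit_exports "$SAMPLE_EXPORTS"
echo "findings: $(count_findings "$SAMPLE_EXPORTS")"
```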


4.2 - Creating a root_shell

- Mounting the shared folder again:


- SSH-ing into Vulnix again as vulnix:

- On the remote machine, copying its /bin/bash binary to a new file, victim_shell:

- It immediately shows up on our local machine through the NFS share:


- As expected, victim_shell is owned by vulnix and carries only that user's permissions:


- Copying its content to a new file, root_shell:

- Setting root ownership and the SUID bit on root_shell:

- Comparing permissions for both shells:


- Executing root_shell with option -p (bash's privileged mode, which keeps the effective UID granted by the SUID bit instead of dropping it to the real UID), we eventually get a root shell on the vulnerable machine Vulnix:



- Going to the /root folder we find the trophy: