Knock Knock !! Who's there?? - No one!!
let me come through back door
Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions
The goal; boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish – excluding the actual hacking of the vmdk
1. Finding the victim machine's (Vulnix VM) IP address.
root@kali:~# netdiscover -r 192.168.43.0/24
2. A port scan on the victim host.
root@kali:~# nmap -sT -p- -Pn -n -v 192.168.43.33 -T5
3. Finding users of the victim host.
root@kali:~# smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.43.33
4. Running finger against the usernames we found.
5. Since NFS is running on port 2049, we may be able to mount a share and find some data. The mounted share cannot be accessed, because the root_squash flag is set: the server maps our root user to an unprivileged anonymous user, which has no rights on the share's files.
6. Brute forcing SSH to find the password for the account named “user”. After that we could gain access to the account user over SSH.
7. Finding the UID of the user account called vulnix and creating a temporary user with that same UID on our system, so that the files on the mounted share become accessible.
8. Generating an SSH key to log in to the server as user vulnix without a password. We have to copy the generated public key into the /home/vulnix/.ssh/authorized_keys file.
9. Logging in to the victim's machine as ‘vulnix’.
10. vulnix can run a command to open /etc/exports without typing a password. Then we have to replace the root_squash flag with no_root_squash and reboot the machine manually. Once the machine has rebooted, mount the share again.
11. Once mounted, get a copy of the victim machine's local shell, change its ownership to root and set the SUID bit.
On my local machine, as ‘root’:
On the victim's machine:
There are multiple backdoors in old operating systems. But when it comes to a modern OS this is kind of difficult, even not possible. This is just one method you can use to breach through.