HackLab – Vulnix

So I was poking around VulnHub for a new VM to work on and I came across Vulnix…  Here is how I got root!



Found ssh credentials.

Tried to login as User with the password “letmein”

We get access to user.

We also can see that this system is using rservices more specifically rlogin (We had a pretty good idea that this was the case with our original port scan showing port 513 being opened.)

Added wildcard + + to allow anybody to login with no password as user.

Rlogin appears to be working as expected!

Looks like along with “user” there is a user called “Vulnix”

Enumerator also found an NFS share with rw access to /home/vulnix

Created a .rhosts file with + + and uploaded it to the NFS share… (make sure to chmod 0600 .rhosts)

Now we have access as Vulnix!

Getting Root:

Sudo -l shows us that vulnix can sudoedit /etc/exports

Lets add a line to allow us to mount /root with no_root_squash permissions.

***Must reboot machine to get NFS service to restart***
(This is because User and Vulnix cannot reboot the system.  I will say I struggled with this part not knowing if I should be rebooting the box as part of my attack, but after finishing it I verified from the creators writeup that they also had to reboot.)

Created new DIR called .ssh in /root

Created, and uploaded public, and private keys for ssh.

Also created and uploaded an authorized_keys file with my public key in it.

(You may notice I messed up here, and created the ssh keys on the Vulnix VM instead of on my box.  So I used scp to copy them from /home/vulnix/.ssh/ to /tmp on my box. I was running nfspysh from /tmp on my box so I could now upload them to /root/.ssh/ on Vulnix.)



































Used ssh to connect as root which used my public key for access!




trophy.txt file!

2 thoughts on “HackLab – Vulnix

  • How come if i use mount rather nfspysh it let me to mount it but not to browse it ?

    root@kali:/tmp# mount -t nfs /tmp2/
    root@kali:/tmp# cd /tmp2
    -bash: cd: /tmp2: Permission denied
    root@kali:/tmp# nfspysh -o server= /tmp2/
    nfspy@> ls
    040700 2008 2008 4096 2015-05-09 21:31:02 .cache
    040750 2008 2008 4096 2015-05-10 10:11:59 .
    100644 2008 2008 220 2012-04-03 16:58:14 .bash_logout
    120777 2008 2008 5 2015-05-10 10:11:59 root -> /root
    100644 2008 2008 675 2012-04-03 16:58:14 .profile
    100600 2008 2008 325 2015-05-09 22:09:41 .bash_history
    040750 2008 2008 4096 2015-05-10 10:11:59 ..
    100644 2008 2008 3486 2012-04-03 16:58:14 .bashrc
    100644 2008 2008 4 2015-05-09 21:30:57 .rhosts


Leave a Reply

Your email address will not be published. Required fields are marked *

The opinions and thoughts on this blog are those of Overflow Security members, and do not reflect those of our members employers.