So I was poking around VulnHub for a new VM to work on and I came across Vulnix… Here is how I got root!
Found ssh credentials.
Tried to log in as User with the password “letmein”.
We get access to user.
We can also see that this system is using the r-services, more specifically rlogin. (We had a pretty good idea that this was the case, since our original port scan showed port 513 open.)
Added the wildcard + + to allow anybody to log in as user with no password.
Rlogin appears to be working as expected!
Looks like, along with “user”, there is a user called “Vulnix”.
Enumeration also found an NFS share with rw access to /home/vulnix.
Created a .rhosts file with + + and uploaded it to the NFS share… (make sure to chmod 0600 .rhosts)
Now we have access as Vulnix!
sudo -l shows us that vulnix can sudoedit /etc/exports.
Let's add a line to allow us to mount /root with no_root_squash permissions.
***Must reboot machine to get NFS service to restart***
(This is because User and Vulnix cannot reboot the system. I will say I struggled with this part, not knowing if I should be rebooting the box as part of my attack, but after finishing it I verified from the creator's writeup that they also had to reboot.)
Created a new directory called .ssh in /root.
Created and uploaded public and private keys for SSH.
Also created and uploaded an authorized_keys file with my public key in it.
(You may notice I messed up here, and created the ssh keys on the Vulnix VM instead of on my box. So I used scp to copy them from /home/vulnix/.ssh/ to /tmp on my box. I was running nfspysh from /tmp on my box so I could now upload them to /root/.ssh/ on Vulnix.)
Used ssh to connect as root, which used my public key for access!
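
Seen from the defender's side, the settings this walkthrough relied on (a + + trust entry, an rw NFS export open to any client, and a no_root_squash export) can be flagged with a short audit of the two file formats. This is an added example, not part of the original post; the function names and the sample file contents are constructed for illustration.

```python
import re

# One client spec in /etc/exports: "host(opt,opt)", "host" or "(opt,opt)"
CLIENT = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")

def audit_exports(text):
    """Return (path, client, reason) findings for risky /etc/exports entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:             # no client listed = any client
            m = CLIENT.match(spec)
            if not m:
                continue
            host = m.group("host") or "*"        # empty host also means any client
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash: remote root keeps uid 0"))
            if "rw" in opts and host == "*":
                findings.append((path, host, "rw export to any client"))
    return findings

def audit_rhosts(text):
    """Return (line_no, line) for .rhosts / hosts.equiv entries using the + wildcard."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()    # format: host [user]
        if fields and "+" in fields[:2]:
            hits.append((n, raw.strip()))
    return hits

# Constructed samples modelled on the misconfigurations in the walkthrough
SAMPLE_EXPORTS = """\
# /etc/exports (constructed)
/home/vulnix  *(rw,root_squash)
/root         *(rw,no_root_squash)
/srv/docs     192.0.2.10(ro)
"""
SAMPLE_RHOSTS = "+ +\nbuildhost alice\n"

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("exports:", *finding)
    for hit in audit_rhosts(SAMPLE_RHOSTS):
        print("rhosts:", *hit)
```

On a real host, feed it the contents of /etc/exports and of each user's .rhosts and /etc/hosts.equiv.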