VulnHub: HACKLAB: VULNIX

Link: https://www.vulnhub.com/entry/hacklab-vulnix,48/

Enumeration

  1. Network discovery

My target is 10.0.2.41.

2. Port scan

NOTE: The IP address in the snapshot is my old VM, 10.0.2.35. However, the scan result is the same as 10.0.2.41.

3. OS and service scan

There’re many open ports. In summary, there’re 5 services: SSH, SMTP-related, finger, netkit-rsh, and NFS-related.

4. Vuln scan

The result is not useful to me right now.

5. SSH

No any banner.

6. Finger

Finger can be used to enumerate usernames. I used this list:

And this script:

I got 2 usernames: root and user.

7. NFS

I got a mountable directory.

Let’s mount it

Permission denied

Verify permssion

It belongs to vulnix.

Create fake user

Since the directory is /home/vulnix. I can create ssh key-pair and use it to login as vulnix to the target machine via opened SSH service.

Copy the key

Now I got the SSH shell.

Privilege Escalation

  1. Directory enumeration

I found nothing in

2. LinEnum.sh

Prepare attacker machine to be file server

Download to target machine

I found this interesting.

Verify sudo

I can edit /etc/exports.

3. edit /etc/exports

This file is related to the NFS service. I can add /root directory and mount it from the target machine.

Add this line

Save and restart the target machine.

Scan again

Now, I can mount /root.

Mount /root

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store