Firstly, we must download and extract the given Box named ‘Vulnix’ and set up the network configurations, so as to make sure that the Vulnix Box and our Kali box are on the same network. Once that is done, we must start both VMs.
Identifying the victim machines IP
In order to identify which IP, we need to be penetrating, we can issue the command, netdiscover -r
in our case it is :netdiscover -r 192.168.1.0/24
Now, by the MAC Address of the machine, we can tell that our Victim’s IP is 192.168.1.5 (MAC address of devices could be found using Virtual Box).
Next we need to do a port scanning to identify the open ports that we can use
nmap -p -Ss- -A
In our case it is :nmap -p -Ss- -A 192.168.1.5
Notable ports found : SSH, SMTP, Finger, RSH
Our next task is to find the users of the Vulnix box
In order to do this, we issue the command,
smtp-user-enum -M VRFY -U /usr/share/metasploit-framework/data/wordlists/unix_users.txt -t 192.168.1.5
We can now use the finger command to reveal more user details
Command is : finger @
In our case, we just need to verify whether 2 of the above users are valid. users: user and vulnix
So our commands would be,
finger user@192.168.1.5 finger vulnix@192.168.1.5
NFS enumeration
We can try to mount a NFS directory to find some useful information. The following commands were run to mount such directory.
We can run a brute force against the user:’user’ to try to get the password.
Now we can SSH into the Vulnix VM as user and gather information about the user, ‘vulnix’
Afterwards we create a user in our system by the name ‘vulnix’ to access the mounted directory.
Generating SSH key pairs & copying the public key of our VM into the authorized keys of vulnix.
Now we can ssh to the vulnix machine as follows
Our next objective is privilege escalation
This can be done by editing the /etc/export
Now we must reboot the Vulnix Box so that the changes can take effect.Then we will need to mount the NFS directory as earlier
Next we will be copying /bin/bash to Vulnix in order to gain access.
Finally we can login as vulnix and run the copied file to gain root access of Vulnix and capture the flag.
There seemed to be a problem when executing the bash file. When I looked it up on the internet, I figured out that this was due to my VM being in the Kali VM was a 64bit and the target VM was on 32 bit. Hence, I installed Kali32bit and started all over. (Note the IP address change is due to this change of VMs). Finally by copying the bash file and executing it as vulnix user, I was able to gain root access and capture the flag.
