{"id":83,"date":"2017-10-20T02:00:34","date_gmt":"2017-10-20T02:00:34","guid":{"rendered":"http:\/\/hackerintent.co.nf\/?p=83"},"modified":"2017-10-20T02:00:34","modified_gmt":"2017-10-20T02:00:34","slug":"vulnix-ctf","status":"publish","type":"post","link":"https:\/\/takeondevops.com\/?p=83","title":{"rendered":"Vulnix CTF"},"content":{"rendered":"

Firstly, we must download and extract the given Box named \u2018Vulnix\u2019 and set up the network configurations, so as to make sure that the Vulnix Box and our Kali box are on the same network. Once that is done, we must start both VMs.<\/p>\n

Identifying the victim machines IP<\/h3>\n

In order to identify which IP, we need to be penetrating, we can issue the command, netdiscover -r
\nin our case it is :netdiscover -r 192.168.1.0\/24<\/code>
\n
\nNow, by the MAC Address of the machine, we can tell that our Victim\u2019s IP is 192.168.1.5 (MAC address of devices could be found using Virtual Box).<\/p>\n

Next we need to do a port scanning to identify the open ports that we can use<\/h3>\n

nmap -p -Ss- -A
\nIn our case it is :nmap -p -Ss- -A 192.168.1.5<\/code>
\n
\n
\nNotable ports found : SSH, SMTP, Finger, RSH<\/p>\n

Our next task is to find the users of the Vulnix box<\/h3>\n

In order to do this, we issue the command,
\nsmtp-user-enum -M VRFY -U \/usr\/share\/metasploit-framework\/data\/wordlists\/unix_users.txt -t 192.168.1.5<\/code>
\n<\/p>\n

We can now use the finger command to reveal more user details<\/h3>\n

Command is : finger @
\nIn our case, we just need to verify whether 2 of the above users are valid. users: user and vulnix
\nSo our commands would be,
\nfinger user@192.168.1.5 finger vulnix@192.168.1.5
\n<\/p>\n

NFS enumeration<\/h3>\n

We can try to mount a NFS directory to find some useful information. The following commands were run to mount such directory.
\n<\/p>\n

We can run a brute force against the user:\u2019user\u2019 to try to get the password.<\/h3>\n

<\/p>\n

Now we can SSH into the Vulnix VM as user and gather information about the user, \u2018vulnix\u2019<\/h3>\n

Afterwards we create a user in our system by the name \u2018vulnix\u2019 to access the mounted directory.
\n<\/p>\n

Generating SSH key pairs & copying the public key of our VM into the authorized keys of vulnix.<\/h3>\n


\nNow we can ssh to the vulnix machine as follows
\n<\/p>\n

Our next objective is privilege escalation<\/h3>\n

This can be done by editing the \/etc\/export
\n
\nNow we must reboot the Vulnix Box so that the changes can take effect.Then we will need to mount the NFS directory as earlier<\/p>\n

Next we will be copying \/bin\/bash to Vulnix in order to gain access.<\/h3>\n

<\/p>\n

Finally we can login as vulnix and run the copied file to gain root access of Vulnix and capture the flag.<\/h3>\n


\nThere seemed to be a problem when executing the bash file. When I looked it up on the internet, I figured out that this was due to my VM being in the Kali VM was a 64bit and the target VM was on 32 bit. Hence, I installed Kali32bit and started all over. (Note the IP address change is due to this change of VMs). Finally by copying the bash file and executing it as vulnix user, I was able to gain root access and capture the flag.
\n<\/p>\n","protected":false},"excerpt":{"rendered":"

Firstly, we must download and extract the given Box named \u2018Vulnix\u2019 and set up the network configurations, so as to make sure that the Vulnix Box and our Kali box are on the same network. Once that is done, we must start both VMs. Identifying the victim machines IP In order to identify which IP, […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[2,5],"tags":[],"class_list":["post-83","post","type-post","status-publish","format-standard","hentry","category-ctf","category-infosec"],"yoast_head":"\nVulnix CTF - Take On Devops<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/takeondevops.com\/?p=83\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Vulnix CTF - Take On Devops\" \/>\n<meta property=\"og:description\" content=\"Firstly, we must download and extract the given Box named \u2018Vulnix\u2019 and set up the network configurations, so as to make sure that the Vulnix Box and our Kali box are on the same network. Once that is done, we must start both VMs. Identifying the victim machines IP In order to identify which IP, […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/takeondevops.com\/?p=83\" \/>\n<meta property=\"og:site_name\" content=\"Take On Devops\" \/>\n<meta property=\"article:published_time\" content=\"2017-10-20T02:00:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/farm5.staticflickr.com\/4494\/37538694310_4cdf3f5224_b.jpg\" \/>\n<meta name=\"author\" content=\"ihsan izwer\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ihsan izwer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=83#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=83\"},\"author\":{\"name\":\"ihsan izwer\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/#\\\/schema\\\/person\\\/465f2fb632235eb4079002754cd66aeb\"},\"headline\":\"Vulnix CTF\",\"datePublished\":\"2017-10-20T02:00:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=83\"},\"wordCount\":463,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=83#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/farm5.staticflickr.com\\\/4494\\\/37538694310_4cdf3f5224_b.jpg\",\"articleSection\":[\"CTF\",\"InfoSec\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/takeondevops.com\\\/?p=83#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=83\",\"url\":\"https:\\\/\\\/takeondevops.com\\\/?p=83\",\"name\":\"Vulnix CTF - Take On Devops\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=83#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=83#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/farm5.staticflickr.com\\\/4494\\\/37538694310_4cdf3f5224_b.jpg\",\"datePublished\":\"2017-10-20T02:00:34+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/#\\\/schema\\\/person\\\/465f2fb632235eb4079002754cd66aeb\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=83#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/takeondevops.com\\\/?p=83\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=83#primaryimage\",\"url\":\"https:\\\/\\\/farm5.staticflickr.com\\\/4494\\\/37538694310_4cdf3f5224_b.jpg\",\"contentUrl\":\"https:\\\/\\\/farm5.staticflickr.com\\\/4494\\\/37538694310_4cdf3f5224_b.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/?p=83#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/takeondevops.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Vulnix CTF\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/#website\",\"url\":\"https:\\\/\\\/takeondevops.com\\\/\",\"name\":\"Take On Devops\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/takeondevops.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/takeondevops.com\\\/#\\\/schema\\\/person\\\/465f2fb632235eb4079002754cd66aeb\",\"name\":\"ihsan izwer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g\",\"caption\":\"ihsan izwer\"},\"url\":\"https:\\\/\\\/takeondevops.com\\\/?author=3\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Vulnix CTF - Take On Devops","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/takeondevops.com\/?p=83","og_locale":"en_US","og_type":"article","og_title":"Vulnix CTF - Take On Devops","og_description":"Firstly, we must download and extract the given Box named \u2018Vulnix\u2019 and set up the network configurations, so as to make sure that the Vulnix Box and our Kali box are on the same network. Once that is done, we must start both VMs. Identifying the victim machines IP In order to identify which IP, […]","og_url":"https:\/\/takeondevops.com\/?p=83","og_site_name":"Take On Devops","article_published_time":"2017-10-20T02:00:34+00:00","og_image":[{"url":"https:\/\/farm5.staticflickr.com\/4494\/37538694310_4cdf3f5224_b.jpg","type":"","width":"","height":""}],"author":"ihsan izwer","twitter_card":"summary_large_image","twitter_misc":{"Written by":"ihsan izwer","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/takeondevops.com\/?p=83#article","isPartOf":{"@id":"https:\/\/takeondevops.com\/?p=83"},"author":{"name":"ihsan izwer","@id":"https:\/\/takeondevops.com\/#\/schema\/person\/465f2fb632235eb4079002754cd66aeb"},"headline":"Vulnix CTF","datePublished":"2017-10-20T02:00:34+00:00","mainEntityOfPage":{"@id":"https:\/\/takeondevops.com\/?p=83"},"wordCount":463,"commentCount":0,"image":{"@id":"https:\/\/takeondevops.com\/?p=83#primaryimage"},"thumbnailUrl":"https:\/\/farm5.staticflickr.com\/4494\/37538694310_4cdf3f5224_b.jpg","articleSection":["CTF","InfoSec"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/takeondevops.com\/?p=83#respond"]}]},{"@type":"WebPage","@id":"https:\/\/takeondevops.com\/?p=83","url":"https:\/\/takeondevops.com\/?p=83","name":"Vulnix CTF - Take On Devops","isPartOf":{"@id":"https:\/\/takeondevops.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/takeondevops.com\/?p=83#primaryimage"},"image":{"@id":"https:\/\/takeondevops.com\/?p=83#primaryimage"},"thumbnailUrl":"https:\/\/farm5.staticflickr.com\/4494\/37538694310_4cdf3f5224_b.jpg","datePublished":"2017-10-20T02:00:34+00:00","author":{"@id":"https:\/\/takeondevops.com\/#\/schema\/person\/465f2fb632235eb4079002754cd66aeb"},"breadcrumb":{"@id":"https:\/\/takeondevops.com\/?p=83#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/takeondevops.com\/?p=83"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/takeondevops.com\/?p=83#primaryimage","url":"https:\/\/farm5.staticflickr.com\/4494\/37538694310_4cdf3f5224_b.jpg","contentUrl":"https:\/\/farm5.staticflickr.com\/4494\/37538694310_4cdf3f5224_b.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/takeondevops.com\/?p=83#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/takeondevops.com\/"},{"@type":"ListItem","position":2,"name":"Vulnix CTF"}]},{"@type":"WebSite","@id":"https:\/\/takeondevops.com\/#website","url":"https:\/\/takeondevops.com\/","name":"Take On Devops","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/takeondevops.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/takeondevops.com\/#\/schema\/person\/465f2fb632235eb4079002754cd66aeb","name":"ihsan izwer","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c82c3d13c92d77259746074978cb7d498778b44914dea60ad0367dec237c349f?s=96&d=mm&r=g","caption":"ihsan izwer"},"url":"https:\/\/takeondevops.com\/?author=3"}]}},"jetpack_featured_media_url":"","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/takeondevops.com\/index.php?rest_route=\/wp\/v2\/posts\/83","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/takeondevops.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/takeondevops.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/takeondevops.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/takeondevops.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=83"}],"version-history":[{"count":0,"href":"https:\/\/takeondevops.com\/index.php?rest_route=\/wp\/v2\/posts\/83\/revisions"}],"wp:attachment":[{"href":"https:\/\/takeondevops.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=83"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/takeondevops.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=83"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/takeondevops.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=83"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}