There are several ways to gain root access in Vulnix (release 1.0). Here I shall discuss a variety of methods, although this is by no means an exhaustive list.
Assuming you’ve located the IP address, you can run a port scan and will find the following services listening (shortened for easy reference):
- 22/tcp open ssh
- 25/tcp open smtp
- 79/tcp open finger
- 110/tcp open pop3
- 111/tcp open rpcbind
- 143/tcp open imap
- 512/tcp open exec
- 513/tcp open login
- 514/tcp open
- 993/tcp open ssl
- 995/tcp open ssl
- 2049/tcp open nfs
The following stages break down the task into enumeration, attack and privilege escalation.
User Enumeration #1 – SMTP
Firstly we’ll telnet into the SMTP server to see if VRFY is enabled, as this will allow us to enumerate users.
telnet %vulnix_ip_address% 25
You should see the following response:
The user ‘vulnix’ seems to exist (252 response), and by entering another name, in this case ‘thisusercannotexist’, we see that we’re given a 550 response and informed that the user is unknown.
This confirms that VRFY is enabled and answers differently for known and unknown names, so we could quickly enumerate users with a script such as smtp-user-enum or an auxiliary module within Metasploit.
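The 252-versus-550 difference described above is also what a defender audits for. The following is an added example, not part of the original walkthrough: it reads a recorded SMTP session and reports whether the VRFY replies distinguish existing users from unknown ones. The `C:`/`S:` transcript format, the function names and the sample reply text are assumptions made for illustration; only the reply codes come from the walkthrough.

```python
import re

# Reply codes per RFC 5321: 250/251/252 accept the name, 550/551/553 reject it,
# 500/502 mean the server does not offer VRFY at all.
ACCEPT, REJECT, DISABLED = {250, 251, 252}, {550, 551, 553}, {500, 502}

def vrfy_replies(transcript):
    """Return [(name, code)] for each VRFY command in a 'C:'/'S:' transcript."""
    results, pending = [], None
    for line in transcript.splitlines():
        line = line.strip()
        cmd = re.match(r"C:\s*VRFY\s+(\S+)", line, re.I)
        if cmd:
            pending = cmd.group(1)
            continue
        reply = re.match(r"S:\s*(\d{3})([ -]|$)", line)
        # Skip "NNN-" continuation lines; only the final line ends a reply.
        if reply and pending is not None and reply.group(2) != "-":
            results.append((pending, int(reply.group(1))))
            pending = None
    return results

def audit_vrfy(transcript):
    """Classify the server: 'leaks', 'disabled', 'uniform' or 'no-data'."""
    codes = {code for _, code in vrfy_replies(transcript)}
    if not codes:
        return "no-data"
    if codes <= DISABLED:
        return "disabled"
    # Different answers for different names reveal which accounts exist.
    if codes & ACCEPT and codes & REJECT:
        return "leaks"
    return "uniform"

# Constructed transcripts (reply text is illustrative; codes match the article).
LEAKY = """\
S: 220 mail.example ESMTP
C: VRFY vulnix
S: 252 2.0.0 vulnix
C: VRFY thisusercannotexist
S: 550 5.1.1 <thisusercannotexist>: User unknown
"""
HARDENED = """\
S: 220 mail.example ESMTP
C: VRFY vulnix
S: 502 5.5.1 VRFY command is disabled
C: VRFY thisusercannotexist
S: 502 5.5.1 VRFY command is disabled
"""

if __name__ == "__main__":
    print(audit_vrfy(LEAKY), audit_vrfy(HARDENED))
```

A result of `disabled` is what a server returns once VRFY is switched off, for example with Postfix's `disable_vrfy_command = yes`.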