FourAndSix: 2 is the sequel to the previously solved vulnerable machine FourAndSix by Fred, uploaded on VulnHub. It is not mandatory, but it is advised to read the prequel of this lab here. You can download the FourAndSix:2 vulnerable lab from here. The challenge is to become root and read flag.txt in the same directory.
Table of contents:
1. Discovery of IP address.
2. Scanning for open ports and services.
3. Discovering a universally accessible directory on the victim's machine.
4. Cracking the password of the archive found in the storage partition.
5. Reading the pub file and logging in using SSH.
6. Discovering utilities with the setuid bit set on them.
7. Using doas to get root.
8. Snagging the flag!
Let's get started then.
The first step is, as usual, to find the IP of the target machine. In this case it is 192.168.1.103.
Next, we discover open ports and services using nmap. The open ports were 22, 111 and 2049.
There was only one way to proceed, and that is port 2049 (NFS). So we used the showmount command to check for NFS shared partitions.
Later, we mounted it under a folder named "raj" using the mount command, and found a 7z compressed file.
showmount -e 192.168.1.103
mount -t nfs 192.168.1.103:/home/user/storage raj
But the file "backup.7z" was, unfortunately, password protected.
So, after trying a number of options like John the Ripper, etc. and getting zero success, we found a site online to break its password.
The password was found to be: chocolate
We extracted its contents into the same folder and found a few images along with RSA keys. As port 22 runs the SSH service on the target machine, we can use the RSA private key to log in. We open the RSA public key to take a look at the username.
cat id_rsa.pub
We tried logging in via SSH, but it asked for a passphrase. So we wrote the following script to find the correct passphrase (ssh-keygen -c rewrites the key comment and fails unless the supplied -P passphrase unlocks the key, so each wordlist entry is tried in turn):
cat /usr/share/wordlists/metasploit/adobe_top100_pass.txt | while read pass; do if ssh-keygen -c -C "user@forandsix" -P "$pass" -f id_rsa &>/dev/null; then echo "$pass"; break; fi; done
From the id_rsa.pub file we found the username for the victim's secure shell and logged in to it. The passphrase was "12345678".
ssh -i id_rsa email@example.com
We used the find utility to discover files with the setuid bit set (-perm -u=s matches files whose owner-execute bit is setuid; -type f limits the search to regular files).
find / -perm -u=s -type f 2>/dev/null
We found an interesting utility with the setuid bit: /usr/bin/doas, which is an alternative to sudo.
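A one-off find is how the setuid doas was spotted here; the defender's version of the same check is a baseline you diff against later, so that a newly installed or planted setuid binary shows up in review. The following is an added example and not part of the original post; the directory tree it builds is constructed for the demo and its paths are placeholders, not the VM's.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot the setuid regular files
# under a tree and report anything that has appeared since the snapshot.
# The sample tree is constructed; paths are placeholders, not the VM's.

# List setuid regular files under $1, sorted (comm needs sorted input).
# -perm -4000 is the octal spelling of -perm -u=s; permission errors are
# discarded, as in the one-liner above.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Save the current listing for tree $1 into baseline file $2.
save_baseline() {
    list_setuid "$1" > "$2"
}

# Print setuid files under tree $1 that are absent from baseline file $2.
new_setuid_since() {
    list_setuid "$1" | comm -13 "$2" -
}

# Constructed sample tree: one setuid file exists at baseline time.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/usr/bin"
    : > "$1/bin/ping"   && chmod 4755 "$1/bin/ping"
    : > "$1/usr/bin/id" && chmod 755  "$1/usr/bin/id"
}

# Demo: take a baseline, then "install" a setuid doas and show it is reported.
demo() {
    root=$(mktemp -d)
    base=$(mktemp)
    make_sample_tree "$root"
    save_baseline "$root" "$base"
    : > "$root/usr/bin/doas" && chmod 4755 "$root/usr/bin/doas"
    new_setuid_since "$root" "$base"      # prints .../usr/bin/doas
    rm -rf "$root" "$base"
}

demo
```

In practice the baseline would be stored off-host (or at least outside the tree it describes) and the diff scheduled, since a tree that the attacker controls can also have its baseline edited.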
After reading the "doas.conf" file, we find that "less" can be run as root.
Let's go through the configuration file and try to understand it keyword by keyword. The doas utility executes commands as other users according to the rules in the doas.conf configuration file.
permit / deny: allows or forbids the action described by the rule.
nopass: the user is not required to enter any password.
persist: after the user successfully authenticates, do not ask for a password again for some time.
keepenv: the user's environment is preserved.
cmd: the command that is allowed to run.
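The rule that sinks this box is the combination of permit, nopass, a root target and an interactive program, so a reviewer wants to find that combination in a doas.conf without reading every line by hand. The script below is an added example, not from the original post or the doas project; it assumes the documented doas.conf rule shape (permit|deny [options] identity [as target] [cmd command [args ...]]), the sample configuration it writes is constructed, and the list of escape-capable programs is an illustrative, hand-picked allowlist rather than anything exhaustive.

```shell
#!/bin/sh
# Added example (not from the original post): flag doas.conf rules that let a
# user run, as root and without a password, either any command or a program
# that can spawn a shell from inside itself (as less does here).
# Assumes the standard rule syntax; the escape list is a constructed sample.

# Constructed sample config, modelled on the rule found on the box.
# The terminator must start in column 0, hence the unindented EOF.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample doas.conf
permit persist :wheel
permit nopass user as root cmd /usr/bin/less
permit nopass monitor as root cmd /sbin/ifconfig args -a
deny user as root cmd /bin/sh
EOF
}

# Print "<line>: <rule>" for each permit rule that needs no password, targets
# root (the default when "as" is absent), and either allows any command or
# names a program on the escape list. Pinned args do not help for these
# programs: less runs "!sh" whatever file it was given, so args are not checked.
audit_doas_conf() {
    awk '
    BEGIN {
        n = split("less more vi vim nano man find awk sed perl python python3", lst, " ")
        for (i = 1; i <= n; i++) esc[lst[i]] = 1
    }
    /^[ \t]*#/ { next }                  # comment line
    NF == 0 { next }                     # blank line
    $1 != "permit" { next }              # deny rules grant nothing
    {
        nopass = 0; target = "root"; cmd = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "nopass") nopass = 1
            else if ($i == "as") target = $(i + 1)
            else if ($i == "cmd") cmd = $(i + 1)
        }
        if (!nopass || target != "root") next
        if (cmd == "") { print NR ": " $0; next }   # any command as root, no password
        k = split(cmd, parts, "/"); base = parts[k]   # basename of the command
        if (base in esc) print NR ": " $0
    }' "$1"
}

# Demo: write the sample and audit it; the less rule is the only hit.
conf=$(mktemp)
make_sample_conf "$conf"
audit_doas_conf "$conf"    # prints: 3: permit nopass user as root cmd /usr/bin/less
rm -f "$conf"
```

The fix the audit points at is not to pin arguments but to drop nopass (or the rule) for interactive programs: a password prompt at least ties the root shell to a credential the user must already hold.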
Since the doas configuration file says that less can be run as root with no password at all, it can be used for shell escaping.
doas /usr/bin/less /var/log/authlog
Enter v to escape to vi, and then "!sh" to escape to our brand new shell.
The final step was to snag the flag! It was in the root directory, as told by the creator of the VM.
id shows that the shell is a root shell, and finally we read the congratulatory flag using cat!
So this was how we rooted FourAndSix:2. Hope you liked it.
Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. Contact here.