This is my writeup for Vulnix VM.

Step 1 – Find out Vulnix IP

Since all devices are on my home Wifi network, I run a quick netdiscover scan. The machine is at

Step 2 – Enumerate the IP to find out open ports, service version, OS etc..

This provides the following attack surface:

  • Port 22 – OpenSSH 5.9p1 Debian 5ubuntu1
  • Port 25 – Postfix smtpd
  • Port 79 – Linux fingerd
  • Port 110 – pop3
  • Port 111 – rpcbind
  • Port 143 – Dovecot
  • Ports 512,513,514 – rservices
  • Port 993,995 – Dovecot
  • Port 2049 – NFS
  • Ports 32837, 33659,39583,42173,55978
  • OS – Linux 2.6.32 – 3.10

Step 3 – Enumerating finger service port

Step 4 – Enumerating SMTP

3 user ID’s found; root, vulnix, user

Step 5 – Attempting bruteforce attack

Credentials found user / letmein

Step 6 – Accessing using SSH with the credentials noted and attempting privilege escalation

Checking NFS service and mounting the exported directory. A local user vulnix was also created with uid 2008

New SSH key generated locally

Public key written to home directory of vulnix user

Faced some issues while using SSH but was finally able to find a solution and logged in as user vulnix

User vulnix is permitted to modify /etc/exports file as root user

Modifying the file

The VM needs to be manually restarted, a copy of bash shell is made in home directory of vulnix user and using root account locally the permissions are modified. The shell is then executed to obtain root access !!



Leave a Reply

Your email address will not be published. Required fields are marked *