This post documents the complete walkthrough of FourAndSix: 2.01, a boot2root VM created by Fred, and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.

Background

Although there’s no description for this VM, except for “to become root and read /root/flag.txt”, the name alone is interesting. FourAndSix is a homophone for forensic: expect fun challenges ahead.

Information Gathering

Let’s start with an nmap scan to establish the services available on the host.

# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.30.129
...
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 ef:3b:2e:cf:40:19:9e:bb:23:1e:aa:24:a1:09:4e:d1 (RSA)
|   256 c8:5c:8b:0b:e1:64:0c:75:c3:63:d7:b3:80:c9:2f:d2 (ECDSA)
|_  256 61:bc:45:9a:ba:a5:47:20:60:13:25:19:b0:47:cb:ad (ED25519)
111/tcp  open  rpcbind syn-ack ttl 64 2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,3          809/tcp  mountd
|_  100005  1,3          997/udp  mountd
809/tcp  open  mountd  syn-ack ttl 64 1-3 (RPC #100005)
2049/tcp open  nfs     syn-ack ttl 64 2-3 (RPC #100003)

There’s nothing to explore except for NFS at 2049/tcp. We’ll start with that.

Network File System

As usual, when it comes to NFS we’ll use showmount to view the NFS exports from the VM.

Let’s mount that.

It appears a 7z archive file is in the directory. Let’s download the file and extract it.

It’s a 7z archive file alright, but it’s password-protected.

John the Ripper

Let’s see if John the Ripper can crack the password.

Awesome. The password is chocolate.

Now, what do we have here?

An RSA key pair for SSH access.

If I had to guess, I would say there’s a /home/user/.ssh/authorized_keys and the content is as follows.

Low-Privilege Shell

Let’s see if we can log in to the host with the private key.

Another password to crack?

Long story short, I’ve tried John the Ripper and it’s no good. Let’s write a simple password cracker in bash, with ssh-keygen as the main driver for password verification.

brute.sh
#!/bin/bash
# Usage: brute.sh <private-key-file> <candidate-passphrase>
# Tests one candidate per invocation; meant to be driven by GNU parallel over a wordlist.

FILE=$1
PASSWORD=$2
COMMENT="[email protected]"   # new key comment for ssh-keygen -c; the value itself does not matter

# Stop every remaining parallel worker once the passphrase has been found.
die() {
  for pid in $(ps aux \
               | grep -v grep \
               | grep 'parallel' \
               | awk '{ print $2 }'); do
    kill -9 "$pid" &>/dev/null
  done
}

# ssh-keygen -c rewrites the key comment, which only succeeds when the passphrase
# given with -P decrypts the private key, so its exit status is the passphrase check.
if ssh-keygen -c -C "$COMMENT" -P "$PASSWORD" -f "$FILE" &>/dev/null; then
  echo "Password is '$PASSWORD'" | tee found.txt
  die
fi

Let’s make use of parallel to split the job among my four vCPUs like so.

Whoa. It’s faster than I can blink my eye.

Time to log in.

There you have it.

Privilege Escalation

During enumeration of the user account, I notice the account is in the wheel group. Essentially, this is the superuser group; root is also in this group.

With that in mind, let’s check out /etc/doas.conf, the configuration file for doas, a sudo alternative.

What do we have here? We can run less as root? I smell “escape to shell”.

Enter v to escape to vi, and then !sh to escape to shell. It’s that simple.
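A defender-side check for this class of doas misconfiguration, added here as an example and not part of the original post: a small parser for doas.conf rules that flags permit rules reaching root through a command with a built-in shell escape (less, vi and similar) or with no cmd restriction at all. The escape-command list and the sample configuration are constructed for the example; the VM’s real /etc/doas.conf appears only in the screenshot.

```python
import os
import shlex
# Programs with a built-in shell escape (less/more "!", vi ":!", find -exec, ...); constructed list.
ESCAPE_CMDS = {"less", "more", "vi", "vim", "view", "ed", "man", "find", "awk", "sh", "ksh"}
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

def parse_rule(line):
    """Parse one doas.conf line: permit|deny [opts] identity [as target] [cmd c [args ...]]."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    toks = shlex.split(line)
    if toks[0] not in ("permit", "deny"):
        raise ValueError("bad rule: " + line)
    rule = {"action": toks[0], "options": [], "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(toks) and (toks[i] in OPTIONS or toks[i] == "setenv"):
        rule["options"].append(toks[i])
        i = toks.index("}", i) + 1 if toks[i] == "setenv" else i + 1  # skip "{ VAR=val ... }"
    rule["identity"], i = toks[i], i + 1
    if i < len(toks) and toks[i] == "as":  # without "as", doas allows any target user
        rule["target"], i = toks[i + 1], i + 2
    if i < len(toks) and toks[i] == "cmd":  # without "cmd", any command is allowed
        rule["cmd"], i = toks[i + 1], i + 2
        if i < len(toks) and toks[i] == "args":
            rule["args"] = toks[i + 1:]
    return rule

def risky_rules(conf_text):
    """Return (identity, reason) for permit rules that reach root via an escape or any command."""
    findings = []
    for line in conf_text.splitlines():
        r = parse_rule(line)
        if r is None or r["action"] != "permit" or r["target"] not in (None, "root"):
            continue
        if r["cmd"] is None:
            findings.append((r["identity"], "any command as root"))
        elif os.path.basename(r["cmd"]) in ESCAPE_CMDS:
            findings.append((r["identity"], r["cmd"] + " as root has a shell escape"))
    return findings

# Constructed sample; the VM's real /etc/doas.conf is only shown in the screenshot.
SAMPLE_CONF = """\
permit persist :wheel as root cmd less
permit nopass user as root cmd /usr/bin/tcpdump args -i em0
permit keepenv setenv { PATH=/bin } user as root cmd /sbin/reboot
permit nopass backup as root
deny user as root cmd vi
"""
```

doas applies the last matching rule, so read each flagged line in the context of the rules that follow it.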

What’s the Flag?

Getting the flag is trivial when you have a root shell.

💃

Afterthought

To be honest, Fred reminds me of the FRED Forensic Workstation from Digital Intelligence I used to play with years ago. It’s still nice to dabble in OpenBSD once in a while.