This post documents the complete walkthrough of FourAndSix: 2.01, a boot2root VM created by Fred, and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.

Background

Although there’s no description for this VM beyond “to become root and read /root/flag.txt”, the name alone is interesting: FourAndSix is a homophone for “forensics”, so expect forensics-flavoured challenges ahead.

Information Gathering

Let’s start with an nmap scan to establish which services are available on the host.

```text
# nmap -n -v -Pn -p- -A --reason -oN nmap.txt 192.168.30.129
...
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
|   2048 ef:3b:2e:cf:40:19:9e:bb:23:1e:aa:24:a1:09:4e:d1 (RSA)
|   256 c8:5c:8b:0b:e1:64:0c:75:c3:63:d7:b3:80:c9:2f:d2 (ECDSA)
|_  256 61:bc:45:9a:ba:a5:47:20:60:13:25:19:b0:47:cb:ad (ED25519)
111/tcp  open  rpcbind syn-ack ttl 64 2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2         111/tcp     rpcbind
|   100000  2         111/udp     rpcbind
|   100003  2,3       2049/tcp    nfs
|   100003  2,3       2049/udp    nfs
|   100005  1,3       809/tcp     mountd
|_  100005  1,3       997/udp     mountd
809/tcp  open  mountd  syn-ack ttl 64 1-3 (RPC #100005)
2049/tcp open  nfs     syn-ack ttl 64 2-3 (RPC #100003)
```

Apart from SSH, which needs credentials we don’t have yet, there’s nothing to explore except for NFS on 2049/tcp. We’ll start with that.

Network File System

As usual with NFS, we’ll use showmount to list the exports the VM offers and, more importantly, which clients are allowed to mount them.
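The reason this step matters is the export’s client list: a share exported without host restrictions can be mounted by any machine that can reach the server. The script below is an added example, not part of the original post, that runs over the text format printed by showmount -e (the export list shown is constructed for this example, not the VM’s real output) and prints the exports that admit every client. It recognises both the Linux “(everyone)” form and a literal “*” host pattern.

```sh
#!/bin/sh
# Added example (not from the original post): flag NFS exports that are
# mountable from any client, the condition that lets an arbitrary host
# mount the share the way this walkthrough does.
#
# Constructed sample in the format printed by `showmount -e <host>`.
SAMPLE_EXPORTS='Export list for 192.0.2.10:
/home/user/storage (everyone)
/srv/backup        10.0.0.0/24
/srv/public        *
/srv/private       client1.example.net,client2.example.net'

# Print the path of every export whose client list admits every host.
open_exports() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                          # skip the "Export list for" header
        tolower($2) ~ /everyone/ || $2 == "*" { print $1 }
    '
}

# Number of open exports, so a periodic check can alert on a non-zero count.
count_open_exports() {
    open_exports "$1" | wc -l | tr -d ' '
}

open_exports "$SAMPLE_EXPORTS"
```

Feed it real output with `showmount -e "$host" | ...` from a monitoring host; on the server side the fix is to restrict the export to the client addresses that actually need it rather than exporting it to everyone.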

Let’s mount that.

It appears there is a 7z archive in the exported directory. Let’s copy the file over and extract it.

It’s a 7z archive file alright, but it’s password-protected.

John the Ripper

Let’s see if John the Ripper can crack the password.

Awesome. The password is chocolate.

Now, what do we have here?

An RSA key pair for SSH access.

If I had to guess, I would say there’s a /home/user/.ssh/authorized_keys and the content is as follows.

Low-Privilege Shell

Let’s see if we can log in to the host with the private key.

Another password to crack?

Long story short, I’ve tried John the Ripper and it’s no good. Let’s write a simple password cracker in bash, with ssh-keygen as the main driver for password verification.

brute.sh

```bash
#!/bin/bash
# brute.sh: test one candidate passphrase against an encrypted SSH private key.
# Usage: brute.sh <keyfile> <passphrase>
FILE=$1
PASSWORD=$2
COMMENT="[email protected]"   # key comment as it appears on the page (obscured by extraction)

# Stop every running parallel worker once the passphrase has been found.
die() {
    for pid in $(ps aux \
        | grep -v grep \
        | grep 'parallel' \
        | awk '{ print $2 }'); do
        kill -9 "$pid" &>/dev/null
    done
}

# ssh-keygen -c rewrites the key comment, which only succeeds when the
# supplied passphrase (-P) actually decrypts the key.
if ssh-keygen -c -C "$COMMENT" -P "$PASSWORD" -f "$FILE" &>/dev/null; then
    echo "Password is '$PASSWORD'" | tee found.txt
    die
fi
```

Let’s make use of parallel to split the job among my four vCPUs like so.

Whoa. It’s faster than the blink of an eye.

Time to log in.

There you have it.

Privilege Escalation

During enumeration of the user account, I notice the account is in the wheel group. On BSD systems this is essentially the administrative group whose members may become root; root itself is also in this group.

With that in mind, let’s check out /etc/doas.conf, the configuration file for doas, OpenBSD’s sudo alternative.

What do we have here? We can run less as root? I smell “escape to shell”.

Enter v to escape to vi, and then !sh to escape to a shell. It’s that simple.
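The lesson for whoever writes doas.conf is that granting root for a pager or editor is the same as granting a root shell. The script below is an added example, not from the original post and not the VM’s real doas.conf (both configs in it are constructed for this example): it reads doas.conf rules and prints every permit rule that either has no cmd restriction at all or names a program whose own documentation describes a way to run commands from inside it.

```sh
#!/bin/sh
# Added example (not from the original post): review doas.conf rules for
# root grants that go through a program able to spawn a shell.

# Constructed weak config: wheel may run less as root, and less can hand
# its user an editor and, from there, a shell.
WEAK_CONF='permit nopass :wheel as root cmd less'

# Constructed hardened config: no pager or editor as root; the tasks are
# narrowed to specific commands with fixed arguments.
HARDENED_CONF='# administrative tasks for wheel
permit persist :wheel as root cmd /sbin/rcctl args check httpd
permit nopass :wheel as root cmd /usr/bin/tail args -n 50 /var/log/daemon'

# Programs whose manuals document a way to run a command from inside them
# (less via v and !, vi via :!, man through its pager).
ESCAPE_CMDS='less more vi vim man'

# Print each permit rule with no cmd, or whose cmd basename is in ESCAPE_CMDS.
risky_rules() {
    printf '%s\n' "$1" | awk -v list="$ESCAPE_CMDS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 != "permit" { next }                # deny rules cannot grant anything
        {
            cmd = ""
            for (i = 2; i <= NF; i++) if ($i == "cmd") cmd = $(i + 1)
            base = cmd; sub(/.*\//, "", base)  # compare on the basename
            if (cmd == "" || base in risky) print
        }
    '
}

# Number of risky rules, for use as an exit-status style check.
count_risky() {
    risky_rules "$1" | wc -l | tr -d ' '
}

risky_rules "$WEAK_CONF"
```

Run it against the live file with `risky_rules "$(cat /etc/doas.conf)"`; a rule that grants root with no cmd at all is flagged too, since it is strictly broader than the less rule that this box falls to.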

What’s the Flag?

Getting the flag is trivial when you have a root shell.

Afterthought

To be honest, Fred reminds me of the FRED Forensic Workstation from Digital Intelligence I used to play with years ago. It’s still nice to dabble in OpenBSD once in a while.