Vulnhub - Cynix

1. Intro

Cynix is a Boot2Root machine. The machine is VirtualBox compatible but can be used in VMWare as well (not tested, but it should work). DHCP will assign an IP automatically. You have to find and read two flags (user and root), which are present in user.txt and root.txt respectively.

Figure 1 - User Flag
Figure 2 - Root Flag

You can get a copy of the application here: https://www.vulnhub.com/entry/cynix-1,394/

2. The Setup

3. Host Discovery

We begin by trying to locate the IP address of our target. To do this we use nmap with the following command: nmap -sn 192.168.56.0/24

Figure 3

As can be seen from Figure 3, our target is going to be either 192.168.56.100 or 192.168.56.101. Having identified our potential targets, we do a full TCP port scan to identify any open ports and running services using the following command: nmap -sS -A -T4 -p- 192.168.56.100-101

Figure 4

As can be seen from Figure 4, there is nothing running on 192.168.56.100, therefore our Cynix box more than likely has IP 192.168.56.101, with services running on ports 80 and 6688.

4. Service Enumeration

As seen in Figure 4, our host is running an Apache web server on port 80 and an SSH server on port 6688.

Figure 5

As can be seen from Figure 5, after browsing to 192.168.56.101 we are met with an Apache2 default page. Next we continue with a directory brute force attack using the following command:

Figure 6

NOTE: Multiple dictionaries were used before finding one containing a valid directory.

Figure 7

Browsing to the lavalamp directory we are met with the web page shown in Figure 7. After doing a bit of digging and reviewing intercepted requests and responses, we see that the contact form makes a POST request to another page - Figure 8, Figure 9.

Figure 8
Figure 9

Reviewing the response to that same request, we notice a hidden form with opacity 0:0 inside the web page.

Figure 10

This provides no additional security and is more of a nuisance than anything else. Using Burp we can create a quick rule to replace any response body containing opacity: 0:0; with opacity: 1:0;

Figure 11

Filling out the contact form again, we notice that this time the form is visible rather than hidden.

Figure 12

After we enter an integer and click the download button we are redirected to a new web page - Figure 13.

Figure 13

Next we provide some sample text to both boxes and review the request and response to gain a better idea of what is happening in the background:

Figure 14

As can be seen from Figure 14, the application posts two variables, file and read, to the server.

5. Local File Inclusion

As can be seen from Figure 14, the file parameter could indicate the presence of a local file inclusion vulnerability. To test this theory we replace the original parameter "file=1" with "file=../../../etc/passwd" and check our response.

Figure 15

Reviewing the response, we see a message informing us that we are not allowed to do that. This indicates that we are on to something, so we again replace the original parameter "file=1", this time with "file=1../../../etc/passwd", and check our response.

Figure 15

Success! We have found a Local File Inclusion vulnerability. As can be seen from Figure 15, there is a user called ford on the system. Remembering that there was also an SSH service running on the system, we decide to check his .ssh folder for any private keys.
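The two requests above (a bare ../../../etc/passwd is refused, 1../../../etc/passwd is served) are the signature of a filter that only inspects the start of the parameter. As an added illustration, not code from the Cynix machine or from this write-up, here is such a prefix check beside a hardened version that resolves the path and confirms it still lies under the document root; the base directory and the exact shape of the original filter are assumptions.

```python
import os

# Assumed document root for the "file" parameter; the real path on Cynix is not known.
BASE_DIR = "/var/www/lavalamp/files"


def naive_is_allowed(param):
    """Assumed reconstruction of a filter that only rejects a *leading* traversal.

    It refuses '../../../etc/passwd' but passes '1../../../etc/passwd', which is
    exactly the behaviour the two requests above showed.
    """
    return not (param.startswith("../") or param.startswith("/"))


def naive_resolve(param):
    """Path the naive filter would hand to the file reader, or None if refused."""
    if not naive_is_allowed(param):
        return None
    return os.path.normpath(os.path.join(BASE_DIR, param))


def safe_resolve(param, base_dir=BASE_DIR):
    """Resolve the request and refuse anything that lands outside base_dir.

    realpath collapses '..' segments and follows symlinks, so the decision is
    made on where the path ends up rather than on how the string is spelled.
    """
    if "\0" in param:  # embedded NUL would truncate the name in C-level file APIs
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, param))
    # commonpath rather than startswith: '/srv/files2' is not inside '/srv/files'.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def escapes_base(path, base_dir=BASE_DIR):
    """True when an already-resolved path lies outside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


if __name__ == "__main__":
    for p in ("1", "../../../etc/passwd", "1../../../etc/passwd", "1/../../../etc/passwd"):
        print(f"{p!r:26} naive={naive_resolve(p)}  safe={safe_resolve(p)}")
```

The same check also stops the 1/../../../etc/passwd and absolute-path variants, which the prefix filter lets through as well.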

Figure 16

As can be seen from Figure 16, we have successfully retrieved the private SSH key belonging to Ford.

6. Getting Low Priv Shell

Our next step is to attempt to log in to the system using that SSH key. First we copy the SSH key into a file - Figure 17.

Figure 17

Next we change the file permissions by executing chmod 600 key.

Figure 18

Finally we attempt to log in to the system using that key by executing the following command: ssh -i key ford@192.168.56.101 -p 6688

Figure 19

As can be seen from Figure 19, we have successfully obtained a low privilege shell on the system and captured the user.txt flag.

7. More Enumeration

Next we run python -m SimpleHTTPServer on our attacking machine in order to be able to download the linux-smart-enumeration tool over the SSH session.

Figure 20 - HTTP Server on Attacker Machine
Figure 21 - Download lse.sh From Attacker Machine

Next we make the file executable by issuing the command chmod +x lse.sh, run it, and get the following output:

The piece that we are particularly focused on is the user's groups, specifically the lxd group.

Figure 22

8. LXD Privilege Escalation

LXD is a root process that carries out actions for anyone with write access to the LXD UNIX socket. It often does not attempt to match the privileges of the calling user, hence we can abuse this to escalate our privileges.
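The lxd group finding above is the one a defender wants to catch before an attacker does. As an added example, not part of the original write-up, the following audit reads /etc/group and /etc/passwd content and reports every non-root account holding a root-equivalent group, including users whose primary group is lxd (who never appear in lxd's member list in /etc/group); the sample entries are constructed, and treating docker the same way as lxd is a generalisation beyond this page.

```python
# Constructed samples in /etc/group and /etc/passwd format (not from the Cynix box).
GROUP_SAMPLE = """\
root:x:0:
lxd:x:110:ford
docker:x:999:
ford:x:1000:
"""
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
ford:x:1000:1000:Ford:/home/ford:/bin/bash
backup-svc:x:1001:110::/var/backups:/bin/sh
"""

# Membership of these groups is root-equivalent: the daemon runs as root and
# acts on requests from anyone who can write to its UNIX socket.
ROOT_EQUIVALENT_GROUPS = ("lxd", "docker")


def parse_group(text):
    """Return {group: (gid, set of supplementary members)} from /etc/group text."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            out[name] = (int(gid), {m for m in members.split(",") if m})
    return out


def parse_passwd(text):
    """Return {user: primary gid} from /etc/passwd text."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            out[fields[0]] = int(fields[3])
    return out


def root_equivalent_members(group_text, passwd_text):
    """List (user, group, how) for non-root holders of a root-equivalent group;
    primary-group holders come from /etc/passwd since /etc/group omits them."""
    groups = parse_group(group_text)
    primary = parse_passwd(passwd_text)
    findings = []
    for gname in ROOT_EQUIVALENT_GROUPS:
        gid, members = groups.get(gname, (None, set()))
        for user in sorted(members):
            if user != "root":
                findings.append((user, gname, "supplementary"))
        for user, pgid in sorted(primary.items()):
            if pgid == gid and user != "root" and user not in members:
                findings.append((user, gname, "primary"))
    return findings
```

On a live host the same functions can be fed the contents of /etc/group and /etc/passwd directly; every hit should be treated as a root-equivalent account and reviewed.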

In order to successfully carry out this attack we need to perform the following steps:

Steps to be performed on the attacker machine:

  • Download build-alpine in your local machine through the git repository.

  • Execute the script build-alpine, which will build the latest Alpine image as a compressed file; this step must be executed by the root user.

  • Transfer the tar file to the victim machine.

Steps to be performed on the victim machine:

  • Download the alpine image

  • Import image for lxd

  • Initialize the image inside a new container.

  • Mount the container inside the /root directory

8.1 Steps to be performed on the attacker machine:

Our first step is to download and build an Alpine image - Figure 23.

Figure 23

Next we need to transfer it to the victim machine - Figure 24.

Figure 24

8.2 Steps to be performed on the victim machine:

Our first step is to download the tar file from the attacker machine - Figure 25.

Figure 25

Next we import the image for lxd - Figure 26.

Figure 26

Next we initialise the image inside a new container - Figure 27.

Figure 27

Next we mount the container inside the root directory - Figure 28.

Figure 28

Our final step is to start the new profile and execute a shell - Figure 29.

Figure 30

9. Capturing Root.txt

Having successfully gained a root shell we should now be able to retrieve the root.txt flag:

Figure 40
