Writeup READY CTF Machine | Vulnyx Platform

Download and virtualization of the machine.

On this platform the machines are downloaded in OVA format for VirtualBox virtualization software. Once downloaded, it is decompressed and imported to run the virtualization of the machine and work with it in a local network.

Recognition of services exposed to the network.

The first thing is to know the ip of the device/machine. This section is not necessary because as you can see in the previous image, it is available at machine startup.

Now I proceed with the methodology of enumeration of services exposed to the network through ports, for this I use nmap with a first quick scan and once I know the open ports, I perform a scan with more aggressive parameterization to extract information and version of the services found.

Conclusions of the enumeration.

I get a web service with the default template of the apache web server manager, a proxy server also managed by apache, a ssh network application and a REDIS service.





After fuzzing the two web services and checking the ssh network location, I can't find anything, so I continue the investigation with the REDIS service.

Exploitation of the REDIS service.

I list the version and information with the script and parameter that Nmap provides for the Redis service.

The steps to follow to enumerate REDIS are based on testing the remote connection to the service and observing what information and data are stored in memory as well as what commands of the REDIS service itself are available from the user by default without authentication.

From the Redis in-memory information I find nothing interesting so I check the existing RCE vulnerability for this service which is caused by a misconfiguration of permissions when creating directories and file extensions.

I check if this PHP file that I have added to the directory has worked and indeed, I get RCE through the web server but in the one that is mounted with proxy, important detail since, it does not work in the normal web server.

I use netcat to generate a reverseshell and get a remote shell on the victim server.

And here I can see that the user ben is part of a group (disk) and I remember that there is a way to escalate privileges through the debugging of partitions and disks. (Before seeing this, I have eaten a small rabbit hole by d4t4s3c, the creator of the machine, and I will not comment here so that you can enjoy it as I have done).

Using "debugfs" for the disk from owner root I have access to the whole system inside this binary/cleanup program, I could read the flag from here but that would not be a complete escalation so I decide to read the "id_rsa" credentials found in the /root/.ssh directory to copy them to my machine, crack the protection key and subsequently connect to the victim machine through the SSH application as admin user "root".

To crack the password protection of the id_rsa file I use the "RSAcrack" tool programmed by the same creator of the machine, d4t4s3c, and that you can find in his github repositories.
Link to RSAcrack tool on GitHub.

And finally I give permissions to the id_rsa file to then connect remotely as "root" user through the SSH service, getting access as administrator / full privileged user to the victim system.

Personal Conclusions

An incredible machine and perfect for people who are starting on this beautiful path of cybersecurity and audits, simple but complete, offers great methodologies that force you to look at the details and learn important and basic methods, as well as take a walk through the Redis service, which is found in real environments as well as common proxy servers. In short, a perfect machine to welcome this new platform called Vulnyx, conceived and created by d4t4s3c, a great among the greats and whom I admire a lot for years for all the teachings he has given me selflessly, a unique user of the network without doubt,

See you in the next article