Dina: CTF walkthrough
Name: Dina: 1
Date release: 10 Jul 2017
Contact: touhidshaikh22 [at] gmaill [dot] com
VM link: https://drive.google.com/open?id=0B1qWCgvhnTXgNUF6Rlp0c3Rlb0k
Note: the VulnHub download link for this virtual machine is not up to date. If you want to finish this CTF, you have to download it from the link above. Thanks to Touhid, who provided me with the working link after a short email exchange.
We retrieve the IP of the system.
Let’s scan this system with nmap.
Port 80 seems to be the only usable service.
According to the robots.txt file, there is a directory called nothing, and the index of this directory contains passwords. We will use them later.
With the gobuster tool we find another interesting directory: secure.
In this directory we can download a password-protected ZIP file. Fortunately for us, the previously found passwords allow us to unzip this file.
This is not a real MP3 file, just a text file with a hint for the next step.
We gain access to the admin panel of the playSMS web application with the following credentials.
According to this exploit (from the VM author), we can execute PHP code if we change the name of the uploaded file via Burp Suite.
We generate an msfvenom Linux reverse shell.
Note: in order to bypass bad characters, we will use base64 encoding. Here are the commands that will be used.
We upload our reverse shell to Dina.
Finally, we execute our reverse shell in order to gain a low privilege shell.
Let’s see what we can do with our user.
Nice, we are able to execute any kind of Perl code with root privileges.
We can use a one-liner Perl reverse shell command to gain a root reverse shell.
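A defender-side check for the misconfiguration this box ends on, as an added example that is not part of the original walkthrough or the VM author's code: it scans sudoers text for rules that hand a user a script interpreter or another binary able to run arbitrary code. It assumes the root-level Perl access comes from a sudoers rule, which the walkthrough does not show; the sample rules, the user names and the RISKY list are constructed for illustration.

```python
import os
import re

# Binaries that can run arbitrary code or spawn a shell when allowed via sudo.
# Illustrative list chosen for this example, not exhaustive.
RISKY = {"perl", "python", "python3", "ruby", "php", "lua", "node", "bash",
         "sh", "dash", "zsh", "awk", "gawk", "vi", "vim", "find", "env"}
RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(.+)$")  # user host = commands
TAG = re.compile(r"^([A-Z_]+):\s*")                  # NOPASSWD:, SETENV:, ...

# Constructed sample, not taken from the Dina VM.
SAMPLE = """\
Defaults env_reset
Cmnd_Alias BACKUP = /usr/bin/rsync
backup   ALL=(root) BACKUP
www-data ALL=(ALL) NOPASSWD: /usr/bin/perl
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
         /usr/bin/vim
"""


def audit_sudoers(text):
    """Return (who, command, nopasswd) for each rule granting a risky binary."""
    findings = []
    # A trailing backslash continues a sudoers line; join those first.
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        # Comments, Defaults and alias definitions are not user rules.
        # Aliases are not expanded and #include files are not followed.
        if not line or line[0] == "#" or re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, rest = m.group(1), re.sub(r"\([^)]*\)", "", m.group(2))
        nopasswd = False  # a tag carries over to later commands in the list
        for cmd in rest.split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            if not cmd or cmd.startswith("!"):
                continue
            binary = cmd.split()[0]
            if binary == "ALL" or os.path.basename(binary) in RISKY:
                findings.append((who, binary, nopasswd))
    return findings
```

Feed it the contents of /etc/sudoers and each file under /etc/sudoers.d; any finding with nopasswd set to True means that account can become root with no further authentication.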