DomDom: 1 Vulnhub Walkthrough

alialiy4ri

DomDom is another CTF challenge based on PHP mis-functionality, and credit goes to Avraham Cohen for designing this VM. Here you need to identify a bug to get a reverse shell connection to the machine and then try to access the root shell. This VM can be downloaded from the link given below, and its level is set to easy for beginners.

Download Link: https://www.vulnhub.com/entry/domdom-1,328/

Penetration Testing Methodology

Scanning

  • Identify running service & open Ports (Nmap)

Enumeration

  • Web Directories (DIRB)
  • Vulnerable to RCE (Burp Suite)

Exploit

  • Upload backdoor (PHP reverse shell)
  • Spawn shell (netcat session)

Privilege Escalation

  • Abusing Capability Permission
  • Spawn root shell

Walkthrough

Scanning

Let’s start off with the scanning process. This target VM took the IP address 192.168.1.35 automatically from our local Wi-Fi network.

Then we used Nmap for port enumeration and found that port 80 is open, running an HTTP service.

Code:
nmap -A 192.168.1.35

Taking our manual penetration approach further, we open a web browser and enter the VM’s IP in the URL field. It welcomed us with a login form, as shown in the image below.

So, we simply type the following and then click on the Execute tab:

Your Name: admin

Your Username: admin

Password: admin

Since we didn’t find any clue to step ahead, we chose dirb for web directory enumeration. When I executed the command below, I found two URLs with a 200 OK code.

Code:
dirb http://192.168.1.35

When we explored /admin.php, it gave us a hint to dig further to identify the action being used here.

So again I explored http://192.168.1.35, intercepted its data with Burp Suite, and then sent the intercepted data to Repeater to identify what action is being executed.

So, I forwarded the intercepted data to Repeater. Initially it captured the POST request for /index.php, but inside Repeater we changed the POST request from /index.php to /admin.php to identify the action.

Wow!! From its response, we found a built-in script that executes the command.

To confirm the backend functionality, we sent a request to execute the “id” command and obtained the expected result, hence confirming that it is vulnerable to Remote Code Execution.

Hence, I found the path where one can execute malicious code or inject a malicious file into the host machine to get a reverse connection to the machine.

Therefore, I grabbed the “php-reverse-shell” file from /usr/share/webshells/php, modified the listening IP (i.e. the Kali Linux IP) and named it backdoor.php.

Further, I injected our backdoor.php file into the host machine and gave full permissions to the malicious PHP file, as shown in the image below, then launched a netcat listener in a new terminal to get the reverse connection.

Now, once the file has been uploaded successfully, we need to execute the malicious file as highlighted below.

As soon as you execute the malicious file, you get a reverse shell through netcat. As you can observe, we have a netcat session, so now we can step ahead to privilege escalation.

At this point, I was not sure what should be done to extract the hidden flag, so I thought of identifying binaries with file capabilities with the help of getcap and saw a fruitful result.

Code:
nc -lvp 1234
whoami
getcap -r / 2>/dev/null

On exploring further, we found README.md inside /home/domom/Desktop, which is owned by root.

As we have seen in the above image, “/bin/tar” has capabilities set and can compress the file. It can manipulate its process UID and can be used on Linux as a backdoor to maintain elevated privileges with the CAP_SETUID capability set; therefore I trigger the following command, which will generate a .tar of README.md inside the /tmp directory:

Code:
cd /tmp
tar -cvf readme.tar /home/domom/Desktop/README.md

When you execute the above command, it generates a readme.tar file inside /tmp, which can be extracted further to read the README.md file.

Code:
tar -xvf readme.tar
# tar strips the leading "/" from member names, so the extracted copy lands under /tmp/home/...
cat home/domom/Desktop/README.md
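The getcap step above is the one a defender would turn into a routine check, since a single capability-bearing copy of a general-purpose tool such as tar is all it took here to read a root-owned file. The following POSIX shell script is an added example, not part of the original walkthrough or the VM: it triages getcap -r style output and flags binaries carrying capabilities that let an unprivileged user read, write or take over what it should not. The sample lines are constructed, and the list of risky capabilities is an assumed starting point rather than an exhaustive one.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): triage "getcap -r /"
# output and flag binaries whose file capabilities undermine the privilege
# boundary, as a capability-bearing /bin/tar did on the DomDom VM.

# Capabilities that are dangerous on a general-purpose binary (assumed
# starting list; extend it for your environment).
RISKY_CAPS="cap_setuid cap_setgid cap_dac_read_search cap_dac_override \
cap_chown cap_fowner cap_sys_admin cap_sys_ptrace cap_sys_module"

# Read getcap-style lines on stdin ("/path = cap_x+ep" from older libcap,
# "/path cap_x=ep" from newer) and print "RISKY <path> <caps>" for each hit.
# Exit status is 0 if at least one risky binary was seen, 1 otherwise.
flag_risky_caps() {
    found=1
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        path=${line%% *}            # everything before the first space
        caps=${line#* }             # everything after it
        caps=${caps#= }             # drop the "= " of the older format
        for cap in $RISKY_CAPS; do
            case "$caps" in
                *"$cap"*)
                    printf 'RISKY %s %s\n' "$path" "$caps"
                    found=0
                    break
                    ;;
            esac
        done
    done
    return $found
}

# Constructed sample resembling getcap output; only the first two lines
# should be flagged (ping's cap_net_raw is the expected, benign case).
SAMPLE='/bin/tar = cap_dac_read_search+ep
/usr/bin/python3 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep'

# Wrapper the reader can call directly; on a live host use instead:
#   getcap -r / 2>/dev/null | flag_risky_caps
audit_sample() {
    printf '%s\n' "$SAMPLE" | flag_risky_caps
}

audit_sample || :
```

Once a hit is confirmed as unneeded, the capability is removed with `setcap -r /path/to/binary`; the audit belongs alongside a periodic SUID/SGID sweep, because file capabilities do not show up in a `find -perm` search and are easy to overlook.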

Great!! From inside this file, we obtained the password for user “root”, so we switch to the root account with the password found and access the root shell.

Code:
su root

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a Social Media and Gadgets Lover.