Dina: 1.0.1 : Walkthrough

Ravi Kerketta
Jul 19, 2019

After getting the target IP, start with a port scan.

So only port 80 is open. Let’s browse the page.

Found nothing on the page.

Run “dirb” to find more directories and pages.

The dirb scan returned some interesting results. Open the pages it found and start digging around.

robots.txt lists some directories. Most of them are useless, but “/nothing” gave us something.

The page says “NOT FOUND go back”, but the page source says something else.

We got a password list. We can use it in further steps.

Dirb also found another directory that was not listed on robots.txt “/secure”.

We got a “backup.zip”, but it is password protected. We already have some passwords, and the one that worked was “freedom”.

I used 7z to unzip.

Command:

7z e backup.zip

After unzipping it we got a file in “.mp3” format. I tried to play it but it gave an error, so we read the file using “cat” instead.

So, we found a username “touhid” and an interesting directory “/SecreTSMSgatwayLogin”.

Opening that directory returns a web application called PlaySMS.

We don’t have any credentials but we have the username “touhid” and a few more passwords.

1. User: touhid

2. Password: diana

And we are in!

Now let’s search if there are any vulnerabilities for the specific web app with Metasploit.

We used this exploit against PlaySMS and filled in all the required options.

Time to exploit and it was successful. We got a meterpreter shell.

Next we need a proper shell.

Command:

python -c 'import pty;pty.spawn("/bin/sh")'

Running the command “sudo -l” lists all the commands the current user can run with root privileges.

Perl can be run as root, which gives us a Perl shell as root.

Without wasting any time, we spawn the Perl shell and it gave us root privileges.

Command:

sudo perl -e 'exec "/bin/sh";'

We got our flag.
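The last step works because a sudo rule lets a low-privileged account run an interpreter as root. The following is an added example, not part of the original walkthrough: a small audit that flags such rules in a sudoers file. The sample sudoers content, the account names and the list of risky binaries are constructed assumptions, since the walkthrough does not show the VM's real file.

```python
import os
import re

# Binaries that can run arbitrary code or spawn a shell when allowed via sudo.
# Illustrative list chosen for this example, not exhaustive.
ESCAPE_CAPABLE = {"perl", "python", "python3", "ruby", "php", "lua", "sh",
                  "bash", "dash", "vi", "vim", "less", "awk", "find", "env"}

# Constructed sample; the walkthrough does not show the VM's real sudoers file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/perl
backup   ALL=(root) /sbin/reboot, \\
                    /usr/bin/vim /etc/hosts
deploy   ALL=(appuser) /usr/bin/python3 /opt/app/run.py
"""

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAGS = re.compile(r"^((?:[A-Z_]+:\s*)+)")

def audit_sudoers(text):
    """Return (principal, binary, nopasswd) for every rule that lets a
    non-root principal run an escape-capable binary as root."""
    findings = []
    text = re.sub(r"\\\n\s*", "", text)          # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, runas, cmds = m.groups()
        # With no Runas spec, sudo runs the command as root.
        run_user = (runas or "root").split(":")[0].strip() or "root"
        as_root = run_user in ("root", "ALL")
        nopasswd = False
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            tags = TAGS.match(cmd)
            if tags:                             # a tag applies to later commands too
                for tag in re.findall(r"[A-Z_]+", tags.group(1)):
                    nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag, nopasswd)
                cmd = cmd[tags.end():]
            binary = os.path.basename(cmd.split()[0]) if cmd else ""
            if who != "root" and as_root and binary in ESCAPE_CAPABLE:
                findings.append((who, binary, nopasswd))
    return findings
```

Each finding is a rule to remove or to replace with a fixed, root-owned wrapper script that takes no user-controlled arguments.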
