
DC-5 vulnhub walkthrough
My new write-up will be for the DC-5 machine from Vulnhub, which can be downloaded from the following URL: https://www.vulnhub.com/entry/dc-5,314/
In this article you will learn the following:
- Using nmap to find open ports & running services.
- Fuzzing web pages to find vulnerabilities.
- Exploiting an LFI vulnerability.
- Poisoning the log files with malicious PHP code.
- Getting a reverse shell using the LFI vulnerability.
- Privilege escalation using SUID binaries.
As usual, after downloading and importing it into the virtualization software, I had to get its IP address. I found that the IP address is: 10.0.2.9
After that, I performed a port scan using nmap to find the open ports and the running services. I found that there are only two open ports (80 for the HTTP service and 111 for the RPC service). So, I decided to start enumerating the HTTP service by visiting it using Firefox.
After visiting it, I found one interesting page, “thankyou.php”, which takes many parameters.
I tried to play with them but with no success. So, I decided to fuzz it to find out if this page accepts other hidden parameters. To do that, I used the wfuzz tool. I tried to fuzz different types of attacks such as Injection, LFI, … etc. I found that this page accepts a parameter called “file” and this parameter is vulnerable to LFI.
So, I tried to view many files like: /etc/passwd, /etc/shadow, & /var/log/nginx/access.log. I found that some of them can be viewed (passwd & access.log).
I tried to perform an RFI attack but with no success. So, I tried many ways to gain shell access on the back-end server and finally got it. I got the shell access by using log poisoning.
I poisoned the access.log file with malicious PHP code to create a reverse shell using nc. The PHP code was injected in the user-agent field of the access.log file.
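From the defender's side, both the LFI reads through the “file” parameter and the User-Agent poisoning leave traces in the same nginx access log. The following is an added example, not part of the original write-up: a small detector that assumes nginx's default "combined" log format and runs over constructed sample lines (the client address and requests are made up for illustration).

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# nginx "combined" access-log format (assumed; adjust if log_format differs).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
# PHP open tags have no business in a request line, Referer or User-Agent.
PHP_TAG = re.compile(r'<\?(?:php\b|=|\s)', re.I)
# Parameter values that walk out of the web root or name system paths.
SENSITIVE_PATH = re.compile(r'\.\./|^/(?:etc|proc|var/log)/')

def fully_unquote(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect(line):
    """Return a list of findings for one access-log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    findings = []
    for field in ("target", "referer", "ua"):
        if PHP_TAG.search(fully_unquote(m[field])):
            findings.append(f"php-code-in-{field}")
    query = urlsplit(m["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SENSITIVE_PATH.search(fully_unquote(value)):
            findings.append(f"file-read-param:{name}")
    return findings

# Constructed sample lines (not taken from the DC-5 machine).
PREFIX = '10.0.2.15 - - [01/Jan/2024:10:00:00 +0000] '
SAMPLE = [
    PREFIX + '"GET /thankyou.php?firstname=a&lastname=b HTTP/1.1" 200 852 "-" "Mozilla/5.0"',
    PREFIX + '"GET /thankyou.php?file=/var/log/nginx/access.log HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    PREFIX + '"GET /thankyou.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 852 "-" "Mozilla/5.0"',
    PREFIX + '"GET / HTTP/1.1" 200 4025 "-" "<?php /* constructed placeholder */ ?>"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(inspect(entry), entry[len(PREFIX):])
```

A hit on `php-code-in-ua` followed by a `file-read-param` hit that names a log file is the sequence this write-up describes, so alerting on the pair is more specific than alerting on either alone.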
Once I loaded the access.log file again using the LFI, I got a reverse shell to my Kali Linux machine. After that, I checked the binaries that have the SUID bit. I found an interesting one (screen-4.5.0). So, I used the searchsploit utility to find out if there is a root exploit for this binary and I found that it is vulnerable to a root exploit 😀
I tried to move the shell script exploit to the target machine and execute it but the exploit did not work. So, I opened it and found that it tries to create some files and write some data inside them.
What I did was manually create those files and save the data inside them as follows:
Then, I compiled both the “rootshell.c” and “libhax.c” files and moved them with the “41154.sh” file to the target machine as follows:
Finally, I changed the permission of the “41154.sh” file to make it an executable script and ran it to get root privileges and read the file that contains the flag.