CTF WriteupsVulnhub Writeups

DC-5 vulnhub walkthrough

Vulnhub vulnerable machines

June 10, 2019
0 4,530 1 minute read

DC-5 vulnhub walkthrough

 

My new write-up will be for DC-5 machine from Vulnhub which can be downloaded from the following URL : https://www.vulnhub.com/entry/dc-5,314/

In this article you will learn the following:

  • Using nmap to find opened ports & running services.
  • Fuzzing web pages to find vulnerabilities.
  • Exploiting LFI vulnerability.
  • Poisoning the log files with malicious PHP code.
  • Getting reverse shell using LFI vulnerability.
  • Privilege escalation using SUID binaries.

As usual, after downloading and importing it to the virtualization software I have to get its IP address. I found that the IP address is : 10.0.2.9

After that, I performed a port scan using nmap to find the open ports and the running services. i found that there are only two open ports (80 for HTTP service and 111 for RPC service). So, I decided to start enumerating the HTTP service by visiting it using Firefox.

After visiting it, I found one interesting page which is “thankyou.php” which takes many parameters.

I tried to play with them but with no success. So, I decided to fuzz it to find if this page accepts other hidden parameters. To do that, I used wfuzz tool. I tried to fuzz different types of attacks such as Injection, LFI, … etc. I found that this page accepts a parameter called “file” and this parameter is vulnerable to LFI vulnerability.

So, I tried to view many files like : /etc/passwd, /etc/shadow, & /var/log/nginx/access.log. I found that some of them can be viewed (passwd & access.log).

I tried to perform RFI attack but with no success. So, I tried many ways to gain a shell access on the back-end server and finally got it. I got the shell access by using log poisoning.

I poisoned the access.log file with a malicious PHP code to create a reverse shell using nc. The PHP code was injected in the user-agent field of the access.log file.

Once loading the access.log file again using the LFI I got a reverse shell to my Kali Linux machine. After that, I checked the binaries that has SUID bit. I found an interesting one (screen-4.5.0). So, I used searchsploit utility to find if there is a root exploit for this binary and I found that it is vulnerable to root exploit 😀

I tried to move the shell script exploit to the target machine and execute it but the exploit not work. So, I opened it and found that it tries to create some files and write some data inside them.

What I did was manually creating those files and save the data inside them as follows:

Then, I compiled both “rootshell.c” and “libhax.c” files and move them with “41154.sh” file to the target machine as follows:

Finally, I change the permission for the “41154.sh” file to be executed script and run it to get the root privilege and read the file contains the flag.

Tags

Related Articles

SilkyCTF

SilkyCTF 0x01 vulnhub walkthrough

June 2, 2019

CipherTextCTF v2 Writeups Misc

April 27, 2020

CipherTextCTF v2 Writeups Forensics

April 28, 2020

DC-2 vulnhub walkthrough

May 26, 2019

Leave a Reply

Your email address will not be published. Required fields are marked *

© Copyright 2020, All Rights Reserved  | 
Back to top button
Close