DC-4 : Vulnhub Walkthrough
There is only one flag, and it can be read only as root. The flag's location is just an indicator of where a good penetration tester should look; an alternative approach is to go directly for root.
Blog notes :
- attacker machine : I used a Kali Linux machine for all my attack labs.
- victim machine : it is available on Vulnhub; please follow the above link.
- Enumeration : listing and searching for information, i.e. learning more about your victim machine. It is a very general term: a list of users, a list of directories, a list of open ports, a list of vulnerabilities.
- Points of privilege escalation : a list of methods and techniques for privilege escalation. Instead of creating a list in text form, I have created a tool that automates privilege escalation and other penetration-testing steps, based on my own experience working on Vulnhub labs.
Step 1 — Active Information Gathering
- Host discovery
- Port scanning
From the above result, only SSH and HTTP services are running. If an HTTP service is running, there must be a web page.
We want to know what other pages exist on this website. To list them we can use the dirb tool.
This will only list directories and common page names such as “index.php”. You will need to do some searching on how dirb works. Either you have a good wordlist that dirb uses to find sub-URLs, or you search for interesting files manually. The latter is a more thorough method, but it requires good knowledge of which files to search for. I used the latter method to find .php pages for IP “192.168.137.155”. I used Gobuster for this example; you can run the same search with dirb. Gobuster is a tool similar to dirb.
I found command.php, index.php, login.php and logout.php.
Of these, index, login and logout are the three we usually see, but command.php is unusual, so we will look at this page first.
The webpage asked for a username and password, which we do not have. But I have a strong feeling that something is wrong with this page, so we try a very basic method: brute-forcing the login using Hydra or Burp Suite.
Step 2 — Exploitation
I did this using Hydra. Hydra commands are a little complex at first, but with practice they get easier. Note that Hydra will not work if the command syntax is wrong, so please practise before using Hydra in your testing labs. Here we used a password list from SecLists.
We got a hit in the brute-force process: user admin and password happy. We used these credentials to log in to the command.php page.
We executed all three options, and I saw that the URL contained command-like syntax. So a thought came to mind: before the URL is sent to the victim server, what if I could break out of the intended command and execute a different one? To do this we need the help of Burp Suite. After modifying some Linux commands, I saw that they executed properly.
Now the first thing that came to mind was a reverse shell. In my mind the first step is always to get a remote shell / reverse shell. So I put a simple one-liner Python reverse shell in a file and executed it.
I got a successful reverse shell.
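From the defender's side, both things that happened in this step (a burst of failed logins to login.php, then a command.php request whose command was no longer one of the page's own options) are visible in the web server's access log. The following detector is an added example, not part of the original walkthrough; it runs over constructed log lines and assumes a query parameter name (`cmd`) and a set of three allowed commands, neither of which the post names.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumptions for this example (the walkthrough names neither): the query parameter that
# carries the command, and the three fixed commands command.php is meant to offer.
COMMAND_PARAM = "cmd"
ALLOWED_COMMANDS = {"ls -l", "df -h", "ps -ef"}
SHELL_META = re.compile(r"[;&|`$(){}<>]")

# Common log format: client IP, identity, user, timestamp, request line, status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample log lines: a burst of failed logins from 10.0.0.5, one success (302),
# a legitimate command, a tampered command, and a benign second client.
SAMPLE_LINES = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /login.php HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /command.php?cmd=ls+-l HTTP/1.1" 200 1500
10.0.0.5 - - [01/Jan/2024:10:00:40 +0000] "GET /command.php?cmd=ls+-l%3Bid HTTP/1.1" 200 1620
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /command.php?cmd=df+-h HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2024:10:01:05 +0000] "POST /login.php HTTP/1.1" 200 812
""".splitlines()

def parse_line(line):
    """Return (ip, method, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return (m["ip"], m["method"], m["path"], int(m["status"])) if m else None

def login_bruteforce(lines, threshold=3):
    """IPs with at least `threshold` login POSTs that did not redirect (i.e. failed)."""
    failures = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec[1] == "POST" and rec[2].startswith("/login.php") and rec[3] != 302:
            failures[rec[0]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

def command_tampering(lines):
    """(ip, command) pairs sent to command.php that are not one of the fixed options."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if not rec[2].startswith("/command.php"):
            continue
        for cmd in parse_qs(urlparse(rec[2]).query).get(COMMAND_PARAM, []):
            if cmd not in ALLOWED_COMMANDS or SHELL_META.search(cmd):
                hits.append((rec[0], cmd))
    return hits
```

The same allowlist check is what command.php itself should have applied server-side before running anything: compare the submitted value against the fixed options rather than passing it to a shell.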
Step 3 — Enumeration and Privilege Escalation
As mentioned in my previous articles, we need to search for files and folders. For example, we searched for the keyword “flag” to find file names containing flag, which made our job easier. Using the same naive logic, we could also search for file names containing “password” or “pass”.
Yes!!! We got what we wanted. If these methods are new to you, make a note of them. We then use this information to brute-force SSH.
So this was another way to get a remote shell. It may seem that this alternative way has not helped us. That observation is not wrong, but this alternative method can still give us a hint for further action. If you gather more information, there is a mention of mail. So something should click: what mails, and where are the mails stored?
Alternatively, as mentioned previously, we searched for file names, but a password is often stored inside a file in clear text, so we can run a text search for the keywords “password” and “Password” across all files. You will arrive at the same conclusion.
Now, using the points of privilege escalation, we know that to run a command with root permissions we use sudo.
This looks suspicious; there must be something going on here. If we properly explore the command “teehee” and do some searching, it gives us a way to execute commands, and we know that commands run through the teehee tool will be executed with root privileges. From here you can use many different methods to proceed. I used a method in which I create a new user with root privileges and user-defined credentials, then use this user to find the final flag.
Important takeaways from this lab :
- In the Hydra tool, proper syntax is essential for it to work.
- We used the dirb and Gobuster tools for URL enumeration.
- We learned about brute-forcing SSH.
- We created a user with root privileges from a normal user via the sudo command.
Tools Used :
- Burp Suite