Hey everyone I hope you are doing good,this is a write up for DC-5 machine. It is a easy boot2root machine. So let’s jump in by doing a port scan on the machine
Rustscan
rustscan -a 192.168.1.5 -- -A -sC -sVOpen 192.168.1.5:80
Open 192.168.1.5:111
Open 192.168.1.5:46209 PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 nginx 1.6.2
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp open rpcbind syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36602/tcp6 status
| 100024 1 46209/tcp status
| 100024 1 49690/udp6 status
|_ 100024 1 56402/udp status
46209/tcp open status syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:01:36:B6 (Oracle VirtualBox virtual NIC)
PORT 80 (HTTP)
Running gobuster on the website
footer.php looked interesting
After refreshing the page the copyright text changes
But thankyou.php had footer.php so there the text was also changing on reload , which was a hint for the box to look for a page which reloads
I went to contact.php
Filled the details and submitted them , it redirected me to thankyou.php with the url having our submitted details
But here this file doesn’t suppose to having these parameters so let’s fuzz for parameters
This showed a lot of parameters with the same result so let’s filter it according to words
And we got file as a GET parameter so let’s to test for LFI (Local File Inclusion)
Since this is website is using nginx so we can read it’s log file
We can poison the nginx log with a php command injection by adding the php payload by replacing the user agent
But it didn’t work
Added that php injection command in file parameter
It was being url encoded
Now it seems to work
Finding SUID’s , I found screen-4.5.0
There’s an exploit for it on exploit-db
Transfer the exploit on target machine
But we’ll get this error when compiling it
So it seems we need to manually create and compile files
When you compile , you’ll be seeing this error
gcc: error trying to exec 'cc1': execvp: No such file or directory
So to resolve this export gcc’s path in PATH variable
export PATH=/usr/bin:$PATH
And then run these commands
- gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
- gcc -o /tmp/rootshell /tmp/rootshell.c
Finally run this command
You’ll see rootshell binary gets owned by root
Now just run that binary and you will get root on the machine
Things Learned from this machine
- If a page has get paramters make sure to fuzz for them
- If you find a LFI on a page try to read logs (apache2 or nginx) and poison the logs by adding php get parameter
- Look for SUID binaries
- Before using the exploit ,see what’s it doing
