Vulnhub — DC 5

Hey everyone I hope you are doing good,this is a write up for DC-5 machine. It is a easy boot2root machine. So let’s jump in by doing a port scan on the machine

Rustscan

rustscan -a 192.168.1.5 -- -A -sC -sVOpen 192.168.1.5:80                                             
Open 192.168.1.5:111
Open 192.168.1.5:46209
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 nginx 1.6.2
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.6.2
|_http-title: Welcome
111/tcp open rpcbind syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36602/tcp6 status
| 100024 1 46209/tcp status
| 100024 1 49690/udp6 status
|_ 100024 1 56402/udp status
46209/tcp open status syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:01:36:B6 (Oracle VirtualBox virtual NIC)

PORT 80 (HTTP)

Running gobuster on the website

footer.php looked interesting

After refreshing the page the copyright text changes

But thankyou.php had footer.php so there the text was also changing on reload , which was a hint for the box to look for a page which reloads

I went to contact.php

Filled the details and submitted them , it redirected me to thankyou.php with the url having our submitted details

But here this file doesn’t suppose to having these parameters so let’s fuzz for parameters

This showed a lot of parameters with the same result so let’s filter it according to words

And we got file as a GET parameter so let’s to test for LFI (Local File Inclusion)

Since this is website is using nginx so we can read it’s log file

We can poison the nginx log with a php command injection by adding the php payload by replacing the user agent

But it didn’t work

Added that php injection command in file parameter

It was being url encoded

Now it seems to work

Finding SUID’s , I found screen-4.5.0

There’s an exploit for it on exploit-db

Transfer the exploit on target machine

But we’ll get this error when compiling it

So it seems we need to manually create and compile files

When you compile , you’ll be seeing this error

gcc: error trying to exec 'cc1': execvp: No such file or directory

So to resolve this export gcc’s path in PATH variable

export PATH=/usr/bin:$PATH

And then run these commands

  1. gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
  2. gcc -o /tmp/rootshell /tmp/rootshell.c

Finally run this command

You’ll see rootshell binary gets owned by root

Now just run that binary and you will get root on the machine

Things Learned from this machine

  1. If a page has get paramters make sure to fuzz for them
  2. If you find a LFI on a page try to read logs (apache2 or nginx) and poison the logs by adding php get parameter
  3. Look for SUID binaries
  4. Before using the exploit ,see what’s it doing

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store