Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-10 14:44:20 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/VulnHub/DC-5.md
ARZ e9472182bd
Add files via upload
2021-04-14 18:06:24 +05:00

4.2 KiB
Raw Blame History

Vulnhub - DC 5

Rustscan

rustscan -a 192.168.1.5 -- -A -sC -sV

Open 192.168.1.5:80                                             
Open 192.168.1.5:111                                                      
Open 192.168.1.5:46209 

PORT      STATE SERVICE REASON         VERSION                   
80/tcp    open  http    syn-ack ttl 64 nginx 1.6.2
| http-methods:                                
|_  Supported Methods: GET HEAD POST                                    
|_http-server-header: nginx/1.6.2                                               
|_http-title: Welcome            
111/tcp   open  rpcbind syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36602/tcp6  status
|   100024  1          46209/tcp   status
|   100024  1          49690/udp6  status
|_  100024  1          56402/udp   status
46209/tcp open  status  syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:01:36:B6 (Oracle VirtualBox virtual NIC)

PORT 80 (HTTP)

Running gobuster on the website

footer.php looked interesting

After refreshing the page the copyright text changes

But thankyou.php had footer.php so there the text was also changing on reload , which was a hint for the box to look for a page which reloads

I went to contact.php

Filled the details and submitted them , it redirected me to thankyou.php with the url having our submitted details

But here this file doesn't suppose to having these paramters so let's fuzz for paramters

This showed a lot of parameters with the same result so let's filter it according to words

And we got file as a parameter

Since this is website is using nginx so we can read it's log file

We can poison the nginx log with a php command injection by adding the php payload by replacing the user agent

But it didn't work

Added that php injection command in file parameter

It was being url encoded

Now it seems to work

Finding SUID's , I found screen-4.5.0

There's an exploit for it on exploit-db

Transfer the exploit on target machine

But we'll get this error when compiling it

So it seems we need to manually create and compile files

Before you compile you will be seeing this error

gcc: error trying to exec 'cc1': execvp: No such file or directory

So to resolve this export gcc's path in PATH variable

export PATH=/usr/bin:$PATH

And then run these commands

  1. gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
  2. gcc -o /tmp/rootshell /tmp/rootshell.c

Finally run this command

You'll see rootshell binary gets owned by root

Now just run that binary and you will get root on the machine

Things Learned from this machine

  1. If a page has get paramters make sure to fuzz for them
  2. If you find a LFI on a page try to read logs (apache2 or nginx) and poison the logs by adding php get parameter
  3. Look for SUID binaries
  4. Before using the exploit ,see what's it doing