top of page
Search

Dina

  • Writer: bikupothen1615
    bikupothen1615
  • Mar 3, 2022
  • 2 min read

Dina is a vulnhub machine. Machine is available from public domain: https://download.vulnhub.com/dina/Dina-1-0-1.ova

ree

We start our hunting with reconnaissance, for that we use nmap tool. Using nmap we find open ports. During nmap scanning we find port 80 is open.

ree

Find hidden directories, for that we use gobuster along with seclists.

ree

Through scan we find a number of hidden directories. From that we check /nothing to find any credentials.

ree

Since it look suspicious we gone check its source code. We were lucky we got some passwords.

ree

During gobuster scan we got another directory named /secure. While checking the page we got another file named backup.zip and we are going to download it.

ree

ree

Since the file is .zip we are going to unzip it and found another file named backup-cred.mp3.

ree

While reading the file we got an target URL and username

ree

The below page was found from the former url and we got a login page. Along the URL we also got an username so we are going to check that username along with passwords we got earlier to get a successful login. After brute force we got username and password as touhid && diana.


ree

ree

We found playsms portal. After some research work, we found a cve exploit cve-2017-9101 and found a script based on the exploit from github.

we need to clone this to our terminal.

ree

We got a directory named cve-2017-9101. Directory has a file named playsmshell.py in order to execute the script execute permission must be allowed to the particular file.

Pyhton3 playsmshell.py –url http://192.168.1.4/SecreTSMSgatewayLogin --username touhid --password diana -i

We use this command to get remote code execution.

ree

Now to get reverse shell we use php command along with netcat

ree

ree

After the game of waiting, we got reverse shell connection. In order to get a shell environment, we use python command.

ree

Final step is to do privilege escalation for that we run the command sudo -l and found the following result.

ree

We got a file named /usr/bin/perl. So with that file we can do privilege escalation.

ree

And finally, we become root now we can find the root flag.

ree

 
 
 

Recent Posts

See All

Comments


bottom of page