Dina is a VulnHub machine. The machine is publicly available at: https://download.vulnhub.com/dina/Dina-1-0-1.ova

We start with reconnaissance, using the nmap tool to find open ports. The nmap scan shows that port 80 is open.

Next we look for hidden directories, using gobuster along with SecLists.

The scan finds a number of hidden directories. Of those, we check /nothing for any credentials.

Since it looks suspicious, we check its source code. We were lucky: we got some passwords.

The gobuster scan also found another directory named /secure. While checking that page we found a file named backup.zip, which we download.


Since the file is a .zip, we unzip it and find another file named backup-cred.mp3.

Reading the file gives us a target URL and a username.

The page below was found at that URL, and it is a login page. Along with the URL we also got a username, so we try that username with the passwords we found earlier to get a successful login. After brute forcing, we found the username and password to be touhid and diana.


We found a playSMS portal. After some research, we found an exploit for CVE-2017-9101 and a script based on that exploit on GitHub.
We need to clone it to our machine.

We got a directory named cve-2017-9101. The directory has a file named playsmshell.py. To run the script, execute permission must be set on that file.
python3 playsmshell.py --url http://192.168.1.4/SecreTSMSgatewayLogin --username touhid --password diana -i
We use this command to get remote code execution.

Now, to get a reverse shell, we use a php command along with netcat.


After a short wait, we got the reverse shell connection. To get a proper shell environment, we use a python command.

The final step is privilege escalation. For that we run the command sudo -l and find the following result.

The result lists /usr/bin/perl, so we can use that binary for privilege escalation.

And finally, we become root. Now we can find the root flag.
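
The sudo -l finding above is the misconfiguration a defender would want to catch before an attacker does. The following audit sketch is an added example, not part of the original walkthrough: it scans sudoers text for rules that let a user run a bare interpreter or shell such as /usr/bin/perl. The sample sudoers content, the user names and the interpreter list are constructed assumptions.

```python
import re

# Interpreters and shells: a sudo rule for one of these with no pinned
# arguments lets the user run arbitrary code as the target user.
# (Assumed audit list for this example; extend it for your environment.)
INTERPRETERS = {"perl", "python", "python3", "ruby", "php", "bash", "sh"}
# Comments, Defaults and alias definitions are skipped (aliases are not expanded).
SKIP = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample; the write-up does not show the machine's sudoers file.
SAMPLE_SUDOERS = """\
# constructed sudoers sample
Defaults env_reset
root     ALL=(ALL:ALL) ALL
appuser  ALL=(ALL) NOPASSWD: /usr/bin/perl
backup   ALL=(root) /usr/bin/python3 /opt/job.py
ops      ALL=(root) NOPASSWD: /usr/bin/systemctl status app, /bin/bash
"""

RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return (line, user, command, nopasswd) for each unrestricted interpreter rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = False  # tags carry over to later commands in the same rule
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            tags = re.match(r"(?:[A-Z_]+:\s*)+", cmd)
            if tags:
                if "NOPASSWD:" in tags.group(0):
                    nopasswd = True
                elif "PASSWD:" in tags.group(0):
                    nopasswd = False
                cmd = cmd[tags.end():]
            parts = cmd.split()
            # Pinned arguments (e.g. a fixed script path) restrict the rule,
            # so only a bare interpreter path is reported.
            if len(parts) == 1 and parts[0].rsplit("/", 1)[-1] in INTERPRETERS:
                findings.append((lineno, m.group("who"), parts[0], nopasswd))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d: %s may run %s via sudo (NOPASSWD=%s)" % finding)
```

Any rule it reports should be replaced with a narrowly scoped command, or removed if the account does not need it.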
