Dina: 1.0 Vulnhub Walkthrough

Russell Murad
4 min read · Jan 13, 2021


Hello Guys! This is Russell Murad working as a Junior Security Engineer at Enterprise Infosec Consultants (EIC).

In this writeup, we’ll break a machine named “Dina: 1.0”. You can download it from here.

So, let’s get started…

1. First, we are going to check our victim machine’s IP using arp-scan.

2. Then we need to find some open ports using nmap.

3. Here we’ll see only one open port, 80 (HTTP), which is enough for us for now. Besides, we can already see some directories. To find more, we’ll use Gobuster.

4. Now we’ll browse the site from our kali machine.

5. From the previous directory list, if we browse “/robots.txt” we’ll see another list of directories that will be useful to us.

6. We’ll browse each and every directory one by one.

7. Here in the “/nothing” directory, we’ll find a list of passwords. Damn!

8. In the “/secure” directory we’ll find a zip file named backup.zip. Let’s download it.

9. Now we’ll try to open the zip file, but it asks for a password. “freedom” from the password list works!

10. It seems to be an mp3 file, but there is text hidden inside it.

11. We’ll just open it using cat and find a username and a URL path.

12. If we browse that directory we’ll see that it’s a Free and Open Source SMS Gateway Software environment named “playSMS”. We’ll use the username we found, “touhid”, with the password “diana” from the previous password list.

13. We can see that we’ve successfully logged in to our account.

14. Now we google for a playSMS exploit. There are many exploits for this platform out there; we’ll choose a manual one.

15. Mainly it’s a file upload / RCE vulnerability: if we put PHP code into the uploaded file’s name, the server will execute it.

Just like that!

16. There is one problem: we can’t use “/” slashes in the file name. So we encode our shell in Base64 and upload it to playSMS, and the backend server decodes and runs it.

17. Now if we open a Netcat listener, we’ll get a connection back from the server.

18. We’ll check our sudo permissions. There we’ll see we can run Perl without any kind of password. Let’s use Perl to spawn a shell and get root. It works like a charm!

19. We’ll head straight to the “/root” folder for the flag file and open it.
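The upload weakness in steps 15 and 16 is a denylist problem: the application forbids only the “/” character in a file name and otherwise treats the name as code, so anything that avoids a slash gets through. As an added defender-side example (not code from the original post or from playSMS), the Python below contrasts that weak check with an allowlist validator and flags the names that pass the weak check but fail the strict one; every sample file name is constructed for the example.

```python
import re

# Constructed sample upload file names (not taken from the original post).
SAMPLE_FILENAMES = [
    "contacts.csv",              # legitimate
    "report-2021.01.txt",        # legitimate
    "list</dev/null.csv",        # contains "/", the weak check rejects it
    "<?php echo 'hi'; ?>.csv",   # PHP tag, no "/", the weak check lets it through
    "a..b.csv",                  # path-like ".." sequence, also slash-free
]


def denylist_allows(name: str) -> bool:
    """The weak check described in the walkthrough: only "/" is forbidden.
    Everything else, including PHP open tags, is accepted as-is."""
    return "/" not in name


# Allowlist: letters, digits, dot, underscore, dash; no leading dot; max 64 chars.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def allowlist_allows(name: str) -> bool:
    """Hardened check: accept only a conservative character allowlist and
    reject ".." so the name can never be read as code or as a path."""
    return bool(SAFE_NAME.match(name)) and ".." not in name


def flag_suspicious(names):
    """Defender view: names the denylist accepts but the allowlist rejects are
    exactly the uploads worth alerting on in application or web-server logs."""
    return [n for n in names if denylist_allows(n) and not allowlist_allows(n)]


if __name__ == "__main__":
    for n in SAMPLE_FILENAMES:
        print(f"{n!r:32} denylist={denylist_allows(n)} allowlist={allowlist_allows(n)}")
    print("suspicious:", flag_suspicious(SAMPLE_FILENAMES))
```

The denylist here is a stand-in for the behaviour the post describes, not the project's actual source; the point is that a single forbidden character is not a sanitiser, and that a strict allowlist both fixes the bug and gives a clean detection rule.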

So, guys, that’s how we can break this machine! Hope to see you in the next write-up.

Thank you for reading this write-up. Cheers!
