Magda is Hacking Series: DC 9 Boot to Root Challenge Write-Up

Dr Magda CHELLY, CISSP, PhD
12 min read, Feb 11, 2021


In this article, I am sharing with you a different perspective on how to hack the DC-9 Boot to Root challenge, with details about the various vulnerabilities involved, including SQL injection, LFI, etc. I have minimized the use of automated tools on purpose.

The machine is hosted on the Vulnhub website. Credit for this machine goes to DCAU. Download this lab by clicking here.

The article will include:

§ Setup Details

§ Penetration Testing Methodology

§ Useful Tools and Command

§ Concept Definitions

§ Exploitation Details

I. Setup Details

Before starting the challenge, you will need to install VMware® Workstation 15 Player. This is my choice; you could just as well use VirtualBox. I have used VMware® Workstation 15 Player 15.5.2. As of 6 June 2020, the latest version of VMware had bugs. For information, I am using a Windows machine.

1. The challenge requires you to download the machine from the Vulnhub website. The download is a .zip file that you will need to extract to get the DC-9.ova file. An OVA file is an Open Virtualization Appliance that contains a compressed, "installable" version of the virtual machine.

2. You need to open VMware and import the OVA file. This process may take several minutes, depending on the size of your OVA file. You will then have your Kali and the target machine available within VMware Workstation Player to run, as shown in the picture below.

3. To start your challenge, you need to start both machines: your Kali and your victim machine. I used a specific custom virtual network for the challenge.

The NAT device is connected to the VMnet8 virtual switch. It waits for packets from virtual machines on the VMnet8 virtual network and translates the address of the VM to that of the host before forwarding the packet to the external network.

The host computer has an adapter on the NAT network (identical to the host-only adapter on the host-only network). This adapter allows the host and the virtual machine to communicate with each other. The NAT never forwards traffic from the host adapter.

II. Penetration Testing Methodology, Useful Tools & Commands

The methodology for this machine will not differ from most common penetration testing methodologies; however, we will need to refrain from using automated tools.

  • Network Scanning

The first step here is to ensure that you have a good way to scan and discover hosts within the network. We need to know the IP address of the targeted machine, right?

For that, I usually use Netdiscover.

netdiscover is an active/passive ARP reconnaissance tool: it can passively discover online hosts or search for them by sending ARP requests. It can be used to check your network's ARP traffic, or to find network addresses using auto scan mode, which scans the common local networks that use private IP ranges, as per RFC 1918.

As a reminder, the Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to reserve the following IPv4 address ranges for private networks (RFC 1918):

o 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)

o 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)

o 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

Source: Wikipedia

When you have the list of discovered hosts, remember not to hack your own machine or any other machine that is not your target. You can check the MAC address of your target VM within the Network Adapter Advanced Settings, as shown below:

For additional information: for each host-only or NAT network, the accessible IP addresses are divided using the conventions shown in the tables below, where <net> is the network number assigned to your host-only or NAT network. VMware Workstation always uses a Class C address for host-only and NAT networks.

This could help you understand how VMware configures the IP addresses.

Source: https://www.vmware.com/support/ws55/doc/ws_net_advanced_ipaddress.html

  • Enumeration

Now that I have the target host's IP, I can start the enumeration. For that I use the famous command/tool nmap. Nmap can run scans that provide OS, version, and service detection for one or many devices.

My favourite use is nmap -sV -Pn --script vuln <target IP>

-Pn (No ping)

This option skips the Nmap discovery stage altogether. Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified.

-sV

Adding the -sV option enables Nmap version detection.

The result of the command shows us which services are available and perhaps vulnerable. The findings are:

o Port 22 is filtered.

o Port 80 is open, running a vulnerable Apache server.

One important step in penetration testing, in my opinion, is to check the web page when/if one is available. Let's go then.

Interesting discovery here! However, let’s check what is on the website first.

The Display All Records menu tab shows a list of users who are staff of this company, including a Systems Administrator.

Before trying to exploit the target machine, I will try to find more details in order to move forward. I will use the dirb command to enumerate folders and files.

Now that I have had the chance to check the target machine, let's try to exploit it.

  • Exploitation

I would first try to find out if I can exploit the website as the Apache server seemed to be vulnerable, and SSH is filtered. Filtered means that a firewall or other barrier is blocking the port so that Nmap cannot tell whether it is open or closed.

Before that, I still tried admin/admin on the available form. It did not work…

Apache version 2.4.38 has various known vulnerabilities.

The vulnerabilities do not seem to me very interesting at the moment. I will go back to the website and check it out again.

Going back to our initial enumeration, we have found the below:

o http://192.168.111.129/search.php

o http://192.168.111.129/manage.php

o http://192.168.111.129/index.php

o http://192.168.111.129/welcome.php


o http://192.168.111.129/display.php

o http://192.168.111.129/results.php

Here I went through each of those, and guess what I found …

welcome.php shows me as logged in with an admin account, together with an error message. I immediately think about the Local File Inclusion (LFI) vulnerability.

Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without correctly sanitising the input, allowing the attacker to manipulate the input and include other files from the web server.

LFI vulnerabilities are easy to identify and exploit. Any script that includes a file from a web server needs further LFI testing. Using LFI we can retrieve files from the local server, and we can execute files on the local server. It is also possible to find a lot of information about our target system/machine just by traversing the file system: the /proc/sched_debug file reveals which processes are running on the system, /etc/shadow is sometimes readable and shows password hashes, the MySQL config file holds database credentials, etc.
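The include pattern described above, side by side with a hardened version, as an added example that is not code from the write-up or from the DC-9 application. It builds a throwaway web root with one legitimate template and one file outside the template directory (both constructed), then shows how an unvalidated file= parameter reads the outside file and how resolving the path and anchoring it under an allow-listed directory refuses it:

```python
"""Added example (not from the write-up): an unvalidated `file=` parameter
turned into Local File Inclusion, and the path-anchoring check that stops it.
The web root, template and "sensitive" file are constructed stand-ins."""
import os
import tempfile

WEB_ROOT = tempfile.mkdtemp()                  # stand-in for /var/www/html
TEMPLATES = os.path.join(WEB_ROOT, "pages")    # the only directory includes may come from

# Tiny mock filesystem: one legitimate template, plus a file outside the
# template directory standing in for something like /etc/passwd.
os.makedirs(TEMPLATES)
with open(os.path.join(TEMPLATES, "welcome.php"), "w") as fh:
    fh.write("<h1>Welcome</h1>")
with open(os.path.join(WEB_ROOT, "secret.txt"), "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/bash")   # constructed content


def vulnerable_include(file_param: str) -> str:
    """Mirrors manage.php?file=...: the parameter is joined to the template
    directory and read with no validation, so '../' climbs out of it."""
    path = os.path.join(TEMPLATES, file_param)
    with open(path) as fh:
        return fh.read()


def hardened_include(file_param: str) -> str:
    """Resolve the candidate path first (realpath collapses '../' and
    symlinks), then refuse anything that does not stay under TEMPLATES.
    An absolute parameter such as /etc/passwd is rejected the same way,
    because os.path.join discards the prefix and realpath keeps it absolute."""
    candidate = os.path.realpath(os.path.join(TEMPLATES, file_param))
    allowed_root = os.path.realpath(TEMPLATES) + os.sep
    if not candidate.startswith(allowed_root):
        raise PermissionError(f"refusing include outside template dir: {file_param}")
    with open(candidate) as fh:
        return fh.read()


def include_is_blocked(file_param: str) -> bool:
    """True when the hardened handler refuses the parameter."""
    try:
        hardened_include(file_param)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_include("../secret.txt"))
    print("hardened blocks traversal:", include_is_blocked("../secret.txt"))
    print("hardened allows template:", hardened_include("welcome.php"))
```

Only one "../" is needed here because the mock web root is shallow; on a real server the long chain of "../" in the write-up's payload is harmless surplus, since traversal simply stops at "/". The key design point is that the check happens on the resolved path, not on the raw parameter, so filters that only strip "../" from the string are not what protects you.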

Let's try with the path 192.168.111.129/manage.php?file=../../../../../../../etc/passwd. It seems to work, and brings me to the screen below:

It is time to analyse the error, as we might find a lot of information here.

I have also tried /proc/sched_debug. sched_debug shows well-interpreted information per CPU; it even prints out the list of runnable tasks on each CPU:

I copied the error output into a Word file and checked what we can find:

From the Word file, I have gathered a few pieces of information:

o “kworker” is a placeholder process for kernel worker threads, which perform most of the actual processing for the kernel, especially in cases where there are interrupts, timers, I/O, etc.

o “dhclient” is the Dynamic Host Configuration Protocol (DHCP) Client one would use to allow a client to connect to a DHCP server.

o “systemd-logind” is a system service that manages user logins. It is responsible for: Keeping track of users and sessions, their processes and their idle state.

o “agetty” opens a tty port, prompts for a login name and invokes the /bin/login command. It is normally invoked by init(8).

o “knockd” is a port-knock server. Port knocking works by configuring a service to observe firewall logs or packet capture interfaces for connection attempts. If a specific sequence of predefined connection attempts (or “knocks”) are made, the service will modify the firewall rules to open up connections on a certain port.

Those ports are opened on demand if, and only if, the connection request provides the secret knock.

SSH was the port that showed as filtered, so let's try that one. The sched_debug listing shows knockd running: knockd 587 2979.008712 25 120 0.000000 14.423607 0.000000 0 0.

We need to find the secret knock now. As part of the configuration for knocking, the server should have /etc/knockd.conf configuration file.

Et voila:

We have the required sequence, which is 7469, 8475, 9842. I now need to install knock on my Kali machine.

Let's start knocking then, with the command: knock -v 192.168.111.129 7469 8475 9842

And it worked; the SSH port is open now:
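To make the "filtered" result and the knock command fit together, here is the server side of port knocking as an added example, not code from the write-up or from knockd: a small tracker that follows each source address through the sequence the write-up read from /etc/knockd.conf and reports when the sequence is complete. The timeout value and the connection attempts it is fed are constructed for the demonstration.

```python
"""Added example (not from the write-up or from knockd): a minimal model of
how a knock daemon tracks SYNs per source before it opens port 22.
KNOCK_SEQUENCE is the one from the write-up; SEQ_TIMEOUT is an assumed value."""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7469, 8475, 9842)   # sequence read from /etc/knockd.conf in the write-up
SEQ_TIMEOUT = 25.0                    # seconds allowed to finish the sequence (assumed)


@dataclass
class KnockTracker:
    """Per-source progress through the knock sequence. Until a source has
    completed it, port 22 stays closed for that source, which is exactly why
    a plain port scan reports it as filtered."""
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = SEQ_TIMEOUT
    progress: dict = field(default_factory=dict)   # src_ip -> (next_index, first_knock_time)
    opened_for: set = field(default_factory=set)   # sources that completed the sequence

    def observe(self, src_ip: str, dport: int, ts: float) -> bool:
        """Feed one connection attempt (source, destination port, timestamp).
        Returns True when this attempt completes the sequence for src_ip."""
        idx, started = self.progress.get(src_ip, (0, ts))
        # Too slow: the partial sequence expires and knocking starts over.
        if idx > 0 and ts - started > self.timeout:
            idx, started = 0, ts
        if dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.opened_for.add(src_ip)
                self.progress.pop(src_ip, None)
                return True
            self.progress[src_ip] = (idx, started)
        else:
            # Any wrong port resets progress, so a scanner that hits the three
            # ports in numeric order (as a port scan does) never opens anything.
            self.progress.pop(src_ip, None)
        return False


if __name__ == "__main__":
    # Constructed events: a correct knock from 10.0.0.5 and a scan from 10.0.0.9.
    tracker = KnockTracker()
    for src, port, t in [("10.0.0.5", 7469, 0.0), ("10.0.0.5", 8475, 1.0),
                         ("10.0.0.5", 9842, 2.0),
                         ("10.0.0.9", 8475, 0.0), ("10.0.0.9", 7469, 1.0), ("10.0.0.9", 9842, 2.0)]:
        if tracker.observe(src, port, t):
            print(f"sequence complete from {src}: open port 22 for this source")
    print("opened for:", tracker.opened_for)
```

The knock -v command in the write-up is the client half of this exchange: three SYNs in the right order, fast enough to beat the timeout. For the defender, the takeaway is that the sequence lives in a readable configuration file, so anything that exposes file contents (here, the LFI) also exposes the knock.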

Let’s discover what is behind the SSH port now.

We see OpenSSH 7.9p1.

We still need a username and password to connect over SSH. I have tried another LFI path: 192.168.111.129/manage.php?file=../../../../../etc/security/access.conf. The /etc/security/access.conf file specifies (user/group, host), (user/group, network/netmask) or (user/group, tty) combinations for which a login will be either accepted or refused.

I try to run hydra for a brute-force attack. I love SecLists, and I am using one of danielmiessler's biggest lists: https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt

It looks slightly slow :D though!

I need to find another way to get the users with their passwords. Let's run Burp Suite and try to analyse what happens. For that, we need to configure the network settings in the Firefox preferences, as shown below:

In Burp Suite, I have also configured the target machine:

The result shows me what happens when I search for "magda".

The result shows us a POST request.

GET and POST are both HTTP methods used to request a web page. HEAD operates exactly like GET, but the server returns only the headers in the response. The weakness of GET is that it passes every parameter in the URL, where it is easy to see and tamper with. POST is recommended for such requests because the parameters are sent in the HTTP body: the HTTP POST method sends data to the server, and the type of the body of the request is indicated by the Content-Type header.

Now that I can see what happens, I need to analyse whether I am able to exploit it. Let's try SQL injection. That one is straightforward.

The result shows that the search.php is vulnerable indeed.

I have a hint here perhaps. Looking at SQL injections in details, we know that when the results of the query are returned within the responses, the UNION keyword can be used to retrieve data from other tables within the database. This is the UNION attack.

I need to determine the number of columns before I would be able to proceed with a UNION attack.

My first attempt is with ORDER BY. I have tried ' ORDER BY 1 -- but it did not succeed.

The second method involves submitting a series of UNION SELECT payloads specifying a different number of NULL values:

' UNION SELECT NULL --

' UNION SELECT NULL,NULL --

Etc.

Finally, the one below worked:

' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL --

For information, on MySQL, the double-dash sequence must be followed by a space. Alternatively, the hash character # can be used to identify a comment.

The result shows:

The number of NULLs matches the number of columns in this case. We have 6 NULLs, which should represent 6 columns.

Let's see if we can inject a value there, with the following payload:

' UNION SELECT NULL,NULL,NULL,NULL,NULL,'MAGDA_IS_HACKING' --

I am able to populate the email field, then the phone field.

As no error occurs, and the application's response contains the additional content including the injected string value, the relevant column is suitable for retrieving string data.

This might also mean that I can execute commands through those fields …

It indeed worked: with the payload ' UNION SELECT NULL,NULL,NULL,NULL,(SELECT @@version),NULL -- I retrieved information about the database, and I tried other commands as well, which also seemed to work. We now know that the database is called "Staff", and we have its content listed with the previous commands. We are still missing usernames and passwords, as well as the list of tables.

It seems really time-consuming, so let's try SQLmap. I run the command sqlmap -r MAGDA1234 -D users --dump-all --batch (where MAGDA1234 is the request saved from Burp) and got the result below:
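To show why the search form accepted the UNION payloads above, here is a search handler written the way search.php behaves, next to its parameterised replacement, as an added example that is not code from the write-up or from the DC-9 application. The table name, its six columns (matching the six NULLs found above) and the staff rows are constructed; the injection string is the one the write-up submitted, and SQLite stands in for MySQL (it accepts the same "-- " comment):

```python
"""Added example (not from the write-up or from DC-9): string-built SQL that
accepts the UNION payload, beside a parameterised query that does not.
Table layout and rows are constructed; the payload is the write-up's."""
import sqlite3

INJECTION = "' UNION SELECT NULL,NULL,NULL,NULL,NULL,'MAGDA_IS_HACKING' -- "


def build_db() -> sqlite3.Connection:
    """Six-column staff table (constructed) so the six-NULL payload lines up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE StaffDetails ("
        "id INTEGER, firstname TEXT, lastname TEXT, "
        "position TEXT, email TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO StaffDetails VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "Alice", "Example", "Systems Administrator", "alice@example.test", "0000000001"),
            (2, "Bob", "Sample", "Human Resources", "bob@example.test", "0000000002"),
        ],
    )
    return conn


def vulnerable_search(conn: sqlite3.Connection, term: str) -> list:
    """The search term is pasted into the SQL text. A quote in the term
    closes the string literal, UNION appends attacker-chosen rows, and
    '-- ' comments out the rest of the original WHERE clause."""
    sql = (
        "SELECT id, firstname, lastname, position, email, phone FROM StaffDetails "
        f"WHERE firstname LIKE '%{term}%' OR lastname LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def safe_search(conn: sqlite3.Connection, term: str) -> list:
    """Same query with placeholders: the term is bound as data by the driver
    and can never change the shape of the statement, so the payload is just
    a (non-matching) surname."""
    sql = (
        "SELECT id, firstname, lastname, position, email, phone FROM StaffDetails "
        "WHERE firstname LIKE ? OR lastname LIKE ?"
    )
    pattern = f"%{term}%"
    return conn.execute(sql, (pattern, pattern)).fetchall()


def marker_present(rows: list, marker: str = "MAGDA_IS_HACKING") -> bool:
    """True if the injected string came back in the phone column."""
    return any(row[5] == marker for row in rows)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal term:", vulnerable_search(db, "Alice"))
    print("vulnerable, payload   :", vulnerable_search(db, INJECTION))
    print("safe, payload         :", safe_search(db, INJECTION))
```

The vulnerable handler returns every staff row (the first LIKE became '%') plus the injected row, which is exactly the "email field, then the phone field" effect seen in the write-up. The parameterised version returns nothing for the payload and still works for a normal name. Swapping the sixth NULL for (SELECT @@version) in MySQL is the same mechanism, which is why a single unescaped search box leads to the whole database.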

Let's use those to connect to our now-open SSH port, brute-forcing with hydra:

I get access as Chandler (I love the series "Friends"!!).

I can see some Cron files. By default, Cron runs as root when executing /etc/crontab, so any commands or scripts that are called by the crontab will also run as root.

I have tried the cron job, but it was denied.

Let's try joeyt and janitor. joeyt did not get anywhere either.

janitor's desktop brings us here:

I found new passwords in a file:

Let's add those for another hydra run.

The sudo -l command shows us that the only command that can be run without a password is the one below:

We can create a user and a password hash with the command: openssl passwd -1 -salt mag 123456

OK, we have the user and the password hash. We can use the commands below to add the user with root privileges (UID 0):

echo 'mag:$1$mag$HNW2.BX6qGYdkaqJH1Wtf/:0:0::/root:/bin/bash' >> /tmp/lil

sudo ./test /tmp/lil /etc/passwd

su mag
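The escalation above leaves a very recognisable trace in /etc/passwd: a second UID 0 account, with a password hash sitting in the passwd file rather than in /etc/shadow. As an added example that is not part of the write-up, here is the check a defender or a configuration audit would run to catch it. The passwd content is constructed, apart from the appended line, which is the one from the write-up:

```python
"""Added example (not from the write-up): audit /etc/passwd content for
extra UID 0 accounts and for password hashes stored outside /etc/shadow.
SAMPLE_PASSWD is constructed; the 'mag' line is the one the write-up appended."""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
janitor:x:1000:1000:Janitor:/home/janitor:/bin/bash
joeyt:x:1001:1001:Joey:/home/joeyt:/bin/bash
mag:$1$mag$HNW2.BX6qGYdkaqJH1Wtf/:0:0::/root:/bin/bash
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> list:
    """Split passwd lines into dicts; lines with the wrong field count are
    kept and flagged rather than dropped, since a mangled line is itself a finding."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            entries.append({"line": lineno, "name": line, "malformed": True})
            continue
        entry = dict(zip(FIELDS, fields))
        entry["line"] = lineno
        entry["malformed"] = False
        entries.append(entry)
    return entries


def audit_passwd(text: str) -> list:
    """Return (account, issue) pairs that deserve a look. The two issues the
    write-up's escalation produces are a non-root UID 0 account and a real
    hash in the password field (the normal value is 'x', meaning 'see shadow')."""
    findings = []
    for entry in parse_passwd(text):
        if entry["malformed"]:
            findings.append((entry["name"], "malformed entry (wrong field count)"))
            continue
        name, pw = entry["name"], entry["password"]
        if entry["uid"] == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field (no password required)"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((name, "password hash stored in passwd instead of shadow"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {issue}")
    # On a live system: audit_passwd(open("/etc/passwd").read())
```

Beyond the one-off check, the lesson for the sudoers entry is that a "copy this file there" tool runnable as root without a password is equivalent to root, whatever its name; the rule should be removed or restricted, and /etc/passwd, /etc/shadow and /etc/sudoers should be under file integrity monitoring so an appended line raises an alert immediately.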

  • Post Exploitation

Post-exploitation implies the activities taken after a session is opened. A session is an open shell from a successful exploit.

At the end, I was very tired… 😊 so apologies for the reduced amount of explanation …

I hope you enjoyed reading this walkthrough, and I promise I will publish many more … Hopefully …

Disclaimer

My blogs are for informational and educational purposes only. The articles, blogs, videos, examples and all information is only for those who are interested to learn about Ethical Hacking, Security, and Penetration Testing. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. I do not promote, encourage, support or excite any illegal activity or hacking without written permission in general.

Written by Dr Magda CHELLY, CISSP, PhD

Cyberfeminist | Entrepreneur | Former CISO | PhD, CISSP, S-CISO | CoFounder Responsible Cyber | @womenoncyber | Documentary The Dark Web on @myCanal
