Today we are working on Vulnhub.com’s DC: 4, a boot-to-root by @DCAU7 that is rated beginner/intermediate.
Initial Enumeration
We start with our nmap scans.
We don’t get much from nmap - just ssh and http. After a quick banner check on ssh (see my last post), I moved on to enumerating the http server. The default webpage is the simple login screen that I show above. I ran bunch of Dirbuster scans using different word lists and trying different file extensions, but came up empty. What I should have done was just try to login to the webpage because it seems like just about any combination of username and password will get you in.
Foothold
Once logged in, we find a “Command” link that gives us the option of a few shell commands to run, so it should be pretty obvious that we have command injection to exploit. The request captured in Burp Suite looks like this:
I sent that to Repeater and tried a few simple commands to verify I got good output. I sent a “which+nc” to verify netcat was installed and then I attempted a netcat reverse shell.
We get a shell as user www-data.
User Escalation 1
If we go to the /home directory, we see that there are three users: charles, jim, and sam. Charles’ directory didn’t yield anything interesting, but jim has a backup folder.
I copied the list of passwords to my kali box to see if any of them will work for ssh access. I called the file dc4-pwlist. Since this is a small list of passwords, I also created a file dc4-userlist containing charles, jim, and sam just in case one of the passwords worked for the other known users. I then used hydra to brute force ssh.
Hydra gets a hit for jim, so we can set our web shell aside and ssh to the box from now on.
User Escalation 2
One of the things I like to search for during user enumeration is files owned by the particular users. This is especially useful for finding files outside of the obvious home directories, and this time the search paid off for jim.
Searching in /var/mail is generally a good practice during enumeration if you aren’t doing it already. We check out jim’s mail.
A quick su and now we are user charles. Usually the first thing I check with a new user is for sudo privileges.
Root Escalation
Charles can run a binary called teehee as root. After playing around with the binary for a bit, I realized it is just a renamed version of the tee command, which we can use to write to files. I thought of some options for how to abuse tee to get root and after trying a few of those ideas unsuccessfully I decided to rewrite /etc/passwd to remove the password from the root user. I made my edits to the file on my kali box so that I could paste the entire file back in at once.
Now that root doesn’t have a password, we simply su and grab our root flag!
How did you abuse teehee to get to root? Did you find a more elegant way? Drop me a comment to let me know. Thanks for reading!
