DC-5

[ vulnhub boot2root walkthrough ]

Goal

root

Download

http://www.five86.com/dc-5.html

Walkthrough

nmap

default web port 80

the contact page/form looks interesting, but given the hint on the download page we should be looking elsewhere

after submitting the form we notice the copyright footer on thankyou.php says 2020

on multiple refreshes we see it change between 2017, 2018, 2019 and 2020

looking at the page source there is no code that would change the year, so it is most likely a php include

a quick check for LFI and we can read /etc/passwd

searching through various files/paths we find we can also view the nginx access log

there are a bunch of posts about this type of exploit (log poisoning); this one is a good start

send the payload so it gets written to the access log, then include the log to get command line access
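As an added defensive example (not part of the original walkthrough or the DC-5 box), a small detector that runs over constructed nginx access log lines and flags both the LFI reads and the PHP tag that log poisoning leaves behind in a logged field; the `footer` parameter name and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# nginx "combined" access log format, fields captured by name.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One rule per step of the chain: traversal or sensitive paths in the include
# parameter, and PHP tags landing in any logged field (log poisoning).
RULES = [
    ("lfi-traversal", re.compile(r"\.\./|\.\.\\")),
    ("lfi-sensitive-path", re.compile(r"/etc/passwd|/var/log/|/proc/self/")),
    ("log-poison-php-tag", re.compile(r"<\?php|<\?=")),
]

# Constructed sample lines (not from the box); "footer" is a hypothetical parameter name.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2019:10:01:02 +0000] "GET /thankyou.php?footer=footer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Apr/2019:10:02:10 +0000] "GET /thankyou.php?footer=../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.64.0"
10.0.0.9 - - [25/Apr/2019:10:02:40 +0000] "GET /thankyou.php?footer=/var/log/nginx/access.log HTTP/1.1" 200 88 "-" "curl/7.64.0"
10.0.0.9 - - [25/Apr/2019:10:03:05 +0000] "GET / HTTP/1.1" 200 12 "-" "<?php /* constructed marker */ ?>"
10.0.0.9 - - [25/Apr/2019:10:03:30 +0000] "GET /thankyou.php?footer=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432 "-" "curl/7.64.0"
"""

def classify(entry):
    """Return the rule names that fire on one parsed entry, in rule order."""
    hits = []
    for field in ("req", "ref", "ua"):
        # Decode once so %2e%2e%2f and %3C%3Fphp are caught as well as raw forms.
        value = unquote(entry[field]).lower()
        for name, rx in RULES:
            if rx.search(value) and name not in hits:
                hits.append(name)
    return hits

def scan_log(text):
    """Parse each line; return findings as {ip, req, hits} for lines that match a rule."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            continue  # malformed line; a real pipeline would count these separately
        entry = m.groupdict()
        hits = classify(entry)
        if hits:
            findings.append({"ip": entry["ip"], "req": entry["req"], "hits": hits})
    return findings
```

Pointing `scan_log` at the real access log and grouping findings by source IP gives the minimal alert a defender would have had at the LFI stage, before the log was ever included.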

with a netcat listener running on the attacking system, pass a netcat command via cmd and we have a reverse shell

first things first, jailbreak the shell

searching around, nothing obvious; checking SUID binaries, screen-4.5.0 sticks out

a quick search and EDB 41154 looks promising

a little trial and error, as running the script doesn't work as is. searching the web, HTB Haircut had this as a privilege escalation; good note from this post on building on the attacking machine first

build libhax.so

build the rootshell binary

build a script to pull it all together and set up a listener so the victim can download the files

wget the files on the victim machine

make it executable and run it… root

root flag

Written on April 25, 2019